FTC strengthens health data protections with updated breach notification rule

FTC strengthens health data protections with updated breach notification rule

The Federal Trade Commission (FTC) this week announced a significant update to the Health Breach Notification Rule (HBNR). This update aims to strengthen protections for consumers' health data in the digital age.

A key change clarifies that the HBNR now explicitly covers health apps and similar digital health technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA). This is an important update considering the growing popularity of these technologies and the sensitive health data they collect.

The FTC has expanded the definition of "breach of security" to encompass both data security breaches and unauthorized disclosures of health information. This broader definition ensures that companies are held accountable for any unauthorized access or sharing of sensitive health data.

The revised rule emphasizes the importance of clear and understandable communication with consumers in the event of a data breach. The FTC offers specific guidance on crafting notices that are easy to read and comprehend. This includes using plain language, bullet points, and avoiding legal jargon. The rule also requires notices to include more detailed information about the breach, such as the types of health data involved and any third parties who may have accessed the data.

The FTC is tightening notification timelines for breaches affecting 500 or more individuals. Covered entities must now notify the FTC at the same time they send notices to affected consumers, with a deadline of 60 calendar days after discovery of the breach.

The updated rule includes additional information about potential penalties for non-compliance. Violations of the HBNR are considered unfair or deceptive acts or practices under the FTC Act, potentially leading to civil penalties for companies that fail to comply.

The updated HBNR goes into effect 60 days after its publication in the Federal Register. Businesses that collect or store health data should familiarize themselves with the new requirements to ensure they are in compliance. The FTC website provides resources and a reporting form for companies who need to report a breach under the HBNR.

This update has significant implications for businesses involved in marketing health apps, wearables, and other digital health technologies. Marketers should ensure their messaging clearly communicates data privacy practices and potential risks associated with data breaches. Building trust and transparency with consumers will be crucial in the wake of this update.

Read more