This article was originally published by

By Chris Bowen, Founder & CISO, ClearDATA

The Federal Trade Commission (FTC) recently finalized changes to the Health Breach Notification Rule (HBNR), signaling a move from fragmented, independent privacy and security measures towards a unified, collaborative defense. This new rule puts patients and consumers in the driver’s seat of their privacy and serves as a call to action for companies that create, collect, manage, and use health information, providing a potent deterrent against vulnerabilities that could expose their data.

Understand this: The FTC’s stance is unwavering and authoritative. It demands not mere compliance, but the utmost adherence to rigorous standards of care and caution in handling confidential health information.

The Health Breach Notification Rule mandates that vendors of personal health records and associated entities that are not covered by HIPAA must inform individuals in the event of a breach involving unsecured data. If a third-party service provider to these entities experiences a breach, it must inform the entity, which then notifies the individuals. The Rule also outlines the specifics of when, how, and what to notify in the event of particular breaches.

HBNR specifically applies to personal health record vendors, to other entities that offer products or services through them, and to third-party service providers to them. It covers a variety of platforms, from health apps to wearable technologies. Unfortunately, 81% of Americans assume that all health data collected by digital health apps is protected under HIPAA.

In May 2023, the FTC proposed amendments to the Health Breach Notification Rule (HBNR) to clarify its scope regarding the collection of consumer health data by health apps and related technologies. The finalization of these changes is an unambiguous signal to the digital health ecosystem that the integrity of healthcare data is non-negotiable. No longer can firms hide behind the complexities or nascent nature of digital health technologies; the time to comply and protect is now, and the FTC has implemented rules that leave no uncertainty about the seriousness of the endeavor.

The updated HBNR ushers in several key shifts that set a higher standard for security and transparency. First among these is the expanded content required in a breach notification to patients. This move is not merely bureaucratic; it aligns with the growing demand for clarity and accountability that patients and providers alike require to maintain trust in the face of technological unknowns.

The Commission has made significant revisions and clarifications to the rules governing health apps and technologies that are not covered by HIPAA, enhancing the protection of personal health information (PHI). Among these changes are revised definitions to emphasize the rule’s application to health apps, clarification on what constitutes a “breach of security,” and a more precise scope for “PHR related entities” that includes those offering services via online and mobile platforms.

Additionally, the final rule expands the methods and content of breach notifications to consumers, including the use of electronic communication and detailed information on the breach’s impact.

It also adjusts the timing for notifying the FTC in the event of a breach, setting strict deadlines to ensure prompt action. These updates mark a significant step forward in securing PHI and underscore the importance of compliance and clear communication in the digital health space.

The FTC’s action demands not just compliance, but leadership — leadership in technological integrity, transparency, and fortitude in the face of cyber threats. Change will require investment, invention, and unwavering commitment, but the benefits extend far beyond mere regulatory peace of mind. In championing cybersecurity, we champion the future of healthcare, a future that is secure, trusted, and resilient. Digital health entities that fall short will find themselves lacking not just in regulatory compliance, but also in the trust and investment of a discerning public.

Consumer Protected Health Information is not just a term. It embodies the very essence of what is ours, our narratives of health, history, and future.

The time has come for a unified front in healthcare cybersecurity. We, the technologists, innovators, lawmakers, and guardians of the healthcare digital landscape, must rise to this challenge with unity and tenacity.

It is time for every digital health company, every healthcare professional, and every policymaker to reassess, reinvent, and redouble their efforts in cybersecurity. The FTC’s changes provide the roadmap. It is now up to us to ensure a future where patient data is as secure as the healthcare we strive to provide.

The stakes are too high, the threats too real, and the need for action too pressing.