The Health Breach Notification Rule (HBNR) and PHI

A conversation with Chris Bowen, Chief Information Security Officer and Founder at ClearDATA

If you’re like many Americans, you might believe your personal health information is always protected under law — specifically, HIPAA. ClearDATA commissioned The Harris Poll to further explore this notion and found that as many as 81% of Americans assume that all protected health data collected by digital health apps is protected under HIPAA. In this interview, ClearDATA’s Founder and Chief Information and Security Officer, Chris Bowen shares his thoughts on the FTC’s proposal to “strengthen and modernize the Health Breach Notification Rule (HBNR)”, which specifically addresses challenges and shortcomings in how digital health companies manage the storage and security of consumer data.

QUESTION: How would you briefly describe the primary goal and scope of the Health Breach Notification Rule (HBNR)?

The Health Breach Notification Rule (HBNR) was established to ensure that individuals are informed when there is a breach of their unsecured, identifiable health information held by entities not covered by the Health Insurance Portability and Accountability Act (HIPAA). Unlike HIPAA, which covers healthcare providers, health plans, and other related entities, the HBNR specifically applies to personal health record vendors and other entities that offer products or services through such vendors, as well as third-party service providers to these vendors. This rule serves as a crucial reminder that health data, irrespective of where it’s stored or processed, remains a sensitive category of personal information that requires proactive safeguards and immediate action if those safeguards fail.

QUESTION: What are your thoughts on the HBNR and the current regulation of Protected and Personal Health Information (PHI and PII)?

The current system is terrible. The US is engaged in a “quilt work” strategy when it comes to regulating the protection of our PHI and PII. Basically, navigating the ever-changing landscape of health data privacy is akin to the wild west, with ambiguities surrounding what qualifies as protected health information.

Personally Identifiable Information (PII), for instance, can sometimes be even more revealing than a medical record. Add to this the challenges of managing sensitive information such as reproductive data and the complexity multiplies. A case in point is a young individual receiving targeted coupons from a large retailer, revealing a health condition to a guardian, or the controversial GoodRx lawsuit, where the dismissive attitudes of these large health companies highlight the nonchalance toward regulations and the protection of consumer data.

Our political system needs to take action, particularly Congress, which has been slow in addressing these complexities. While the European Union has taken strides with GDPR, the U.S. still grapples with disorganized and muddled regulations, leaving many in confusion. While I commend the Federal Trade Commission (FTC) proposals to the HBNR, I’m not sure what finally spurred them into action, but I applaud it.

QUESTION: How significant is the risk associated with the growth and impact of health apps and direct-to-consumer health technologies since the issuance of HBNR?

Tremendously significant! Erroneous or unauthorized access to our data can have fatal consequences. Consider situations like blood transfusions or experiencing allergic reactions during medical interventions. Ensuring data is accurate and free from third-party manipulation is critical for our safety. Among the pressing vulnerabilities are quadruple extortion tactics associated with ransomware and the phenomenon of Synthetic Identity Theft. In the latter, data fragments are joined to simulate a legitimate record. Imagine the impact on one’s life if this counterfeit record wrongfully designates them as criminals. This manipulation extends to both textual data and images.

I delivered a talk at Stanford University at the inaugural StartX Kickoff, targeting app developers, highlighting the complexities of health applications and consumer data. I discussed the essential standards of privacy, security, and compliance in health apps. Some of the blank stares looking back at me were telling. There’s an imperative to prioritize data protection. We are amassing data at an astonishing pace, and our defensive and offensive measures, for example threat hunting, should accelerate accordingly. Silicon Valley developers must comprehend that a mere ‘Terms of Service’ agreement is insufficient protection.

QUESTION: How significant are the enforcement actions taken by the FTC against companies like Premom and GoodRx in setting a precedent for HBNR violations?

FTC penalties against companies such as Premom and GoodRx are symbolically significant, but they also expose shortcomings and gaps in the Health Breach Notification Rule (HBNR) and its enforcement. While the actions by the FTC signal to the industry that they are paying attention and are willing to take corrective action, we need to raise questions about the depth and consistency of these interventions. For instance, are the penalties and corrective measures mandated actually commensurate with the gravity of the breach or the potential harm inflicted upon individuals? In many cases, no! It might appear that the punitive measures, be they financial penalties or mandated process changes, aren’t sufficiently rigorous to deter other companies from similar missteps.

Additionally, there’s the question of how proactive the FTC’s approach is. In this case, the FTC stepped in after a violation became evident, but we need to question whether there are enough mechanisms in place to detect breaches before they occur. Are we only seeing the tip of the iceberg? And if so, how many violations go unnoticed or unreported? The actions against Premom and GoodRx highlight that the FTC is aware and responsive, but they also underscore the need for a more dynamic and anticipatory approach to regulation and enforcement. These actions need to be more than mere token gestures; they should spearhead a robust, holistic, and future-proof approach to data protection in the health business domain. Honestly, I harbor reservations about the efficacy of the penalties and enforcement actions associated with the Health Breach Notification Rule (HBNR). While it’s headed in the right direction, it has a lot of room for improvement.

QUESTION: In your opinion, do the current penalties and enforcement actions sufficiently deter companies from violating the HBNR?

Not in many instances, no, I do not think so, as I previously mentioned. First, although the financial penalties to companies like GoodRx might seem significant for some businesses, they can be perceived as merely a cost of doing business rather than a significant deterrent. Second, the 60-day window provided for notifying affected individuals is way too lenient, especially in our fast-paced digital age. Two months is a lifetime and can cause extensive, irreparable harm to individuals whose data has been compromised, especially if malicious actors access this information!

Again, the HBNR is too reactive. While breach notifications are crucial, we need a more proactive stance with an emphasis on preventative measures and continuous monitoring. As the technological and threat landscapes evolve rapidly, a static rule just isn’t enough. The HBNR, as with all such regulatory frameworks, should be periodically reviewed and revised to ensure it remains effective and relevant. Really what it comes down to is the necessity for the US to have a cohesive and effective strategy as it relates to protecting our data.

QUESTION: Considering the proposed changes and the current innovative landscape of healthcare technology, what advice would you give to consumers moving forward as they utilize digital health applications?

Given the vast amounts of sensitive health information flowing through these platforms, the motivations and capacities of these apps to protect data require intense scrutiny. Consumers should engage in some of the following activities as they engage with digital health companies:

  1. Educate Yourself: Before downloading or using any health app, familiarize yourself with its privacy policies and terms of service. It’s essential to know who is collecting your data, how it’s being used, and with whom it might be shared.
  2. Limit Data Sharing: Only provide the minimum required data. If an app asks for information that doesn’t seem relevant to its function, be skeptical.
  3. Review Permissions: Regularly review and restrict unnecessary permissions that apps have on your device, especially access to your camera, microphone, or location.
  4. Research the App’s Reputation: Look for whether there’s a history of data breaches or questionable practices.
  5. Use Multi-Factor Authentication: Where available, enable multi-factor authentication for added security.

QUESTION: What advice would you give to app developers and Healthcare Technology companies as they continue to innovate and collect protected health information?

As we continue to digitize and expand the horizons of healthcare, ensuring the security and privacy of health data is both a challenge and an obligation for the leadership of these companies.

  1. Prioritize Data Protection from Day One: Adopt a ‘privacy by design’ approach. Ensure that data protection is not an afterthought but an integral part of the app’s development process.
  2. Consider a Privacy and Security Vendor: Vendors specializing in security and data protection bring a depth of technical expertise to the table, providing robust solutions tailored to the company’s unique needs.
  3. Be Transparent: Clearly articulate your data collection, storage, and sharing practices in layman’s terms. Avoid hiding behind complex legal jargon.
  4. Limit Data Collection: Collect only the data that’s absolutely necessary for the app’s function. More data means greater responsibility and higher risks.
  5. Employ Robust Encryption: Always encrypt personal health information, both in transit and at rest. Regularly update cryptographic methods in line with industry best practices.
  6. Regular Audits and Penetration Testing: Regularly evaluate the security posture of your app and infrastructure. Engage third-party services for penetration testing to identify vulnerabilities.
  7. Stay Updated: The tech landscape, especially security, is always evolving. Continuous education and adaptation are crucial.
  8. Act Swiftly in Case of Breaches: If a breach occurs, act promptly to mitigate it, inform affected users, and take steps to prevent future incidents.

QUESTION: You mentioned a vendor partnership to help protect consumer information. What are the major hurdles healthcare technology companies experience as they work with protected health information?

  1. Intense Healthcare Regulations and Penalties: The healthcare industry is subject to some of the most stringent data protection regulations globally. Non-compliance is not just a matter of penalties; it can erode a company’s reputation and destroy human life.
  2. Risk of Data Breaches: The healthcare sector consistently ranks high as a target for cyberattacks due to the value of health data. Engaging a vendor with expertise in cybersecurity can significantly reduce this risk. These vendors are equipped with cutting-edge tools, strategies, and threat intelligence to prevent, detect, and respond to potential security incidents.
  3. Limited Internal Technical Capabilities: Not all digital health companies have the in-house technical capabilities to develop, maintain, and secure complex IT infrastructures. Vendors, specializing in security and data protection, bring a depth of technical expertise to the table, providing robust solutions tailored to the company’s unique needs.
  4. Workforce Expertise Shortage: The cybersecurity domain is facing a talent crunch, with a glaring gap between the demand for skilled professionals and available talent.
  5. Cost Constraints: Developing and maintaining a state-of-the-art, secure IT infrastructure can be prohibitively expensive for many digital health companies, especially startups.

QUESTION: Why is it important for digital health companies to consider utilizing vendors who specialize in security and data protection?

In essence, as digital health companies continue to expand in number and scale, their challenges grow in tandem. Engaging a vendor to handle the intricacies of data protection isn’t just about offloading responsibilities; it’s about harnessing specialized expertise to ensure that the company remains resilient, compliant, and trusted in an increasingly complex digital landscape. It’s about recognizing that in the dynamic world of digital health, collaboration is often the key to robust, sustainable growth.

These vendors are equipped with cutting-edge tools, strategies, and threat intelligence to prevent, detect, and respond to potential security incidents. Specialist vendors, being in the field, have access to a pool of skilled professionals and can provide the necessary expertise without the company having to hire, train, or retain in-house staff. By leveraging shared resources and expertise, they can provide top-tier security solutions at a fraction of the cost of in-house operations.

When it comes to cloud security and protection of PHI in the public cloud, we’re here to help. Talk to the healthcare cloud experts at ClearDATA today.
