FTC to update Health Breach Notification Rule for apps, connected products

On May 18, 2023, the Federal Trade Commission (FTC or Commission) announced its intention to hold companies more accountable for their collection and use of consumers’ health information. In an open Commission meeting, FTC Chair Lina Khan, Commissioner Rebecca Slaughter, and Commissioner Alvaro Bedoya voted unanimously to update the FTC’s Health Breach Notification Rule (HBNR) to cover more vendors of personal health records that access or send unsecured personal health record information.

The proposed rule (Proposed Rule) to amend the HBNR further advances the FTC’s aggressive enforcement priorities around sensitive personal data. Moreover, it would significantly expand the breach notification obligations of personal health record vendors and certain other non-HIPAA covered entities under the Health Information Technology for Economic and Clinical Health Act (HITECH).

Additionally, the Proposed Rule confirms the Commission’s intention to interpret “breach” not only as a nefarious intrusion, but as any unauthorized disclosure of individually identifiable health information by non-HIPAA covered entities, such as vendors of apps, wearables, and other technologies for health advice, information, and tracking.


The FTC’s HBNR applies to vendors of personal health records (PHR) and related entities not covered by HIPAA. It requires those entities to issue notifications to consumers, the Commission, and the media in the event of a breach of identifiable health information. In addition, if a service provider to one of those vendors suffers a breach, it must notify the vendor, which in turn must notify consumers.

Although the HBNR has been in effect since 2009, the FTC has only recently begun to enforce compliance. Since December 2022, the Commission has announced two enforcement actions against entities alleged to have violated the HBNR by sharing their users’ personal health data with third parties without authorization or consent.

Previously, in September 2021, the Commission voted 3-2 along party lines to adopt a Policy Statement asserting that the HBNR applies to health apps and connected devices that collect, use, or transmit consumer health information. Dissenting statements from then-Commissioners Noah Phillips and Christine Wilson argued that the Policy Statement improperly expanded the FTC’s statutory authority and did so unilaterally, rather than in concert with other agencies with related jurisdiction.[1]

Under the Policy Statement, all apps consumers use to store and process information about anything related to health – for example, consumers’ steps or the food they eat – are “health care providers.” So too would be retailers that sell health care supplies, like Neosporin and vitamins. That broad definition is not the one used by the Department of Health and Human Services and the Social Security Administration (those agencies focus on traditional health care providers, like doctors, nursing homes, and pharmacies). It also goes far beyond the discussion both in Congress and at the Commission at the time the statute was written and the HBNR was drafted.[2]

The Proposed Rule now seeks to amend the HBNR by incorporating many aspects of the 2021 Policy Statement.

Key details

The Proposed Rule would have four significant implications for developers of non-HIPAA covered health apps and connected devices.

1. Definitions of “health care provider” and “health care services or supplies”

First, the Proposed Rule would amend the HBNR to cover virtually all health and wellness apps and connected health devices not subject to HIPAA – even though HITECH refers only to PHR vendors, certain PHR-related entities, and their third-party service providers. The FTC would pull in a broader swath of entities through the addition of two terms: “health care provider” and “health care services or supplies,” both of which factor into the definition of “PHR identifiable health information.”

Under the HBNR, a vendor of PHRs is an entity, other than a HIPAA covered entity or business associate, that offers or maintains a PHR. A PHR is defined to include certain electronic records of PHR identifiable health information. PHR identifiable health information is defined under HITECH by reference to HIPAA’s definition of individually identifiable health information, which includes certain health information created or received by a “health care provider.” HIPAA defines a “health care provider” as a provider of services (as defined in section 1395x(u) of this title), a provider of medical or other health services (as defined in section 1395x(s) of this title), and any other person furnishing “health care services or supplies.”

In contrast to the definition of “health care” developed under HIPAA – which is limited to care, services, and supplies related to (a) the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body, and (b) prescription drugs and devices – the Proposed Rule’s definition is much more expansive.

The Proposed Rule would define the term “health care services or supplies” to include any online service (such as a website, mobile application, or internet-connected device) that provides health-related services or tools, such as mechanisms to track:

  • Diseases
  • Health conditions
  • Diagnoses or diagnostic testing
  • Treatment
  • Medications
  • Vital signs
  • Symptoms
  • Bodily functions
  • Fitness
  • Fertility
  • Sexual health
  • Sleep
  • Mental health
  • Genetic information, or
  • Diet.

2. Revised definition of “breach of security”

Second, a reportable “breach of security” under the Proposed Rule would no longer be limited to data breaches but would instead include any disclosure of unsecured PHR identifiable health information not authorized by the consumer. This amendment would effectively require PHR vendors and PHR-related entities to obtain consumer consent for every disclosure of identifiable health information.

3. Additional notification methods

Third, to align the methods for breach notification with the methods commonly used by health apps to communicate with users, the Proposed Rule would allow notification to affected individuals (with their consent) by text message, in-app messaging, or an electronic banner within the application. The Proposed Rule would require that such electronic notice be provided in a clear and conspicuous manner.

4. Changes to content requirements for individual notifications

Finally, the Proposed Rule’s breach notification provisions would require covered entities to detail how consumers could be harmed by the breach. Currently, the HBNR requires the notice to include (to the extent possible) the following:[3]

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
  • A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code)
  • Steps individuals should take to protect themselves from potential harm resulting from the breach
  • A brief description of what the entity that suffered the breach is doing to investigate the breach, to mitigate harm, and to protect against any further breaches, and
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, e-mail address, website, or postal address.

The Proposed Rule would require the following additional items to be included in the notice:

  • A brief description of the potential harm that may result from the breach, such as medical or other identity theft,[4]
  • The full name, website, and contact information (such as a public e-mail address or phone number) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security, if this information is known, and
  • A brief description of what the entity that experienced the breach is doing to protect affected individuals, such as offering credit monitoring or other services.


In view of the FTC’s recent HBNR enforcement actions and the Proposed Rule, developers of health and wellness applications and connected devices should closely evaluate whether their practices comply with the HBNR, particularly with respect to any use of trackers for advertising purposes. In addition, these companies should consider the following:

  • Covered entities. Companies that collect and use consumer health information should review the Proposed Rule to assess whether they would be subject to the FTC’s expanded interpretation of HITECH’s breach of security provisions and the potential impact on their operations that rely on the processing of health information.
  • Public comments. Companies that may be affected by the Proposed Rule will have 60 days to submit comments following its publication in the Federal Register.
  • Impact on standing in breach class actions. The Proposed Rule’s breach notification provisions would require covered entities to detail how consumers could be harmed by the breach. This change could complicate the ability of such entities to argue against standing in breach class actions.