The FTC Health Breach Notification Rule and the 2024 Update
The FTC Health Breach Notification Rule (HBNR), from 2009, covers individually identifiable health information held OUTSIDE HIPAA: health apps, websites, wearables, and personal health records (PHRs). Unlike HIPAA, the HBNR does not incorporate HIPAA's deidentification safe harbor, and its 2024 update expanded scope, clarified that unauthorized disclosures count as breaches, and tightened notice timing.
The FTC Health Breach Notification Rule (HBNR), dating from 2009, fills a gap by covering individually identifiable health information ("PHR identifiable health information") held outside HIPAA: health apps, websites, wearables, and personal health records (PHRs). It requires vendors of personal health records, PHR related entities, and their third-party service providers to respond to a breach of unsecured PHR identifiable health information: vendors and PHR related entities notify affected consumers without unreasonable delay and no later than 60 calendar days after discovery, notify the FTC, and, where the breach involves 500 or more residents of a state or jurisdiction, notify prominent media outlets serving that area; third-party service providers notify the vendor or PHR related entity they serve. If an entity acts solely as a HIPAA covered entity or business associate, the HBNR does not apply, so a given organization is generally under one regime or the other for a given data flow, not both.
Unlike HIPAA, the HBNR has no exemption for deidentified data. This is a frequent exam contrast: HIPAA's protections fall away once data is properly deidentified under the Safe Harbor or Expert Determination method, but the HBNR draws no such line. In practice the HBNR's scope turns on whether there is a reasonable basis to believe the information can be used to identify the individual, so stripping direct identifiers such as name and email from app data does not by itself take that data out of scope if it can reasonably be re-linked to a person.
The 2024 update (final rule published in May 2024, effective July 29, 2024) made several changes. It expanded scope to explicitly include health apps and similar technologies not covered by HIPAA, revising definitions such as "PHR identifiable health information", "PHR related entity", and "covered health care provider" so that an app that offers health-related services or supplies is treated as a health care provider for the rule's purposes. It revised "breach of security" to make clear that a breach includes not only an intrusion or other data security incident but also an unauthorized disclosure, for example sharing consumers' health data with third parties without their authorization. It required breach notices to identify the third parties that acquired the unsecured data. It changed the timing of FTC notice: for breaches affecting 500 or more individuals, the FTC must be notified contemporaneously with consumer notice (and so within the same 60-day window), replacing the earlier 10-business-day deadline; breaches affecting fewer than 500 individuals may still be reported to the FTC in an annual log within 60 days after the end of the calendar year. And it allowed electronic notice, for example by email where the consumer has chosen email as the primary method of communication. For app coverage, the test is whether the app has the technical capacity to draw information from multiple sources (for example, data the user enters plus data pulled from a wearable or another app's API), not whether a particular user actually connects more than one source.