FTC Expands Health Data Breach Rules to Cover Apps, Similar Tech

The Federal Trade Commission has widened protections for consumers’ health data collected by digital health tools through its final revisions of the Health Breach Notification Rule.

The updated HBNR broadens its reach to encompass health apps and similar technologies not covered by the Health Insurance Portability and Accountability Act. It means companies that fall under the said category are now required to comply with the rule’s notification protocols, the FTC said.

The revised rule also requires companies to disclose details such as the identities of any third parties who may have accessed unsecured health information during a breach.

Covered entities are also now required to notify the FTC of data breaches involving 500 or more individuals at the same time they notify their affected customers. The notification must be released within 60 days after the discovery of the security breach.

The final rule also streamlines communication by allowing electronic notifications via email.

The rule amendments come on the heels of recent enforcement actions against companies such as GoodRx and Easy Healthcare for violating the HBNR.

The final HBNR, which resulted in a split decision in the commission, will take effect 60 days after its publication in the Federal Register.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Cybersecurity

Join Us Now