- On June 3, 2024
Federal rules to protect the privacy and data security of individuals’ personally identifiable health information (widely known as the HIPAA privacy and security rules) have been in place since 2000. However, many entities that collect, hold, interact with, and/or sell people’s personal health data are not subject to the HIPAA rules at all. Examples include wearable vendors like Fitbit and healthcare discount organizations like GoodRx. A new final rule issued by the Federal Trade Commission (FTC) makes it clear that vendors of personal health records (“PHRs”) and related entities that are not covered by HIPAA must notify affected individuals and the FTC if they have a data breach, and must also notify the media when the breach is large enough.
The FTC first issued a rule in 2009 to protect PHRs collected and held by entities that do not fall under the HIPAA privacy and data security rules. However, the 2009 rule had its limits, particularly concerning its scope. In the 15 years since its publication, the number of health applications, other services, and vendors that collect and interact with personal health data has exploded. The new rule clarifies that the FTC requirements and protections apply to “any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.” Third-party service providers of such entities also must comply.
In addition to clarifying the scope of the FTC requirements, the new rule revises the definition of “breach of security” to make clear that it covers not only large-scale data security breaches but also individual or smaller-scale unauthorized disclosures, including disclosures an entity makes on purpose without the individual’s authorization. It modernizes the methods entities may use to notify consumers affected by an unauthorized disclosure or a data breach and provides detailed examples of notice content. The rule also updates the requirements to inform the FTC, the public, and the media about any large-scale data breach. It makes very clear that entities subject to the rule face civil enforcement action by the FTC and civil penalties if they do not comply. The new rule takes effect on July 29, 2024.