2023-06-09
FTC Proposes Amendment to Health Data Breach Notification Rule
The US Federal Trade Commission (FTC) has published a notice of proposed rulemaking in the Federal Register. The proposed rule would amend the FTC’s Health Breach Notification Rule to add health app developers to the entities that are required to report data breaches. The FTC is accepting public comment through August 8, 2023.
Editor's Note
This also refines the definition of a Personal Health Record (PHR) and reinforces the requirement to report breaches of health records not covered by HIPAA. Having a consolidated reference will help those impacted. Our demand to monitor and track our fitness has resulted in a plethora of applications and devices to meet that demand, often delivered with an eye on time-to-market, not data security and reporting. This rule change puts those meeting the demand on notice they have skin in the game. If you're collecting personal health information, or creating applications which do, you may want to weigh in on reporting requirements.

Lee Neely
Requiring apps that handle/store personal health records to meet breach disclosure requirements was floated for public comment in 2020 with little to no pushback – it makes sense. Especially as we now see Apple and other health app/device vendors starting to meet increased consumer demands for privacy and making claims for higher levels of personal health data protection.

John Pescatore
Read more in
Federal Register: Health Breach Notification Rule
SC Magazine: FTC to take aim at health apps with updated breach notification rules