FTC finalizes revised Health Breach Notification Rule, expanding its scope and updating companies' obligations – Nexus Vista

Overview of the Rule

The final version of the updated HBNR requires foreign and domestic vendors of personal health records ("PHRs"), PHR-related entities, and third-party service providers that maintain information about U.S. citizens or residents to notify individuals, the FTC, and (in some cases) the media of a breach of unsecured PHR identifiable health information of an individual. The HBNR sets out specific notification triggers, timelines, content/form requirements, and enforcement penalties. Among other updates, the FTC expanded the HBNR's application to health apps and other similar technologies and data. Many of the changes introduced by the final Rule were previewed in the FTC's Notice of Proposed Rulemaking (NPRM), as outlined in our prior post.

Key Changes

While many of the changes merely improve readability (e.g., by clarifying cross-references and streamlining descriptions), other edits in the final Rule expand the scope of companies subject to the HBNR and the types of data incidents that must be reported.

  • Increased scope. The Rule's new definitions for PHR and PHR identifiable health information now cover a broader swath of health and wellness apps and technologies, calling out websites, mobile apps, and internet-connected devices not traditionally considered in scope, such as apps that only track vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, or diet.
  • Expanded definition of breach. The Rule's revised definition of breach includes unauthorized disclosures of health information in addition to the traditional breach definition of unauthorized access to or acquisition of data.
  • New methods of notice. The Rule permits use of email, along with other electronic methods of notice such as text, in-app messaging, and electronic banners, as acceptable means of providing individual notice of a breach.
  • New notice content and form requirements. The Rule requires additional incident details and design details to be included in the individual breach notice, such as the full name or identity of any third parties that acquired individual information, and the use of short, explanatory sentences or bullet lists whenever possible.
  • Extended timeline for notice to the FTC. The Rule extends the timeline for notifying the FTC of an incident involving over 500 individuals from ten business days to 60 days, aligning notice to the FTC with notice to individuals and the media.

Next Steps

In response to the FTC's updates, and in preparation for an incident that may trigger these obligations, companies offering related health and wellness devices or mobile health applications may consider:

  • Confirming the scope of potentially covered offerings and data;
  • Updating incident response processes; and
  • Assessing whether notification procedures may need to be updated.


Authored by Melissa Bianchi, Alyssa Golay, and Fleur Oke. 
