On May 18, 2023, the Federal Trade Commission (“FTC”) announced a notice of proposed rulemaking (the “proposed rule”) to “strengthen and modernize” the Health Breach Notification Rule (“HBNR”). The proposed rule builds on the FTC’s September 2021 “Statement of the Commission on Breaches by Health Apps and Other Connected Devices” (“Policy Statement”), which took a broad approach to when health apps and connected devices are covered by the HBNR and when there is a “breach” for purposes of the HBNR. The proposed rule primarily would (i) amend many definitions that are central to the scope of the HBNR (e.g., “breach of security,” “health care provider,” and “personal health record”), and (ii) authorize expanded means for providing notice to consumers of a breach and require additional notice content. According to the FTC, these changes to the HBNR would ensure the HBNR “remains relevant in the face of changing business practices and technological developments.” Below, we provide a brief summary of the history of the HBNR leading up to this proposed rule, a brief summary of the proposed rule, and a timeline for commenting.

Ariel Dukes
Ariel Dukes is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group.
Ariel provides ongoing privacy and data protection counsel to clients on a broad range of privacy and cybersecurity topics, including topics related to health privacy, privacy policies and data practices, responses to regulatory inquiries, and compliance obligations under U.S. state privacy regulations like the California Consumer Privacy Act.
FTC Announces Second Enforcement Action Under Health Breach Notification Rule Against Fertility App Developer Easy Healthcare
On May 17, the Federal Trade Commission (“FTC”) announced an enforcement action against Easy Healthcare Corporation (“Easy Healthcare”) alleging that it shared users’ sensitive personal information and health information with third parties contrary to its representations and without users’ affirmative express consent, in violation of Section 5 of the FTC Act. It also alleges that Easy Healthcare failed to notify consumers of these unauthorized disclosures, in violation of the Health Breach Notification Rule (“HBNR”). According to the proposed order, Easy Healthcare will pay a $100,000 civil penalty for violating the HBNR and, among other requirements, will be permanently prohibited from sharing users’ personal health data with third parties for advertising purposes. The FTC also noted that Easy Healthcare will pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon for violating their laws.…
HHS Issues Notice of Proposed Rulemaking on HIPAA and the Use and Disclosure of Information Related to Reproductive Health Care
On April 17, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a notice of proposed rulemaking that would revise the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to bar certain uses and disclosures of protected health information (“PHI”) related to reproductive health care. Specifically, the proposed rule (“Rule”) would amend the Privacy Rule to prohibit covered entities or business associates (collectively, “regulated entities”) from using or disclosing PHI for purposes of (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings.
The Rule appears to be designed to further President Biden’s executive order directing HHS to consider actions that would “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.” President Biden issued the order in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.
Below, we provide a brief summary of the proposed changes and a timeline for commenting.…