On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and business models.”

The Rule, which first went into effect in 2009, applies only to vendors of personal health records (“PHRs”) and other related entities that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”).  A PHR is an electronic record of individually identifiable health information “that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.”  See 16 C.F.R. § 318.2(d).  Under the Rule, PHR vendors and related entities must notify individuals, the FTC, and possibly the media within 60 days after discovering a breach of unsecured personally identifiable health information, or within 10 days if more than 500 individuals are affected by the breach.

Over the past decade, the FTC has not brought an enforcement action under the Rule and has only received two notifications of data breaches involving more than 500 individuals.  According to the FTC’s notice, this lack of enforcement is due to the fact that PHR vendors and related entities are often HIPAA-covered entities or business associates, and therefore subject to HIPAA’s Breach Notification Rule.  However, more entities may fall within the scope of the FTC’s Rule as the PHR market expands to include more direct-to-consumer technologies and services, such as mobile health applications, platform health tools, and virtual assistants.

The FTC’s review includes standard questions about the benefits and effectiveness of the Rule and whether it should be maintained, revised, or eliminated.  In addition, the FTC is soliciting comments regarding:

  • whether there has been under-notification, over-notification, or an appropriate level of notification as a result of the Rule;
  • whether the Rule’s definitions should be updated to account for legal, economic, or technological changes;
  • whether the Rule’s timing requirements and reporting methods are sufficient;
  • the possible enforcement implications related to direct-to-consumer services and technologies; and
  • if and how the Rule should consider COVID-19-related developments in health care products or services.

The FTC will be accepting comments for a period of 90 days after the notice is published in the Federal Register.