FTC finalizes revised well being breach notification rule increasing its scope and updating firms’ obligations – Fin Serve

Overview of the Rule

The ultimate model of the up to date HBNR requires international and home distributors of non-public well being information (“PHRs”), PHR-related entities, and third-party service suppliers that keep details about U.S. residents or residents to inform people, the FTC, and (in some instances) the media of a breach of unsecured PHR identifiable well being info of a person. The HBNR units out particular notification triggers, timelines, content material/type necessities, and enforcement penalties. Amongst different updates, the FTC expanded the HBNR’s utility to well being apps and different comparable applied sciences and data. Most of the adjustments launched by the ultimate Rule have been previewed within the FTC’s Discover of Proposed Rulemaking (NRPM), as outlined in our prior publish.

Key Modifications

Whereas most of the adjustments merely enhance readability (e.g., by clarifying cross-references and streamlining descriptions), different edits within the closing Rule increase the scope of firms topic to the HBNR and sorts of knowledge incidents that must be reported.

  • Elevated scope. The Rule’s new definitions for PHR and PHR identifiable well being info now cowl a broader swath of well being and wellness apps and applied sciences, calling out web sites, cell apps, and internet-connected gadgets not historically thought-about in scope resembling apps that solely monitor very important indicators, signs, bodily features, health, fertility, sexual well being, sleep, psychological well being, genetic info, or weight loss plan.
  • Expanded definition of breach. The Rule’s revised definition for breach contains unauthorized disclosures of well being info along with the normal breach definition of unauthorized entry or acquisition of data.
  • New strategies of discover. The Rule permits use of electronic mail together with different digital strategies of discover, resembling textual content, in-app messaging, and digital banners, as acceptable technique of offering particular person discover of a breach.
  • New discover content material and type necessities. The Rule requires extra incident particulars and design particulars be included within the particular person breach discover, resembling the complete title or id of any third events that acquired particular person info and use of quick, explanatory sentences or bullet lists every time potential.
  • Prolonged timeline for discover to FTC. The Rule extends the timeline for notifying the FTC of an incident involving over 500 people from ten enterprise days to 60 days, aligning discover to the FTC with discover to people and the media. 

Subsequent Steps

In response to the FTC’s updates and in preparation of an incident that will set off these obligations, firms providing related well being and wellness gadgets, or cell well being purposes might take into account:

  • Confirming the scope of doubtless coated choices and knowledge;
  • Updating incident response processes; and
  • Assessing whether or not notification procedures might must be up to date.


Authored by Melissa Bianchi, Alyssa Golay, and Fleur Oke. 

Leave a Comment