Exploring the FTC’s Enforcement Action for Violation of & Amendments to the Health Breach Notification Rule (HBNR)

The Federal Trade Commission (FTC) is at it again. This time it brings an enforcement action against an ovulation tracking application for:

• deceiving consumers by disclosing sensitive personal data to third-party organizations, including two Chinese companies,
• disclosing users’ sensitive health data to AppsFlyer and Google, and
• failing to comply with the Health Breach Notification Rule (HBNR) by not notifying consumers of these disclosures.

This is the FTC’s second enforcement action under the HBNR following a settlement announced in February with a telehealth and prescription drug discount provider.

According to the complaint, the company misled users by repeatedly and deceptively representing in its privacy policies that it wouldn't disclose their medical records to third parties without consent and that any data it did collect was non-identifiable and only used for internal analytics or marketing. However, the company violated its promises and deceived the consumers by using third-party automated tracking tools, also known as software development kits (SDKs), and sharing consumers' sensitive health information for the purposes of advertising without obtaining their express consent. Such conduct on behalf of the company constitutes a violation of the FTC’s HBNR.

As a result, the proposed order issued by the FTC imposes a $100,000 civil penalty for violating the HBNR and the company will also be:

• permanently barred from sharing users’ personal health data with third parties for advertising;
• required to obtain users’ consent before sharing health data for any other purpose;
• required to inform consumers how their personal data will be used;
• required to retain the user’s personal data as long as necessary to achieve the goals for which it was obtained;
• prohibited from misrepresenting the company’s privacy policies going forward and forced to comply with the HBNR notification requirements for any future security breach;
• required to request the deletion of data it shared with third parties;
• required to send and post a consumer notice outlining the allegations and settlement made by the FTC; and
• required to implement comprehensive security and privacy policies with robust protections to protect customer data.

FTC’s Proposed Amendments to Strengthen and Modernize the HBNR

On May 18, 2023, the FTC also published some amendments to the HBNR for public consultation, which aim to extend the scope of the HBNR to health apps and other similar technologies. FTC’s proposed amendments to the HBNR come in light of evolving company procedures and technological advancements as more consumer health data is being collected, increasing the likelihood of businesses utilizing or disclosing sensitive data for marketing and other purposes. The FTC has proposed the following changes to the HBNR:

• several definitions have been updated to clarify how the rule applies to health apps and other similar non-HIPAA technologies. Additionally, two new definitions for "health care provider" and "health care services or supplies" are added, as well as the definition of "PHR identifiable health information" is modified;
• defining what constitutes a "breach of security" to clarify that breach of security includes unauthorized acquisition of PHR identifiable health information resulting from a data security breach or unauthorized disclosure;
• revising the definition of PHR related entity to make clear that:
  • the entities offering products and services through the online services, including mobile applications, of vendors of personal health records are also included; and
  • that entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—are PHR related entities.
• defining what it means for a personal health record to obtain PHR-identifiable health information from various sources;
• authorizing for increased use of email and other electronic tools to notify consumers of breaches in a straightforward and efficient manner;
• expanding the mandatory information that must be included in the consumer’s notice. For instance, the notice would have to detail any potential harm brought on by the breach and list any third parties who may have obtained any unsecured personally identifiable health information; and
• adding modifications to make the rule easier to understand and encourage compliance.

Best Practices to Comply with the Health Breach Notification Rule (HBNR)

An enforcement action of any magnitude isn’t good for business. Companies dealing with health data have a legal obligation to protect the privacy and confidentiality of this sensitive information and ensure compliance with relevant laws and regulations. Here’s how companies should comply with the HBNR to avoid enforcement actions and noncompliance penalties and build consumer trust:

Understand the HBNR requirements

Learn about the particular specifications included in the HBNR. Review the rule to comprehend what constitutes a breach, who is in charge of reporting it, when it must be reported, and what information must be included in breach notifications.

Establish breach response protocols

Develop comprehensive breach response guidelines that specify what must be done in the event of a healthcare data breach. This should include a clear chain of command, employees assigned to handling breach responses, and a strategy for determining and mitigating the breach's impact.

Conduct risk assessments

Regularly assess the systems and procedures used by the organization to discover vulnerabilities and potential hazards to protected health information (PHI). This includes assessing physical security measures, personnel training, access controls, and security controls.

Implement security safeguards

Implement appropriate security measures like intrusion detection systems, access controls, firewalls, and encryption. Ensure your organization follows relevant security regulations, such as the HIPAA Security Rule, and complies with industry best practices.

Train employees on breach prevention and response

Employees should receive thorough training on the value of protecting PHI, identifying potential breaches, and reporting such incidents immediately. To ensure prompt action in the case of a breach, employees should also get training on breach response methods.

Establishing a breach notification plan

In the event of a data breach or other security issue involving health data, organizations should have a mechanism in place for handling it, including notifying affected individuals and regulatory authorities as required by law.

Document all breach incidents

Maintain comprehensive records of every breach incident, including the type of breach, the people or entities impacted, the actions taken to control and mitigate the breach, and the notifications sent. This documentation demonstrates compliance and answers any regulatory questions.

Regularly review and update breach response plans

Breach response strategies should be reviewed and updated frequently to account for new risks and regulatory updates.

How Can Securiti Help?

Securiti, by harnessing the power of automation, enables organizations to leverage its DataControls Cloud and overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, which allow organizations to meet security, privacy, governance, and compliance obligations around data.

Securiti’s multiple automation modules, such as privacy policy and notice management, consent management, and third-party consent, enable you to comply with HBNR and evolving data privacy laws and avoid non-compliance penalties.

Request a demo to witness Securiti in action.