Listen
to
this
post
On
May
18,
2023,
the
Federal
Trade
Commission
announced
it
is
seeking
comment
to
proposed
changes
to
the
Health
Breach
Notification
Rule
(the
“Rule”).
The
Rule
requires
vendors
of
personal
health
records
(“PHR”),
PHR-related
entities
and
service
providers
to
these
entities,
to
notify
consumers
and
the
FTC
(and,
in
some
cases,
the
media)
in
the
event
of
a
breach
of
unsecured
identifiable
health
information,
including
cybersecurity
intrusions
and
other
instances
of
unauthorized
access.
By
clarifying
the
Rule’s
scope
and
applicability,
and
by
modernizing
allowable
methods
of
notice,
the
proposed
amendments
seek
to
update
the
Rule
to
account
for
technological
change
since
the
Rule’s
issuance,
which
includes
the
proliferation
of
health
apps
and
connected
devices,
and
the
emergence
of
a
widespread
market
for
health
data.
Specifically,
the
FTC’s
proposed
amendments
would:
(1)
clarify
the
Rule’s
scope,
revising
several
definitions
to
explain
the
Rule’s
applicability
to
health
apps
and
similar
technologies
not
covered
by
HIPAA;
(2)
amend
the
definition
of
“breach
of
security”
to
clarify
that
it
includes
data
security
breaches
and
unauthorized
disclosures;
(3)
revise
the
definition
of
“PHR-related
entity”
to
clarify
that
only
entities
that
access
or
send
unsecured
PHR-identifiable
health
information
to
a
personal
health
record
qualify
as
PHR-related
entities;
(4)
clarify
what
it
means
for
a
vendor
of
personal
health
records
to
draw
PHR-identifiable
health
information
from
multiple
sources;
(5)
modernize
the
allowable
methods
of
consumer
notice
by
authorizing
the
expanded
use
of
email
and
other
electronic
notices;
(6)
expand
the
required
content
of
consumer
notices;
and
(7)
improve
the
Rule’s
readability.
Public
comments
on
the
amendments
will
be
due
60
days
after
the
amendments’
publication
in
the
Federal
Register.
About Author
