Shoppers can find a plethora of apps, trackers, and sensors that hold or capture almost every conceivable form of personal health information. If your business or nonprofit offers products like that or provides certain services to entities that do – and you aren’t subject to HIPAA – you may be covered by the FTC’s Health Breach Notification Rule (HBNR). The FTC has two new publications to help determine if the Rule applies to you and the steps you must take if there’s a breach. The FTC also unveiled another new resource to help you meet your compliance obligations.
Entities covered by the Health Breach Notification Rule must notify their customers, the FTC, and, in some cases, the media if there’s a breach of unsecured, individually identifiable health information. In September 2021, the Commission issued a Policy Statement clarifying that the Rule applies to makers of health apps, connected devices, and similar products. A breach under the HBNR includes both cybersecurity intrusions and instances of unauthorized access – for example, when sensitive health information is disclosed without the user’s authorization.
Looking for a sticky note-sized recap of what the Rule requires? Health Breach Notification Rule: The Basics For Business offers a quick introduction. If you need more detailed guidance, Complying With the FTC’s Health Breach Notification Rule addresses who’s covered, what triggers notification, and what to do if a breach occurs, including the who, when, how, and what of notification. In addition, you’ll find FAQs with answers to questions HBNR-covered organizations are asking.
Even if a business isn’t covered by the Health Breach Notification Rule, the FTC has used Section 5’s prohibition on deceptive and unfair practices to challenge illegal conduct related to the use of consumers’ health information. Of course, prevention is the best medicine, so we’ve created a new Health Privacy page where you’ll find cases, blog posts, and other materials to help companies – especially small businesses – honor established legal standards. The page includes a can’t-miss-it link that entities covered by the Rule can use to report breaches of health information.