FTC Privacy Protection Rule Expands Data Breach Reporting


The Federal Trade Commission (FTC) announced changes to the Health Breach Notification Rule (HBNR) in April 2024 that apply broadly to digital health, health apps, and similar products. The changes expand the rule to cover vendors of public health information and related entities, in addition to the health care entities covered under HIPAA. The intent of the rule is to protect individuals who use health data apps and devices, and it expands what covered entities must tell consumers if there has been a breach of their data. The changes take effect on July 29, 2024, following publication in the Federal Register on May 30, 2024.

Protecting patient privacy is garnering much regulatory attention after the Change Healthcare and HealthEquity data breach incidents. The emergence of digital health records, telemedicine, and wearable health technology makes safeguarding patient information a significant challenge.

Understanding the FTC’s role in health care privacy protection, its regulatory powers, and how the new HBNR changes impact breach response protocols can help affected organizations prepare to meet the new reporting requirements effectively.

The FTC’s Role

The FTC was established in 1914 with a mandate to protect consumers and promote competition. Over the years, its role has expanded to include the oversight of privacy and data security practices across various industries.

In health care, the FTC is known for scrutinizing health care transactions for potential antitrust conduct, as well as seeing that companies adhere to fair practices regarding the collection, use, and protection of personal health information (PHI).

Regulatory Powers

The FTC enforces several laws and regulations that have significant implications for health care privacy, including but not limited to:

  • Section 5 of the FTC Act. This provision prohibits unfair or deceptive acts or practices in commerce. The FTC uses this authority to take action against companies that fail to adequately protect consumer health data or mislead consumers about their privacy practices.
  • Health Breach Notification Rule. The HBNR requires vendors of personal health records (PHR) and related entities that aren’t covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to vendors of PHRs and PHR-related entities to notify those vendors and PHR-related entities after discovering a breach.
  • Children’s Online Privacy Protection Act (COPPA). Although not exclusive to health care, COPPA is relevant when health apps or services target children under 13, requiring parental consent for data collection.

The FTC recognized that many entities not covered by HIPAA collect, transmit, and share sensitive consumer health information, and it updated and expanded the HBNR to reach them.

Impact on Health Care Industry

The FTC’s increased focus on health care privacy has had a profound impact on the industry. Companies are now more vigilant about their data protection practices and are investing heavily in cybersecurity measures. The threat of FTC enforcement has prompted health care providers, app developers, and other stakeholders to enhance their privacy policies and ensure compliance with relevant regulations.

Moreover, the FTC’s actions have raised public awareness about the importance of health care privacy. Consumers are becoming more informed about their rights and are demanding greater transparency and security from health care companies.

Challenges and Future Directions

Despite its success in regulating health care privacy, the FTC faces several challenges. The rapid pace of technological innovation means that new privacy threats are constantly emerging. Additionally, the overlap between the FTC’s jurisdiction and that of other regulatory bodies, such as the Department of Health and Human Services (HHS), which enforces HIPAA, can create confusion and complicate enforcement efforts.

Looking ahead, the FTC is likely to continue its proactive stance in health care privacy. This may involve collaborating more closely with other regulators, updating existing rules to address new technologies, and continuing to hold companies accountable for privacy violations.

Steps for Navigating a Potential Data Breach

In the event of a data breach, here are some considerations for health care organizations working through their response:

  • Identify and contain the breach
  • Notify key stakeholders, such as key personnel, IT, legal, and the compliance team, about the breach
  • Assess the breach’s scope and impact
  • Conduct an investigation
  • Notify affected individuals
  • Report to authorities
  • Support affected individuals
  • Fix vulnerabilities
  • Enhance security measures
  • Improve policies
  • Train employees

Next Steps

The FTC’s emergence in health care privacy marks a significant shift in the regulatory landscape. As health care becomes increasingly digital, the need for robust privacy protections is more critical than ever. The FTC’s efforts to enforce privacy laws and promote fair practices play a vital role in safeguarding consumer health information, ultimately contributing to a more secure and trustworthy health care system.

We’re Here to Help

For more information on mitigating risk under the FTC and health care private equity investing, contact your Moss Adams professional.
