A version of this article was published in the August edition of Healthcare News.
The Federal Trade Commission (FTC) announced final changes to the Health Breach Notification Rule (HBNR) in April 2024. The amended rule applies broadly to digital health services, health apps, and similar technologies, and it clarifies that the rule covers vendors of personal health records (PHRs) and PHR related entities that are not covered entities under HIPAA. The intent of the rule is to protect individuals who use health apps and connected devices, and it expands what these entities must tell consumers when their data has been breached. The changes go into effect on July 29, 2024, following publication in the Federal Register on May 30, 2024.
Protecting patient privacy is garnering more regulatory attention after the Change Healthcare and HealthEquity data breach incidents. The growth of digital health records, telemedicine, and wearable health technology makes safeguarding patient information a significant challenge.
Understanding the FTC’s role in health care privacy protection, its regulatory powers, and how the new HBNR changes impact breach response protocols can help affected organizations prepare to meet the new reporting requirements effectively.
The FTC was established in 1914 with a mandate to protect consumers and promote competition. Over the years, its role has expanded to include the oversight of privacy and data security practices across various industries.
In health care, the FTC is known for scrutinizing transactions for potential antitrust conduct and for ensuring that companies adhere to fair practices in the collection, use, and protection of personal health information.
The FTC enforces several laws and regulations that have significant implications for health care privacy, including but not limited to:
The FTC recognized that many entities outside HIPAA's scope collect, transmit, and share sensitive consumer health information without being regulated by HIPAA, and the HBNR was updated and expanded to address them.
The FTC’s increased focus on health care privacy has had a profound impact on the industry. Companies are now more vigilant about their data protection practices and are investing heavily in cybersecurity measures. The threat of FTC enforcement has prompted health care providers, app developers, and other stakeholders to enhance their privacy policies and ensure compliance with relevant regulations.
Moreover, the FTC’s actions have raised public awareness about the importance of health care privacy. Consumers are becoming more informed about their rights and are demanding greater transparency and security from health care companies.
Despite its success in regulating health care privacy, the FTC faces several challenges. The rapid pace of technological innovation means that new privacy threats are constantly emerging. Additionally, the overlap between the FTC’s jurisdiction and other regulatory bodies, such as the Department of Health and Human Services (HHS) which enforces HIPAA, can create confusion and complicate enforcement efforts.
Looking ahead, the FTC is likely to continue its proactive stance in health care privacy. This may involve collaborating more closely with other regulators, updating existing rules to address new technologies, and continuing to hold companies accountable for privacy violations.
Here are some considerations for health care organizations working through a potential data breach:
The FTC’s expanding role in health care privacy marks a significant shift in the regulatory landscape. As health care becomes increasingly digital, the need for robust privacy protections is more critical than ever. The FTC’s efforts to enforce privacy laws and promote fair practices play a vital role in safeguarding consumer health information, ultimately contributing to a more secure and trustworthy health care system.
For more information on mitigating FTC regulatory risk, including in health care private equity investing, contact your Moss Adams professional.