The Federal Trade Commission announced it has finalized changes to the Health Breach Notification Rule (HBNR) that will strengthen and modernize the rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data.

Modifications to the regulation

  1. Updating Definitions: The Commission has updated several definitions to emphasize the applicability of the final rule to health apps and similar technologies not governed by HIPAA. This includes altering the definition of “PHR identifiable health information” and introducing new definitions for “covered health care provider” and “health care services or supplies.”
  2. Specifying Security Breaches: The rule now specifies that a “breach of security” encompasses unauthorized access to identifiable health information, whether through a data security incident or an unauthorized disclosure.
  3. Amending the Definition of PHR Related Entity: The definition of “PHR related entity” has been refined in two significant ways relevant to the rule’s scope. It now specifies that the rule applies to entities that provide products and services via the online services of personal health record vendors, including mobile apps. It also restricts the definition to entities that access or transmit unsecured PHR identifiable health information to a personal health record.
  4. Clarifying Information from Multiple Sources: The rule clarifies the criteria for a personal health record to incorporate PHR identifiable health information from various sources.
  5. Enhancing Electronic Notifications: The final rule permits broader use of email and other electronic methods for sending clear and effective breach notifications to consumers.
  6. Broadening Notice Requirements: The content required in consumer notifications has been expanded. Notices must now identify any third parties that obtained unsecured PHR identifiable health information as a result of the breach, either by name or, where disclosing the full name would pose a risk, by description.
  7. Adjusting Notification Timelines: The final rule changes the timing for notifying the FTC about breaches impacting 500 or more individuals. Covered entities must now notify the FTC concurrently with affected individuals, doing so promptly and no later than 60 calendar days after identifying a breach.
  8. Improving Clarity and Compliance: The final rule also includes modifications to enhance clarity and facilitate compliance.

The rule takes effect 60 days after its publication in the Federal Register.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified
