On May 30, 2024, the FTC published amendments to its Health Breach Notification Rule (“HBNR” or “Rule”) in the Federal Register, memorializing the Rule’s expanded scope that now explicitly includes direct-to-consumer health and wellness technologies. Effective July 29, 2024, these updates may require companies to re-assess whether the Rule applies to them and revise their incident response processes to comply with new notice obligations.
The final version of the updated HBNR requires foreign and domestic vendors of personal health records (“PHRs”), PHR-related entities, and third-party service providers that maintain information about U.S. citizens or residents to notify individuals, the FTC, and (in some cases) the media of a breach of unsecured PHR identifiable health information. The HBNR sets out specific notification triggers, timelines, content and form requirements, and enforcement penalties. Among other updates, the FTC expanded the HBNR’s application to health apps and similar technologies and the information they handle. Many of the changes introduced by the final Rule were previewed in the FTC’s Notice of Proposed Rulemaking (NPRM), as outlined in our prior post.
While many of the changes merely improve readability (e.g., by clarifying cross-references and streamlining descriptions), other edits in the final Rule expand the scope of companies subject to the HBNR and types of data incidents that need to be reported.
In response to the FTC’s updates, and in preparation for an incident that may trigger these obligations, companies offering connected health and wellness devices or mobile health applications may consider:
Authored by Melissa Bianchi, Alyssa Golay, and Fleur Oke.