Health Law Highlights

Don’t Call It a Breach Rule: FTC Health Breach Notification Rule Has Been Here for Years, Now Updated to Serve as a Backdoor Privacy Regulation

Summary of article from Wyrick Robbins Yates & Ponton LLP, by Lynn Percival IV:

In December 2021, the Federal Trade Commission (FTC) began a rulemaking process to update the Health Breach Notification Rule (HBNR), which mandates notice following a security breach of unsecured personal health records. The FTC has now finalized these updates, expanding the definition of a “breach of security” to include unauthorized uses and disclosures of health information. The updated rule also broadens the terms “personal health records” and “PHR identifiable health information,” potentially encompassing more websites, apps, and data repositories. The definition of “PHR related entity” has also been clarified, expanding the types of organizations subject to the rule. The updated rule will be effective 60 days after its publication in the Federal Register, with violations potentially resulting in significant civil penalties.