Tech & Innovation in Healthcare

Reader Questions:

Get to Know the HBNR

Question: I read the article “Unauthorized Data Sharing Results in Monetary Penalties” in Tech and Innovation in Healthcare, Volume 3, Issue 7. Could you explain the Health Breach Notification Rule?

Colorado Subscriber

Answer: Sure! The Health Breach Notification Rule (HBNR) requires entities holding personal health records to notify consumers after a breach occurs that involves sensitive information. The entities must also tell the government.

Essentially, if a malicious threat actor accesses personal medical records held by a healthcare organization, medical billing company, or health insurance company, then the breached organization must alert the federal government and the consumers. This allows the consumers to take necessary steps to protect their information from being misused.

On May 18, 2023, the Federal Trade Commission (FTC) proposed changes to strengthen the HBNR and refine how it applies to health apps and related technologies. Several of the proposed amendments include, but are not limited to:

  • Clarifying how the HBNR applies to health apps and technologies not covered by HIPAA;
  • Explaining what constitutes a security breach under the rule; and
  • Allowing email and other electronic means of communication to notify consumers.

“The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release.

The FTC is seeking written comments by Aug. 8, 2023.