The Federal Trade Commission (FTC) has announced a new Health Breach Notification Rule (HBNR) to take effect on June 29, 2024. This is not a HIPAA rule, but senior living communities and healthcare providers should understand HBNR and its application. 

HBNR applies primarily to online health apps, websites and vendors that collect health care data from consumers and other sources. While HBNR does not apply to entities already covered by HIPAA, many entities, including senior living communities, partner with online vendors to deliver health and wellness services to their residents and patients.   

The FTC rule follows recent enforcement actions, including actions against GoodRx and others for sharing consumer health data with advertising and marketing firms. 

HBNR applies to businesses offering health-related technologies that have the ability to collect health data from multiple sources in a way that creates an electronic personal health record (PHR). Similar to “protected health information” under HIPAA, a PHR includes health data collected from online sources that track or monitor an individual’s health information, such as vital signs, sleep patterns, mental health, genetic information, diet, medication use, etc. Some critics of the new rule, including two dissenting FTC commissioners, have expressed concern that HBNR is too broad, possibly extending to online retailers of general fitness products, such as sneakers and vitamins. In response, FTC guidance states that the online offerings must relate “more than tangentially” to health, but no bright line test is provided.    

If HBNR is applicable, a vendor that breaches the security of a consumer’s PHR (including the unauthorized sharing of PHR with a third party), must provide prompt notice of the breach to the consumer, and in some cases to the FTC. Similar to a breach notice under HIPAA, the HBNR notice must be provided within 60 days after discovery of the breach. 

The new HBNR rule adds to the plethora of privacy restrictions that senior living communities and healthcare providers now must navigate, even when HIPAA does not apply. For example, in May of last year, Pennsylvania amended its Breach of Personal Information Notification Act to include “any” entity that stores electronic medical information, even senior living entities that are not technically health care providers.

However, even if HBNR is not directly applicable, senior living communities and healthcare providers should be knowledgeable about its requirements before partnering with online vendors to ensure that these vendors are compliant with the new requirements. This will serve to protect their residents and patients, as well as their investment in new technologies, which will likely include artificial intelligence in the not too distant future. 

If you have any questions about the FTC’s Health Breach Notification Rule or compliance with the rule or other privacy laws, please contact partner Christopher J. Churchill or any member of Barley Snyder’s Senior Living or Health Care industry groups.