
by Eric Perakslis & Andrea Downing

On April 26, 2024, the Federal Trade Commission (FTC) issued its finalized changes to the Health Breach Notification Rule. Some may remember the prior history of the FTC failing to provide protections for health groups back in 2019. At the time patients raised an FTC complaint about the privacy of ‘Closed’ groups, yet the complaint went unheeded. It is notable to see, after five years, that the tides are turning toward stronger consumer protection and health privacy.

With copious input from stakeholders across the health data economy, the finalized rule fills multiple data disclosure loopholes without hindering greatly needed innovation. The transparent application of extensive public input represents a welcome example of participative government as well as a unique window into the highly varied players, including healthcare providers, patient advocacy groups and technology/data companies. But it is the impacts on, and the opinions of, the advertising industry that provide the most enlightening view of the healthcare surveillance economy. Below is a reflection on the key elements within the rule, and on the debate in the public comments.

While top of mind with respect to health data regulation is the Health Insurance Portability and Accountability Act (HIPAA), administered by Health and Human Services (HHS), the Federal Trade Commission (FTC), which exists to protect consumers (and most patients are also consumers) from fraudulent and predatory business practices, serves a supporting role in healthcare by administering 16 CFR Part 13, the Health Breach Notification Rule.  Specifically, the Rule requires ‘vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media’.

Key elements of the updated final rule include clarification of the rule’s scope, a revised definition of and guidance on personal health record (PHR) related entities, a revised definition of breach of security that includes unauthorized disclosures, clarification of the nature of ‘authorization’, an altered timing requirement for notification of breaches, modernization of the method of notice, as well as other expanded content and improved readability. Even more interesting and enlightening were the public comments which the FTC included throughout the notice.

The format was simple: a topic was raised, and the FTC commissioners who authored the notice related the varying perspectives for or against each element of the rule. The FTC then plainly shared its decision and exactly how the issue was codified in the final rule.

Don’t disclose health information without proper authorization.

The debate on this element of the Final Rule was more revealing and interesting than the final decision from the FTC. For example, on most issues where the Commission sought to expand the types of entities, actors or services accountable to the new rule, the protestations were often answered by the pragmatic response, ‘it only matters if you suffer a breach. Don’t suffer a breach and you are not accountable’.

Healthcare is currently reaping the bitter harvest of a decade of largely ignoring cyberthreats and its own culpability for extensive digitization without commensurate protections, and this is exactly the message that may inspire more responsible behaviors from the industry. In 2021, the American Hospital Association reported 36,241,815 hospitalizations in the United States, and during the same period 40,099,751 medical records were stolen. Tough love is still love, and clearly healthcare organizations and all who handle healthcare data must recommit to protecting consumers and patients.

Within this general theme of accountability, there were several overarching issues addressed by the rule. First, the FTC made it clear that health breach accountability goes beyond healthcare providers and gave many examples of health or wellness apps that hold personal health information and that will be held accountable. Key to this accountability were the requirements that a health app hold personal health information and that it obtain health data from multiple sources. An example of these elements from the notice is shown in the breakout box below.

Health Advertisers: our health data is not your business model.

Perhaps the most telling element of the debate about the Final Rule was the feedback on most of the changes from marketing and advertising institutions and industry groups. These groups pushed back almost wholesale on each proposed change. This is not surprising. In advertising, consumer data trade and utilization are key elements of the current business model, but recent studies of the impacts of advertising technologies such as web trackers, including our own, have put the advertising and hospital industries on both the defensive and the offensive against steps by HHS to protect consumers and patients from these types of predatory activity.

Specifically, the marketing and advertising industry pushed back on almost every element of the proposed changes, including the definition of a health provider, the definition of a data breach, the updated definition of a PHR, and changes to the requirements and formats for breach notification to consumers. Reasons cited included the creation of disincentives to advertising and, frequently, that these types of changes are not what Congress intended in the original lawmaking.

Of course, that lawmaking precedes the internet age, so neither the technology nor the related potential harms were considered by Congress during that original rulemaking. Sticking to its guns, at multiple points the Commission acknowledged the concerns raised but responded in a direct manner: ‘The Commission is not persuaded that applying the Rule to health apps and similar technologies will have deleterious consequences for individual firms or competition or result in over-notification of consumers. Importantly, the only obligation the Rule imposes is to notify the Commission, consumers, and, in some cases, the media of a breach of unsecured PHR identifiable health information’.

De-identification remains a legal privacy placebo.

This second front in the battle for patient privacy, the other being healthcare cybersecurity, is essential to understand. Back in November of 2023, Salesforce, a longtime industry leader in customer relationship management (CRM) software, called out the exploitative practices of the tech industry with its ‘your data is not our business model’ campaign. Indeed, the exact opposite has occurred in healthcare. Companies from monopolistic electronic medical record provider EPIC to individual hospitals continue to rush to monetize health data, and this rulemaking will, thankfully, chill elements of that practice. Unfortunately, this rulemaking also missed an opportunity. The Commission chose not to make any specific changes with respect to de-identified health data, although some of the changes will impact accountability in the de-identified health data market.

We feel that this is a mistake given the carte blanche that de-identification provides to researchers and commercial entities. For example, most institutional review boards (IRBs) will exempt research based upon de-identified data from review; as a result, most research utilizing de-identified health data is never even presented to an IRB to ensure the rights and welfare of the unconsented ‘participants’. De-identified data is created and traded in a completely unregulated fashion despite the ease of re-identification and the large number of resulting potential harms.

Regardless, we gratefully commend the FTC and the Commission members for their excellent work on the updated breach notification final rule and look forward to continuing progress to protect consumers and patients from unauthorized disclosure of our health information.
