FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy

by | May 15, 2024 | Data Breach Laws, FTC (Federal Trade Commission), HIPAA, Legislation & Rulemaking, Other

On April 26, 2024, the Federal Trade Commission (FTC) finalized significant changes to the Health Breach Notification Rule (HBNR), a regulation originally designed to ensure that personal health records (PHRs) and similar digital health platforms notify consumers in the event of a data breach. With the explosive growth of health apps, wearable devices, and direct-to-consumer digital health services, these updates clarify the rule’s applicability to technologies outside the scope of HIPAA and impose stricter notification and transparency requirements on companies handling sensitive health data.

This development signals a major shift in digital health regulation, placing non-HIPAA-covered entities under heightened scrutiny. But beyond app developers and consumer health platforms, these updates carry broad implications for Health Information Exchanges (HIEs) and Health Information Networks (HINs), which are at the forefront of data interoperability and patient information sharing.

[UPDATED: a copy of the Final Rule (89 Fed. Reg. 47028 (May 30, 2024)) can be downloaded here]

Key Updates to the Health Breach Notification Rule

The HBNR was originally implemented in 2009 as part of the HITECH Act, primarily targeting PHR vendors and related entities that collect health data but fall outside HIPAA’s jurisdiction. The FTC’s 2024 revisions aim to modernize the rule, aligning it with the realities of today’s tech-driven healthcare ecosystem.

1. Health Apps and Digital Platforms Clearly Covered

The FTC expanded the definition of PHR identifiable health information to explicitly cover health apps, wearable devices, and online health services that collect or share health data.

The rule now applies to entities offering health-related services via digital platforms, APIs, and mobile applications.

2. Unauthorized Data Sharing Now Considered a Breach

A “breach of security” now includes unauthorized disclosures, not just hacking incidents.

This means if a health app shares user data with advertisers or analytics platforms without proper consent, it could trigger breach notification requirements.

3. Stronger Consumer Notification Requirements

Companies must notify affected users electronically (via email or other digital means) to ensure faster communication.

Consumer notices must now include the names (or descriptions) of third parties that acquired breached data, increasing transparency around data-sharing practices.

For breaches affecting 500 or more individuals, the FTC must be notified at the same time as impacted users.

4. Tighter Deadlines for Breach Notifications

Organizations must notify individuals “without unreasonable delay” and no later than 60 days after discovering a breach.

This brings HBNR reporting timelines closer to HIPAA’s breach notification requirements.

5. Enforcement Actions and Compliance Expectations

The FTC has already demonstrated its willingness to enforce these rules, citing recent settlements with GoodRx and Easy Healthcare (Premom app) for failing to adequately protect and disclose consumer health data practices.

The Broader Impact: What This Means for HIEs, HINs, and Health Data Interoperability

While the HBNR primarily targets consumer health apps, its impact will inevitably extend to Health Information Exchanges (HIEs) and Health Information Networks (HINs)—the backbone of health data interoperability.

1. HIEs and HINs Will Face Increased Pressure to Monitor Third-Party Data Sharing

Many HIEs and HINs facilitate data exchange between HIPAA-covered entities (hospitals, providers, payers) and non-HIPAA-covered consumer health platforms. These new rules create a heightened expectation that data intermediaries ensure compliance when transmitting health data to PHRs, health apps, or patient portals.

HIEs and HINs must reassess their vendor relationships to ensure any connected third-party apps follow FTC breach notification rules.

If an HIE facilitates data sharing with non-HIPAA-regulated entities, those entities must be contractually obligated to comply with HBNR.

2. Stricter Consent and Data Use Transparency for HIE-Connected Apps

Many HIEs integrate with third-party apps and patient portals to enable individuals to access and manage their health data.

Under these new rules, HIEs will likely need to implement stronger patient consent mechanisms before routing data to non-HIPAA-covered platforms.

Clearer disclosures about data use and third-party access will be required to avoid violations.

3. Potential Need for Dual Compliance with HIPAA and HBNR

Some HIEs operate in a hybrid model, exchanging data between HIPAA-regulated entities and non-HIPAA-covered applications.

These organizations will now need to track compliance with both HIPAA and FTC rules, adding new complexity to regulatory oversight.

4. Push Toward Greater Regulatory Alignment Between HIPAA and Consumer Health Data Protection

The FTC’s move to strengthen HBNR mirrors recent HIPAA modernization efforts, signaling a potential shift toward greater regulatory alignment.

Policymakers may continue expanding protections for patient-generated health data, leading to new frameworks that bring HIPAA and FTC rules closer together.

What’s Next: Preparing for a Stricter Regulatory Environment

With the new HBNR rules set to take effect 60 days after their publication, digital health platforms, HIEs, and HINs must act quickly to ensure compliance.

Steps Organizations Should Take Now:

🔹 Review Data-Sharing Agreements: Ensure any third-party apps, PHRs, or non-HIPAA-covered partners follow the new breach notification requirements.

🔹 Strengthen Consent Mechanisms: Implement clearer, more transparent user agreements and privacy notices before sharing data with non-traditional health platforms.

🔹 Enhance Incident Response Plans: Update breach detection and notification policies to meet the FTC’s stricter timelines and disclosure requirements.

🔹 Align Compliance Efforts with HIPAA & HBNR: Organizations operating in both HIPAA and non-HIPAA health data ecosystems should streamline compliance strategies to avoid regulatory conflicts.

Conclusion: A New Era of Digital Health Accountability

The FTC’s final rule changes to the Health Breach Notification Rule mark a pivotal moment for digital health regulation. While the primary focus is on consumer health apps and PHRs, the ripple effects will reshape the broader health data ecosystem, including HIEs, HINs, and health data interoperability frameworks.

As regulators continue closing loopholes in consumer health data protection, organizations handling patient information—whether under HIPAA or FTC jurisdiction—must be proactive in safeguarding data, ensuring compliance, and building patient trust in an increasingly digital health landscape.

The future of health data exchange is evolving, and those who prioritize privacy, transparency, and regulatory alignment will be best positioned to navigate this changing environment.
