The changes clarify the rule’s scope regarding health apps and similar technologies while expanding the information covered entities must provide to consumers in the event of a breach of their health data, according to an April 26 FTC news release.
Under the new rule, vendors of personal health records and related entities not governed by HIPAA are mandated to notify individuals, the FTC and, when applicable, the media, in case of a breach of unsecured personally identifiable health data.
Additionally, third-party service providers to vendors of protected health records must inform such vendors and entities upon the discovery of a breach.
Here are other key revisions to the rule:
- Revised definitions: Definitions such as “PHR identifiable health information” were adjusted to underscore the rule’s applicability to health apps and similar technologies not covered by HIPAA.
- Clarification of breach of security: The rule clarifies that a “breach of security” encompasses unauthorized acquisition or disclosure of identifiable health information resulting from a data security breach.
- Expansion of electronic notification: The final rule permits expanded use of email and other electronic means for notifying consumers of a breach.
- Enhanced consumer notice content: The required content of breach notices to consumers is expanded, including disclosure of any third parties that acquired unsecured PHR identifiable health information due to the breach.
- Modified timing requirement: For breaches involving 500 or more individuals, covered entities must notify the FTC simultaneously with affected individuals, within 60 calendar days of discovering a breach.
The final rule will become effective 60 days after its publication in the Federal Register.