Tighter FTC Breach Notification Rules Now Effective For Non-HIPAA Covered Handlers Of Health Information While HIPAA Covered Entities Face Continuing Duties Under HIPAA


Health and fitness mobile application developers and other businesses that collect or handle electronic or other health care information but are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) should evaluate whether they must comply with the personal health record (“PHR”) breach notification requirements of the recently amended Federal Trade Commission (“FTC”) Health Breach Notification Final Rule (the “HBN Rule”) and, if subject to the HBN Rule, ensure their compliance taking into account the amendments to the HBN Rule that took effect on July 29, 2024.

The HIPAA Breach Notification Rule imposes specific requirements on health care providers, health plans, health care clearinghouses and their business associates (“HIPAA Entities”) to protect individually identifiable health information (“PHI”) against improper use, access, disclosure or destruction and to provide breach notification to individuals, the Department of Health and Human Services Office for Civil Rights (“OCR”) and the media if a breach of unsecured electronic protected health information occurs.

To provide for notification of breaches of electronically identifiable health information not covered by HIPAA, the HBN Rule generally requires each vendor of PHRs covered by its rules (“PHR Vendors”) and each PHR related entity that discovers a breach of security of unsecured PHR identifiable health information (“UPHI”) in a PHR it maintains or provides to notify:

  • Each individual who is a citizen or resident of the United States whose UPHI was acquired by an unauthorized person as a result of the security breach;
  • The Federal Trade Commission; and
  • Prominent media outlets serving a State or jurisdiction, if the UPHI of 500 or more residents of that State or jurisdiction is, or is reasonably believed to have been, acquired during the breach.

Applicability Of HBN Rule

Amendments to the HBN Rule that took effect on July 29, 2024, clarify that the HBN Rule breach notification requirements, as well as the other requirements of the HBN Rule, apply more broadly than many parties dealing with PHRs and PHR technologies previously understood. The FTC revised several definitions in the HBN Rule to clarify that it applies to health apps and similar technologies not covered by HIPAA by modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies.” It also revised the definition of “PHR related entity” to make clear that 1) the HBN Rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records and 2) only entities that access or send UPHI to a personal health record, rather than entities that access or send any information to a personal health record, qualify as PHR related entities.

These changes clarify that the HBN breach notification requirements generally apply to providers and developers of websites, mobile applications, or internet-connected devices that provide mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, or diet, or that provide other health-related services or tools, as well as other similar technologies that provide health care services and supplies, and related technologies not covered by HIPAA.

Other Changes & Clarifications To HBN Rule

  • Breach Of Security: The Final Rule clarifies that a “breach of security” includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Clarifying Multiple Sources Of PHR Identifiable Health Information: The FTC clarified what it means for a personal health record to draw PHR identifiable health information from multiple sources;
  • Electronic Notification: The FTC expanded the allowable use of email and other electronic means of providing clear and effective notice to consumers of a breach;
  • Expanding Required Consumer Notice Content: The amendments to the HBN Rule expand the required content that notifications of breaches must include. For example, the notice is required to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security;
  • Changing Notification Timing: The amendment to the HBN Rule changes the deadline for providing breach notification to the FTC under the rule. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security; and
  • Improving readability: The amendments to the HBN Rule also include changes to improve the rule’s readability and promote compliance.

HIPAA-Covered Breaches

HIPAA Entities are reminded that, in addition to HIPAA’s broadly applicable Privacy, Security and Breach Notification Rules, OCR also has promulgated specific guidance about mobile applications and related technology. This mobile application guidance, among other things, addresses risk analysis, configuration to reduce risks, and workforce training on appropriate use when HIPAA Entities use mobile application technologies.

OCR also has adopted specific requirements on the use of online tracking technologies by HIPAA Entities to collect and analyze information about how users interact with regulated entities’ websites or mobile applications. While the U.S. District Court for the Northern District of Texas, in Am. Hosp. Ass’n v. Becerra, — F. Supp. 3d —-, No. 4:23-cv-1110, 2024 WL 3075865 (N.D. Tex. June 20, 2024), ruled unlawful and invalidated the portion of this rule that provides that HIPAA obligations are triggered in “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers,” the remainder of that rule remains effective. HIPAA Entities should ensure compliance with both of these rules as well as all other applicable HIPAA breach and other rules.

To aid in this process, OCR has published various tools and resources on building privacy and security protections into mobile application technologies including the following:

  • Mobile Health Apps Interactive Tool – The Federal Trade Commission (FTC), in conjunction with OCR, the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), has updated the popular Mobile Health Apps Interactive Tool. This tool is designed to help developers of health-related mobile apps, including HIPAA-regulated entities, understand what federal laws and regulations might apply to them. The guidance tool asks developers a series of questions about the nature of their app, including its function, the data it collects, and the services it provides to users. Based on a developer’s answers to those questions, the guidance tool points the app developer toward detailed information about certain federal laws that might apply. These include the FTC Act, the FTC’s Health Breach Notification Rule, the Health Insurance Portability and Accountability Act (HIPAA) Rules, the Federal Food, Drug, and Cosmetic Act (FD&C Act), the Children’s Online Privacy Protection Rule (COPPA), and the 21st Century Cures Act and ONC Information Blocking Regulations.
  • Health App Use Scenarios & HIPAA – This guidance details various use scenarios for mHealth applications and explains when an app developer may be acting as a business associate under the HIPAA Rules.
  • Access Right, Apps, and APIs – View frequently asked questions about how the HIPAA Rules apply to covered entities and their business associates with respect to the right of access, apps, and application programming interfaces (APIs).
  • Health Information Technology – View frequently asked questions on HIPAA and health IT.
  • Guidance on HIPAA & Cloud Computing – OCR developed guidance to assist HIPAA covered entities and business associates, including cloud services providers (CSPs), in understanding how they can use cloud computing technologies while complying with their HIPAA obligations.

These resources can be helpful both for HIPAA Entities seeking to comply with HIPAA and for non-HIPAA covered entities seeking to comply and manage risks under the HBN Rule.

In the face of these and other Federal and state law rules, all parties dealing with electronic health information should confirm their status under the FTC and OCR Rules and take documented steps to verify, monitor and maintain their compliance with breach notification and other requirements.

About the Author 

Scribe responsible for planning and leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with HHS-OCR for more than a decade and author of many highly regarded publications on HIPAA and other privacy and data security matters, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and a management consultant, author, public policy advocate and lecturer widely known for 35 plus years of HIPAA and other cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations, regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for government contractors and other public and private businesses; managed care and other health and life science, insurance, technology, and other performance and data dependent organizations.

A Fellow in the American College of Employee Benefit Counsel, Immediate Past Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Co-Chair of its International Employment Law Committee, and its Health Care Liaison; Immediate Past Chair of the ABA TIPS Section Medicine & Law Committee; Past Chair of the ABA Managed Care & Insurance Interest Group; Former Chair of the ABA RPTE Employee Benefits & Other Compensation Group and Chair or Co-Chair of its Welfare Benefit Committee for more than 10 years, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. She is known for her skilled combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; health benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law and its rules are rapidly evolving, it is highly likely that subsequent developments could affect the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide, any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™
