What to Know About the Proposed Changes to the FTC's Health Breach Notification Rule

In a rapidly evolving digital landscape, the protection of personal health information has become a critical concern. In response to the growing complexities of health data privacy, the Federal Trade Commission (FTC) proposed significant updates to the Health Breach Notification Rule. These changes aim to address the challenges posed by the proliferation of health apps and wearable devices that collect sensitive health data, often without adherence to the Health Insurance Portability and Accountability Act (HIPAA) rules. In this article, we delve into the implications of these proposed changes and the diverse perspectives they have garnered.

A Shift in the Landscape

The proposed changes to the Health Breach Notification Rule come after a decade of its existence. This update acknowledges the drastic transformation the healthcare sector has undergone, with the rise of direct-to-consumer technologies collecting vast amounts of health data. These technologies, including health apps and wearable devices, have raised concerns due to their collection of sensitive health information that falls outside the purview of HIPAA.

Key Proposed Changes

  1. Broadening the Scope of the Rule: The proposed changes broaden the definition of entities subject to the Rule, encompassing health care providers, health services, and even wellness-related platforms. This extended scope aims to cover health apps and technologies that were not previously considered under the Rule.

  2. Expanding the Definition of a Security Breach: The update redefines a security breach to encompass unauthorized acquisition of identifiable health information resulting from unauthorized disclosure or data breaches. This change emphasizes the importance of consumer consent and secure data handling.

  3. Clarification of Data Collection: The proposed rule clarifies that a Personal Health Record (PHR) must have the technical capacity to draw information from multiple sources, regardless of whether that functionality is actively used. This aims to ensure that consumers are protected regardless of the platform's capabilities.

  4. Modernizing Notice Methods: In line with changing consumer interaction patterns, the update allows electronic notices through various channels, including email, text messaging, within-application messaging, and electronic banners.

  5. Expansion of Notice Content: Companies will be required to provide additional information in breach notifications, including a description of potential harm, full names of third parties with access to breached data, and a broader range of exposed health information types.

Feedback on the Proposed Changes

  1. User Consent and Transparency: Advocates for user consent and transparency, such as Mozilla, emphasize the need for clearly defined authorization language and user consent in data sharing. The aim is to prevent data misuse and enhance user trust in health apps.

  2. Unintended Consequences: Critics, including the Identity Theft Resource Center (ITRC), point out potential negative consequences of electronic notifications, which might hide significant data breaches from public scrutiny. They suggest aligning the rule with state laws requiring broader public notice.

  3. Reproductive Health Protection: Organizations like Planned Parenthood stress the importance of protecting sensitive sexual and reproductive health data. They recommend explicit definitions in the rule to ensure safe usage of health apps without fear of data misuse.

  4. Data Broker Coverage: Public interest groups, such as the U.S. Public Interest Research Group, push for the rule to cover data brokers like Tremor, to prevent the aggregation of consumer health signals for targeted advertising.

  5. Harmonizing with HIPAA: Healthcare Information and Management Systems Society (HIMSS) suggests aligning the definition of PHR with HIPAA to ensure comprehensive health data coverage and proactive privacy practices.

  6. Expanding Protection: American Medical Informatics Association (AMIA) suggests a broader definition of a breach, expanding protection to usernames/passwords and ensuring comprehensive security measures to prevent data breaches.

  7. Balancing and Narrowing: The Consumer Technology Association (CTA) advocates for narrowing the rule's scope to avoid overreach, focusing on entities that gather health-related information. They also propose simplifying notice content.

The FTC's proposed changes to the Health Breach Notification Rule represent a significant step toward modernizing health data privacy protection. As digital health technologies continue to flourish, ensuring the security and privacy of sensitive health information remains paramount. The diverse perspectives on the proposed changes reflect the complexities of this issue, from the need for clear user consent to concerns about public awareness of data breaches. Ultimately, striking a balance between innovation, user trust, and data security will be crucial in shaping the future of health data privacy regulation.
