The Federal Trade Commission (FTC) recently updated the HIPAA Health Breach Notification Rule (HBNR) to better safeguard consumer health information in today’s digital age. This update is particularly relevant for organisations that handle health data, including those that may not be covered by HIPAA.

HIPAA, or the Health Insurance Portability and Accountability Act, is the existing regulation that protects sensitive patient data within the healthcare industry. However, HIPAA doesn’t cover everything. The HBNR addresses data privacy concerns for health apps and similar technologies not covered by HIPAA.

Let’s explore how this update impacts your organisation and the steps you might need to take to ensure compliance.

Who should care about the HIPAA health breach notification update?

This primarily applies to businesses and entities dealing with health data electronically, especially those not covered by HIPAA. This includes:

  • Health app developers. The Rule now explicitly covers health apps and similar technologies.
  • Personal health record (PHR) vendors. These vendors and related entities must comply with the updated notification procedures.
  • Other health data companies. Organisations offering products or services through online platforms that handle health information need to review their compliance.

The HIPAA health breach notification rule specifically applies to organisations operating in the United States, but the implications can extend beyond US borders. It’s important to consider the location of the health data and any international data transfers involved. Below are some nuances to consider.

  • Global reach of US companies. If a US-based organisation handles the health data of individuals worldwide, it might still need to comply depending on the data’s location and the specific breach scenario.
  • International data transfers. Organisations transferring health data from the US to other countries may need to consider additional regulations depending on the destination country’s data privacy laws.

What you can do about the HIPAA health breach notification update

The FTC’s updated health breach notification rule strengthens data security and notification requirements for organisations handling health information. Here is what you can do to ensure compliance.

Understand the scope

  • Review the applicability. Determine if your organisation falls under the definition of a “covered entity” under the HIPAA health breach notification rule. This includes vendors of PHRs, health apps, and entities offering products or services through their online platforms.
  • Conduct an impact assessment. Once you have determined that your organisation falls under the definition of “covered entity”, conduct an impact assessment to determine how the HIPAA health breach notification update impacts your organisation.

Strengthen data security

  • Implement strong security measures. Focus on preventing unauthorised access to health data through measures like encryption, access controls, and regular security assessments.
  • Conduct a data protection health check. Michalsons offers a health check that your organisation can take from time to time (we recommend it annually) to check whether it has an effective data protection programme and security measures.

Enhance breach notification procedures

  • Update notification procedure. Develop a clear process for identifying, investigating, and reporting data breaches involving unsecured health information.
  • Prioritise clear communication. Use plain language and multiple channels like email and text messages to reach affected individuals promptly. The notification should be “clear and conspicuous” and “reasonably understandable.” Michalsons has trained hundreds of people on plain legal language in both public and private workshops. Contact us to find out how we can empower your organisation.
  • Shorten notification timelines. For breaches impacting 500 or more individuals, notify the FTC simultaneously with notifying affected consumers. This needs to happen “without unreasonable delay” and no later than 60 days after the breach discovery.

By taking these steps, you can ensure you are meeting the FTC’s expectations for data security and breach notification under the updated HBNR. This will not only protect consumer privacy but also minimise the risk of penalties for non-compliance.

Overview of the HIPAA health breach notification update

The FTC is taking a stronger stance on protecting health information with an updated HBNR. This update reflects the growing use of health apps and wearable devices, ensuring these technologies are held accountable for safeguarding your sensitive data.

What is the health breach notification rule?

The HBNR requires companies that handle your electronic health records (outside of HIPAA regulations) to notify you, the FTC, and potentially even the media if there’s a data breach.

What’s new in the updated rule?

The FTC listened to public feedback and made several key changes.

  • Revised definitions. The rule now clearly applies to health apps, ensuring they are held to the same data security standards as other health data providers.
  • Clarified breach of security. The update clarifies what constitutes a “breach of security,” including both unauthorised access and accidental disclosures of health information.
  • Expanded use of electronic notification. The rule expanded on the use of emails and other electronic means of notifying consumers of the breach.
  • Expanded on consumer notice content. The rule expanded on the content which should be included in the notice to consumers.
  • Changed timing requirement. For breaches affecting 500 or more people, companies must notify the FTC simultaneously with the affected individuals.
  • Improved readability. The FTC is promoting clear and concise communication by requiring companies to use plain language and multiple channels (like email) to reach you in case of a breach.

Why this matters

With the increasing popularity of health apps and connected devices, this update is crucial for ensuring your health information remains secure. The FTC is actively enforcing the HBNR, taking action against companies like GoodRx and Easy Healthcare for failing to comply.

Actions to take next

  • Ensure that your organisation has the necessary safeguards in place by asking Michalsons to conduct a data protection health check and updating your privacy policies.
  • Empower yourself with the necessary knowledge for data protection compliance by joining our data protection programme.
  • Determine the impact the updated notification rule has on your organisation by asking Michalsons to conduct an impact assessment for you.