Health Breach Notification Rule
Notice of proposed rulemaking; request for public comment.
CFR Part: "16 CFR Part 318"
Citation: "88 FR 37819"
Page Number: "37819"
"Proposed Rules"
Agency: "
SUMMARY: The
DATES: Written comments must be received on or before
ADDRESSES: Interested parties may file a comment online or on paper by following the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write "Health Breach Notification Rule, Project No. P205405" on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address:
FOR FURTHER INFORMATION CONTACT: Ryan Mehm (202) 326-2918,
SUPPLEMENTARY INFORMATION: The amendments would: (1) clarify the Rule's scope, including its coverage of developers of many health applications ("apps"); (2) amend the definition of breach of security to clarify that a breach of security includes data security breaches and unauthorized disclosures; (3) revise the definition of PHR related entity; (4) clarify what it means for a vendor of personal health records to draw PHR identifiable health information from multiple sources; (5) modernize the method of notice; (6) expand the content of the notice; and (7) improve the Rule's readability by clarifying cross-references and adding statutory citations, consolidating notice and timing requirements, and articulating the penalties for non-compliance.
I. Background
FOOTNOTE 1 American Recovery and Reinvestment Act of 2009, Public Law 111-5, 123 Stat. 115 (2009). END FOOTNOTE
FOOTNOTE 2 Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936 (1996). END FOOTNOTE
Specifically, section 13407 of the Recovery Act created certain protections for "personal health records" or "PHRs," /3/ electronic records of PHR identifiable health information on an individual that can be drawn from multiple sources and that are managed, shared, and controlled by or primarily for the individual. /4/
FOOTNOTE 3 42 U.S.C. 17937. END FOOTNOTE
FOOTNOTE 4 42 U.S.C. 17921(11). END FOOTNOTE
FOOTNOTE 5 74 FR 42962 (
The Rule requires vendors of personal health records and PHR related entities to provide: (1) notice to consumers whose unsecured PHR identifiable health information has been breached; (2) notice to the Commission; and (3) notice to prominent media outlets /6/ serving a State or jurisdiction, in cases where 500 or more residents are confirmed or reasonably believed to have been affected by a breach. /7/ The Rule also requires third party service providers (i.e., those companies that provide services such as billing, data storage, attribution, or analytics) to vendors of personal health records and PHR related entities to provide notification to such vendors and entities following the discovery of a breach. /8/
FOOTNOTE 6 The Recovery Act does not limit this notice to particular types of media. Thus, an entity can satisfy the requirement to notify "prominent media outlets" by, for example, disseminating press releases to a number of media outlets, including internet media in appropriate circumstances, where most of the residents of the relevant state or jurisdiction get their news. This will be a fact-specific inquiry that will depend upon what media outlets are "prominent" in the relevant jurisdiction. 74 FR 42974. END FOOTNOTE
FOOTNOTE 7 16 CFR 318.3, 318.5. END FOOTNOTE
FOOTNOTE 8 Id. 318.3. END FOOTNOTE
The Rule requires notice to individuals "without unreasonable delay and in no case later than 60 calendar days" after discovery of a data breach. /9/ If the breach affects 500 or more individuals, notice to the
FOOTNOTE 9 Id. 318.4. END FOOTNOTE
FOOTNOTE 10 Id. 318.5(c). END FOOTNOTE
FOOTNOTE 11 Fed.
FOOTNOTE 12 Fed.
The Rule applies only to breaches of "unsecured" health information, which the Rule defines as health information that is not secured through technologies or methodologies specified by the
FOOTNOTE 13 Per HHS guidance, electronic health information is "secured" if it has been encrypted according to certain specifications set forth by HHS, or if the media on which electronic health information has been stored or recorded is destroyed according to HHS specifications. See 74 FR 19006; see also
FOOTNOTE 14 45 CFR 164.400-414. END FOOTNOTE
Since the Rule's issuance, apps and other direct-to-consumer health technologies, such as fitness trackers and wearable blood pressure monitors, have become commonplace. /15/ Further, as an outgrowth of the COVID-19 pandemic, consumer use of such health-related technologies has increased significantly. /16/
FOOTNOTE 15 See, e.g.,
FOOTNOTE 16 See id.; see also
In
FOOTNOTE 17 85 FR 31085 (
Many of the commenters encouraged the Commission to clarify that the Rule applies to apps and similar technologies. /18/ In fact, no commenter opposed this type of clarification regarding the Rule's coverage of health apps. Several commenters pointed out examples of health apps that have abused users' privacy, such as by disclosing sensitive health information without consent. /19/ Several commenters noted the urgency of this issue, as consumers have further embraced digital health technologies during the COVID-19 pandemic. /20/ Commenters argued that the Commission should take additional steps to protect unsecured PHR identifiable health information that is not covered by HIPAA, both to prevent harm to consumers /21/ and to level the competitive playing field among companies dealing with the same health information. /22/ To that end, commenters not only urged the Commission to revise the Rule, but also to increase its enforcement efforts. /23/
FOOTNOTE 18 E.g., Amer. Health Info. Mgmt. Ass'n ("AHIMA") at 2;
FOOTNOTE 19
FOOTNOTE 20 Lisa McKeen at 2-3;
FOOTNOTE 21 Georgia Morgan; Amer. Acad. of Ophthalmology at 2-3 (arguing that the breach of health information held by a non-HIPAA-covered app, for example, harms the patient-provider relationship, because the patient erroneously believes that the provider is the source of the breach); CHIME at 3 (arguing that apps' privacy practices impact the patient-provider relationship because providers do not know what technologies are sufficiently trustworthy for their patients); AMA at 2-3 (expressing concern that patients share less health data with health care providers, perhaps because of "spillover from privacy and security breaches"). END FOOTNOTE
FOOTNOTE 22
FOOTNOTE 23
1. The Commission's 2021 Policy Statement
On
FOOTNOTE 24 Statement of the
FOOTNOTE 25 16 CFR 318.2(d). END FOOTNOTE
The Commission explained that PHR identifiable health information includes individually identifiable health information created or received by a health care provider, /26/ and that "health care providers" include any entities that "furnish[] health care services or supplies." /27/ Because these health app purveyors furnish health care services to their users through the mobile applications they provide, the information held in the app is PHR identifiable health information, and therefore many app makers likely qualify as vendors of personal health records. /28/
FOOTNOTE 26 Id. 318.2(e). END FOOTNOTE
FOOTNOTE 27 Id. 318.2(e); 42 U.S.C. 1320d(6), d(3). END FOOTNOTE
FOOTNOTE 28 See Policy Statement at 1. END FOOTNOTE
The Policy Statement further explained that the statute directing the
FOOTNOTE 29 The Policy Statement provided this example: "[I]f a blood sugar monitoring app draws health information only from one source (e.g., a consumer's inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone's calendar), it is covered under the Rule." Id. at 2. END FOOTNOTE
FOOTNOTE 30 16 CFR 318.2(a). END FOOTNOTE
FOOTNOTE 31 Policy Statement at 2; 74 FR 42967 (Commentary to 2009 Final Rule) ("On a related issue, the final rule provides that a breach of security means acquisition of information without the authorization 'of the individual.' Some commenters raised questions about how the extent of individual authorization should be determined. For example, if a privacy policy contains buried disclosures describing extensive dissemination of consumers' data, could consumers be said to have authorized such dissemination?
The Commission believes that an entity's use of information to enhance individuals' experience with their PHR would be within the scope of the individuals' authorization, as long as such use is consistent with the entity's disclosures and individuals' reasonable expectations. Such authorized uses could include communication of information to the consumer, data processing, or Web design, either in-house or through the use of service providers. Beyond such uses, the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers' information, unless the consumers exercise meaningful choice in consenting to such sharing.") (citations omitted). END FOOTNOTE
2. Enforcement History
In 2023, the Commission has brought its first enforcement actions under the Rule against vendors of personal health records. In
FOOTNOTE 32 U.S. v.
In its complaint, the Commission alleged that between 2017 and 2020,
FOOTNOTE 33 In addition, the Commission alleged that
Similarly, on
FOOTNOTE 34 U.S. v.
3. Summary of Proposed Rule Changes
Having considered the public comments, described in further detail below, and its Policy Statement, the Commission now proposes to revise the Rule, 16 CFR part 318, in seven ways.
* First, the Commission proposes to revise several definitions in order to clarify the Rule and better explain its application to health apps and similar technologies not covered by HIPAA. Consistent with this objective, the proposed Rule would modify the definition of "PHR identifiable health information" and add two new definitions ("health care provider" and "health care services or supplies"). These changes are consistent with a number of public comments supporting the Rule's coverage of these technologies.
* Second, the Commission proposes to revise the definition of breach of security to clarify that a breach of security includes an unauthorized acquisition of PHR identifiable health information in a personal health record that occurs as a result of a data security breach or an unauthorized disclosure.
* Third, the Commission proposes to revise the definition of PHR related entity in two ways. Consistent with its clarification that the Rule applies to health apps, the Commission first proposes clarifying the definition of "PHR related entity" to make clear that the Rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. In addition, the Commission proposes revising the definition of "PHR related entity" to provide that entities that access or send unsecured PHR identifiable health information to a personal health record--rather than entities that access or send any information to a personal health record--are PHR related entities.
* Fourth, the Commission proposes to clarify what it means for a personal health record to draw PHR identifiable health information from multiple sources.
* Fifth, in response to public comments expressing concern that mailed notice is costly and not consistent with how consumers interact with online technologies like health apps, the Commission proposes to revise the Rule to authorize electronic notice in additional circumstances. Specifically, the proposed Rule would adjust the language in the "method of notice section" and add a new definition of the term "electronic mail." The proposed Rule also requires that any notice delivered by electronic mail be "clear and conspicuous," a newly defined term, which aligns closely with the definition of "clear and conspicuous" codified in the
FOOTNOTE 35 16 CFR 313.3(b). The
* Sixth, the proposed Rule would expand the required content of the notice to individuals, to require that consumers whose unsecured PHR identifiable information has been breached receive additional important information, including information regarding the potential for harm from the breach and protections that the notifying entity is making available to affected consumers. In addition, the proposed Rule would include exemplar notices, which entities subject to the Rule could use to notify consumers in terms that are easy to understand.
* Seventh, in response to public comments, the Commission proposes to make a number of changes to improve the Rule's readability. Specifically, the Commission proposes to include explanatory parentheticals for internal cross-references, add statutory citations in relevant places, consolidate notice and timing requirements in single sections, respectively, of the Rule, and add a new section that plainly states the penalties for non-compliance.
Finally, this Notice also includes a section discussing several alternatives the Commission considered but is not proposing. Although the Commission has not put forth any proposed modifications on those issues, the Commission nonetheless seeks public comment on them.
The Commission believes that the proposed changes are consistent with the language and intent of the Recovery Act, will address the concerns raised by the public comments, and will ensure that the Rule remains relevant in the face of changing business practices and technological developments. The Commission invites comment on the proposed rule revisions generally and on the specific issues outlined through section III. Written comments must be received on or before
II. Analysis of the Proposed Rule
The following discussion analyzes the proposed changes to the Rule.
1. Clarification of Entities Covered
The Commission proposes revisions to clarify the Rule's treatment of health apps and similar technologies not covered by HIPAA. As the Commission's Policy Statement makes clear, many health apps and similar technologies not covered by HIPAA are covered by the
FOOTNOTE 36 See supra note 18. END FOOTNOTE
First, consistent with one commenter's recommendation, /37/ the Commission proposes revising "PHR identifiable information" to import language from section 1171(6) of the Social Security Act, 42 U.S.C. 1320d(6), which is included in the current Rule only by cross-reference to that statute. /38/ This revision is not substantive and is being proposed to improve readability.
FOOTNOTE 37 See
FOOTNOTE 38 The HBN Rule, as currently drafted, defines "PHR identifiable health information" as "individually identifiable health information," as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information: (1) That is provided by or on behalf of the individual; and (2) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. See 16 CFR 318.2(e). Section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)) states: "The term 'individually identifiable health information' means any information, including demographic information collected from an individual, that--
(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and--
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual." END FOOTNOTE
As revised, "PHR identifiable information" would be defined as information (1) that is provided by or on behalf of the individual; (2) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual; (3) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (4) is created or received by a health care provider, health plan (as defined in 42 U.S.C. 1320d(5)), employer, or health care clearinghouse (as defined in 42 U.S.C. 1320d(2)).
The Commission believes that this definition covers traditional health information (such as diagnoses or medications), health information derived from consumers' interactions with apps and other online services (such as health information generated from tracking technologies employed on websites or mobile applications or from customized records of website or mobile application interactions), /39/ as well as emergent health data (such as health information inferred from non-health-related data points, such as location and recent purchases). /40/ The Commission requests comment as to whether any further amendment of the definition is needed to clarify the scope of data covered.
FOOTNOTE 39 In the Matter of
FOOTNOTE 40 See, e.g.,
The proposed Rule also defines a new term, "health care provider," in a manner similar to the definition of "health care provider" found in 42 U.S.C. 1320d(3) (and referenced in 1320d(6)). Specifically, the proposed Rule defines "health care provider" to mean a provider of services (as defined in 42 U.S.C. 1395x(u) /41/ ), a provider of medical or other health services (as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing health care services or supplies.
FOOTNOTE 41 Under 42 U.S.C. 1395x(u), the term "provider of services" means a hospital, critical access hospital, rural emergency hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, or, for purposes of section 1395f(g) and section 1395n(e) of this title, a fund. END FOOTNOTE
The proposed Rule adds a new definition for the term "health care services or supplies" to include any online service, such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools. /42/ The Commission's proposed definition of "health care services or supplies" is based on a number of factors, including the Commission's institutional knowledge, expertise, and law enforcement experience in health data technology. This definition is designed to reflect the current state of technology for health apps and connected devices, as well as emerging technological capabilities that the Commission has observed through its investigatory, enforcement, and policy work.
FOOTNOTE 42 See Joint Statement of Commissioner
These changes clarify that developers of health apps and similar technologies providing these types of "health care services or supplies" qualify as "health care providers" under the Rule. Accordingly, any individually identifiable health information these products collect or use would constitute "PHR identifiable health information" covered by the Rule. These changes also clarify that mobile health applications are, therefore, "personal health records" covered by the Rule (as long as the other conditions set forth in the definition of "personal health record" are met), and accordingly the developers of such applications are "vendors of personal health records." /43/ The proposed definition of "health care services or supplies" clarifies the Rule's scope in two ways. First, it makes clear that the Rule applies generally to online services, including websites, apps, and internet-connected devices that provide health care services or supplies. Second, it illustrates that the Rule covers online services related not only to medical issues (by including in the definition terms such as "diseases, diagnoses, treatment, medications") but also wellness issues (by including in the definition terms such as fitness, sleep, and diet). The Commission intends to ensure app developers understand their notice obligations, even if an app is positioned as a "wellness" product rather than a "health" product.
FOOTNOTE 43 The mobile health applications covered as "vendors of personal health records" under the Rule are distinct from the "online applications" referenced in footnote 78 of the 2009 Statement of Basis and Purpose as "PHR related entities." Footnote 78 from the 2009 Statement of Basis and Purpose states that PHR related entities include "online applications through which individuals connect their blood pressure cuffs, blood glucose monitors, or other devices" so they can track the results through their personal health records. See 74 FR 42962, 42969 n.78 (2009). Footnote 78 refers narrowly to online applications that collect health information from a single source and transfer it to a personal health record maintained separate and apart from the PHR related entity by the PHR vendor. In other words, a PHR related entity sends health information to a personal health record which the PHR related entity does not itself maintain. END FOOTNOTE
The Commission's proposed changes are consistent with the public comments, which recommended the Rule cover health apps and similar technologies. /44/ In revising and adding these definitions, Commission staff also sought informal input from staff at the Federal agencies that interpret or enforce the referenced statutory provision, 42 U.S.C. 1320d, including staff at HHS. The Commission's definition of "health care provider" differs from, but does not contradict, the definitions or interpretations adopted by HHS. /45/ The Commission's proposed definition is consistent with the statutory scheme established by
FOOTNOTE 44 See supra note 18. END FOOTNOTE
FOOTNOTE 45 Although in other contexts HHS has defined the term "health care provider" based upon a more limited understanding of that term (e.g., referring primarily to persons and entities such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), its definition does not contradict or preclude an interpretation of the referenced statutory provision, 42 U.S.C. 1320d, that encompasses developers of health applications and similar technologies. END FOOTNOTE
Topics on Which the Commission Seeks Public Comment
The Commission seeks comment as to whether these changes sufficiently clarify the Rule's application to purveyors of health apps and similar technologies that are not covered by HIPAA. The Commission also seeks comment as to whether the proposed rule, as explained here, makes clear to the market which entities are covered by the Rule and under what circumstances. As the Commission has explained, the Rule is intended to cover developers and purveyors of health apps and internet-connected health devices, such as fitness trackers, that are not covered by HIPAA. The Commission seeks comment as to whether the proposed changes and added definitions would apply to entities that offer other technologies and, if so, whether these definitions include appropriate distinctions. If the scope should be limited, the Commission seeks comment as to how that limitation could be effected through the Rule's language, consistent with the language and purpose of the Recovery Act. The Commission seeks comment on defining "health care provider" in a manner that is broader than a more limited definition of that term used in other contexts (e.g., referring primarily to persons and entities such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies /46/ ). And, finally, the Commission seeks comment on the definition of "health care services or supplies," including whether any modifications should be made to this definition.
FOOTNOTE 46 See, e.g.,
2. Clarification Regarding Types of Breaches Subject to the Rule
The Commission proposes a definitional change to clarify that a breach of security under the Rule encompasses unauthorized acquisitions that occur as a result of a data breach or an unauthorized disclosure. The current Rule defines "breach of security" as the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual. /47/ This language mirrors the definition of "breach of security" in section 13407(f)(1) of the Recovery Act. The current Rule also includes a rebuttable presumption for unauthorized access to an individual's data. It states that when there is unauthorized access to data, unauthorized acquisition will be presumed unless the entity that experienced the breach "has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information." /48/
FOOTNOTE 47 16 CFR 318.2(a). END FOOTNOTE
FOOTNOTE 48 16 CFR 318.2(a). END FOOTNOTE
The Commission's proposed changes are consistent with the plain language of the current Rule and the Recovery Act definition of "breach of security." /49/ Additionally, the Commission's Policy Statement makes clear that "[i]ncidents of unauthorized access, including sharing of covered information without an individual's authorization, triggers notification obligations under the Rule," and that a breach "is not limited to cybersecurity intrusions or nefarious behavior." /50/ Further, recent Commission enforcement actions against
FOOTNOTE 49 The commentary to the current Rule already provides guidance on the types of disclosures that the Commission considers to be "unauthorized." For instance, it states: "Given the highly personal nature of health information, the Commission believes that consumers would want to know if such information was read or shared without authorization." It further states that data sharing to enhance consumers' experience with a PHR is authorized only "as long as such use is consistent with the entity's disclosures and individuals' reasonable expectations" and that "[b]eyond such uses, the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers' information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of 'meaningful choice.' " 74 FR 42967. END FOOTNOTE
FOOTNOTE 50 Policy Statement at 2. END FOOTNOTE
FOOTNOTE 51 See AMA at 5-6 ("The
Accordingly, consistent with the Recovery Act definition, the Policy Statement,
Topics on Which the Commission Seeks Public Comment
The Commission seeks comment on (1) whether this addition to the definition of "breach of security" is necessary, given that the definition in the current Rule already encompasses unauthorized acquisitions beyond security breaches, and (2) whether the proposed definitional change sufficiently clarifies for the marketplace the Rule's coverage.
3. Revised Scope of PHR Related Entity
The Commission also proposes revising the definition of "PHR related entity" in two ways that pertain to the Rule's scope. Currently, the Rule defines "PHR related entity" to mean an entity, other than a HIPAA-covered entity or a business associate of a HIPAA-covered entity, that: (1) offers products or services through the website of a vendor of personal health records; (2) offers products or services through the websites of HIPAA-covered entities that offer individuals personal health records; or (3) accesses information in a personal health record or sends information to a personal health record. /52/
FOOTNOTE 52 16 CFR 318.2(f). END FOOTNOTE
First, the Commission proposes language to clarify that PHR related entities include entities offering products and services not only through the websites of vendors of personal health records, but also through any online service, including mobile applications. Commenters urged this change because websites are no longer the only means through which consumers access health information online. /53/ To the contrary, online services such as apps are equally relevant to consumers' online experiences with health information.
FOOTNOTE 53 See, e.g., AHIMA at 2 ("[W]e also recommend that the Commission consider updating the existing definition of a 'PHR-related entity' [sic] at 318.2(f) as 318.2(f)(1) and 318.2(f)(2) appear to focus primarily on products and services offered through a vendor's website and may not be entirely reflective of today's environment as new platforms and related services are increasingly deployed and adopted."; Amer. Acad. of Ophthalmology at 3-4 (recommending that the definition cover apps); PEHRC at 4 (same). END FOOTNOTE
Second, the Commission proposes to revise the third prong of the definition so that only entities that access or send unsecured PHR identifiable health information to a personal health record--rather than entities that access or send any information to a personal health record--qualify as PHR related entities. This change--from any information to unsecured PHR identifiable health information--is intended to eliminate potential confusion about the Rule's breadth and promote compliance by narrowing the scope of entities that qualify as PHR related entities. /54/
FOOTNOTE 54 The revised definition would state that a PHR related entity is an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that (1) offers products or services through the website, including any online service, of a vendor of personal health records; (2) offers products or services through the websites, including any online services, of HIPAA-covered entities that offer individuals personal health records; or (3) accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record. Although the Rule is only triggered when there is a breach of security involving unsecured PHR identifiable health information, the Commission nevertheless believes there is a benefit to revising the third prong of PHR related entity to make clear that only entities that access or send unsecured PHR identifiable health information to a personal health record--rather than entities that access or send any information to a personal health record--are PHR related entities. Otherwise, under the Rule's current formulation, many entities could be a PHR related entity under the definition's third prong and such entities would then, in the event of a breach, need to analyze whether they experienced a reportable breach under the Rule. If an entity, per this proposed revision, does not qualify as a PHR related entity in the first place, there is no need to consider whether it experienced a reportable breach. END FOOTNOTE
As the Rule is currently drafted, for example, a grocery delivery service that integrates with a diet and fitness app could arguably be considered a PHR related entity when the grocery delivery service sends information about food purchases to the diet and fitness app. This expansive reading of the Rule is not consistent with the purposes of the statute or the Commission's intent when it drafted the Rule. The Commission believes that a more appropriate interpretation of the term PHR related entity encompasses entities that access unsecured PHR identifiable health information in a personal health record or send unsecured PHR identifiable health information to a personal health record. Remote blood pressure cuffs, connected blood glucose monitors, and fitness trackers are all examples of devices that could qualify as a PHR related entity when individuals sync them with a personal health record (i.e., mobile health application). /55/
FOOTNOTE 55 For example, the maker of a wearable fitness tracker may be both a vendor of personal health records (to the extent that its tracker interfaces with its own app, which also accepts consumer inputs) and a PHR related entity (to the extent that it sends information to another company's health app). Regardless of whether the maker of the fitness tracker is a vendor of personal health records or a PHR related entity, its notice obligations are the same: it must notify individuals, the
As a result of this proposed change, a firm that performs attribution and analytics services for a health app might be considered both a PHR related entity (to the extent it accesses unsecured PHR identifiable health information in a personal health record) and a third party service provider. This overlap could create competing notice obligations, where, in the event of a breach, the firm would be required to notify individuals and the
The Commission does not intend this result. Instead, the Commission considers firms that perform services such as attribution and analytics for apps and technologies providing healthcare services and supplies to be third party service providers. Such service providers must notify the health app developers for whom they provide services, who in turn would notify affected individuals. /56/ Otherwise, treating such service providers as PHR related entities would create a problematic result for the consumer, who would receive notice from an unfamiliar company. To clarify this issue, the Commission proposes to revise
FOOTNOTE 56 In attempting to help distinguish between PHR related entities and third party service providers, the Commission offers the following observation: in most cases, third party service providers are likely to be non-consumer facing. Thus, examples of PHR related entities include, as noted above, fitness trackers and health monitors when consumers sync them with a mobile health app. Examples of third party service providers include entities that provide support or administrative functions to vendors of personal health records and PHR related entities. END FOOTNOTE
Moreover, this result will create incentives for responsible data stewardship and for de-identification. Specifically, PHR vendors will have incentives to select and retain service providers, such as those that perform attribution or analytics for apps, that are capable of treating data responsibly (e.g., not engaging in any onward disclosures of data that could result in a reportable breach), and incentives to oversee their service providers to ensure ongoing responsible data stewardship (which would avoid a breach). Further, it will create incentives for PHR vendors to avoid breaches by service providers by de-identifying health information before sharing it with any service provider, as de-identification would render the data no longer PHR identifiable health information subject to the Rule.
a. Topics on Which the Commission Seeks Public Comment
The Commission seeks comment on whether additional changes to the Rule would be necessary or helpful to clarify this result. The Commission also requests comment on the following scenario: a third party service provider, such as an analytics firm, receives PHR identifiable health information (e.g., device identifier and geolocation data from which health information about an individual can be inferred) and then sells it to another entity without the consumer's authorization. The Commission considers this to be a reportable breach, even if the consumer consented to the original collection. In such a scenario, the third party service provider would be required to notify the vendor of personal health records or PHR related entity, who in turn would notify affected individuals. The Commission requests comment on this approach, including whether as a policy matter it is advisable under the Rule to require a vendor of personal health records or PHR related entity to notify its customers about such onward disclosures.
The Commission also seeks comment on the definition of "PHR related entity," including the scope. Conversely, the Commission seeks comment as to whether, by limiting the third prong of the definition to entities that access or send unsecured PHR identifiable health information, the proposed definition is too narrow and would exclude entities that should be required to notify consumers of breaches, consistent with the Recovery Act. To assess this question of breadth, the Commission requests comment on what entities are (1) offering products or services through personal health records such as apps; or (2) sending or accessing information, including but not limited to identifiable health information, in health apps and other personal health records. Finally, the Commission requests comment on the potential overlap between the definitions of "PHR related entity" and "third party service provider," and how to sufficiently distinguish between them.
4. Clarification of What it Means for a Personal Health Record To Draw Information From Multiple Sources
The Commission proposes revising the definition of "personal health record" to clarify what it means for a personal health record to draw information from multiple sources. Under the current Rule, a personal health record is defined as an electronic record of PHR identifiable health information that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.
Under the revised definition, a "personal health record" would be defined as an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual. /57/
FOOTNOTE 57 One commenter specifically recommended that the definition of PHR be broadened to "to explicitly include any website, mobile application, or other electronic record system that collects and stores individually identifiable information, including health information, even if it draws that information from a single source."
This change clarifies the application of the statutory definition of a personal health record that can draw information from multiple sources. Adding the phrase "technical capacity to draw information" serves several purposes. First, it clarifies that a product is a personal health record if it can draw information from multiple sources, even if, in a particular instance, the consumer elects to draw information from only a single source. For example, a depression management app that accepts consumer inputs of mental health states and has the technical capacity to sync with a wearable sleep monitor is a personal health record, even if some customers choose not to sync a sleep monitor with the app. Thus, whether an app qualifies as a personal health record would not depend on the prevalence of consumers' use of a particular app feature, like sleep monitor-syncing. Instead, the analysis of the Rule's application would be straightforward: either the app has the technical means (e.g., the application programming interface or API) to draw information from multiple sources, or it does not. Next, adding the phrase "technical capacity to draw information" would clarify that a product is a personal health record if it can draw any information from multiple sources, even if it only draws health information from one source. This change further clarifies the Commission's interpretation of the Recovery Act, as explained in the Policy Statement. /58/
FOOTNOTE 58 Policy Statement at 2. END FOOTNOTE
To illustrate the intended meaning of the proposed revisions to the term "personal health record," the Commission offers the example of two non-HIPAA covered diet and fitness apps available for consumer download in an app store. The proposed Rule makes clear that each is a personal health record.
* Diet and Fitness App Y allows users to sync third-party wearable fitness trackers with the app. Diet and Fitness App Y has the technical capacity to draw identifiable health information both from the user (name, weight, height, age) and the fitness tracker (user's name, miles run, heart rate), even if some users elect not to connect the fitness tracker.
* Diet and Fitness App Y has the ability to pull information from the user's phone calendar via the calendar API to suggest personalized healthy eating options. Diet and Fitness App Y has the technical capacity to draw identifiable health information from the user (name, weight, height, age) and non-health information (calendar entry info, location, and time zone) from the user's calendar.
a. Topics on Which the Commission Seeks Public Comment
The Commission seeks comment as to whether the proposed changes sufficiently clarify the Rule's application to developers and purveyors of products that have the technical capacity to draw information from more than one source. In particular, the Commission invites comment on its interpretation that an app is a personal health record because it has the technical capacity to draw information from multiple sources, even if particular users of the app choose not to enable the syncing features. The Commission also requests comment about whether an app (or other product) should be considered a personal health record even if it only draws health information from one place (in addition to non-health information drawn elsewhere); or only draws identifiable health information from one place (in addition to non-identifiable health information drawn elsewhere). The Commission also requests comment about whether the Commission's bright-line rule (apps with the "technical capacity to draw information" are covered) should be adjusted to take into account consumer use, such as where no consumers (or only a de minimis number) use a feature. For example, an app might have the technical capacity to draw information from multiple sources, but its API is entirely or mostly unused, either because it remains a Beta feature, has not been publicized, or is not popular. The Commission also requests comment on the likelihood of such scenarios.
5. Facilitating Greater Opportunity for Electronic Notice
Fourth, the Commission proposes to authorize expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers. Increasingly, consumers interact with vendors of personal health records (and vice versa) solely online and communicate primarily or exclusively through electronic means.
Currently, the Rule permits notice by either postal mail or, in limited circumstances, email. The Rule provides that vendors of personal health records or PHR related entities that discover a breach of security must provide "[w]ritten notice, by first-class mail to the individual at the last known address of the individual, or by email, if the individual is given a clear, conspicuous, and reasonable opportunity to receive notification by first-class mail, and the individual does not exercise that choice." /59/
FOOTNOTE 59 16 CFR 318.5(a)(1). END FOOTNOTE
Several commenters noted the cost and inconvenience associated with postal mail notice to companies and consumers alike. /60/ Several commenters encouraged the Commission to update the methods of notice to permit notice by electronic means. /61/ Commenters suggested that the Commission revise the Rule to encourage different kinds of electronic notice, including email, in-app messaging, and QR codes. /62/ For example, one commenter stated that the Rule's notice requirement should be updated to permit notification by email or within an application, including through such means as banner, "pop-up," and clickthrough notifications. /63/ This commenter also noted that an electronic communication is more likely to be read by an individual who is using an application, and is more cost effective. /64/ Another commenter urged the Commission to increase the options for breach notification to include email rather than certified mail as the only option. /65/ And another commenter noted that in-app messaging, text messages, and platform messaging are widely used tools and should be allowed to be utilized to more effectively communicate with consumers that consent to them. /66/ This commenter added that it is common sense that consumers should be able to consent to receiving communications under the Rule via these modalities as well as via email. /67/
FOOTNOTE 60
FOOTNOTE 61 The App Ass'n's Connected Health Initiative ("CHI") at 3; CARIN All. at 2;
FOOTNOTE 62 Id. END FOOTNOTE
FOOTNOTE 63
FOOTNOTE 64 Id. END FOOTNOTE
FOOTNOTE 65 All. for Nursing Informatics at 2. END FOOTNOTE
FOOTNOTE 66 CHI at 3. END FOOTNOTE
FOOTNOTE 67 Id. END FOOTNOTE
The Commission recognizes that, as commenters noted, the relationship between vendors of personal health records and PHR related entities, on the one hand, and individuals, on the other, takes place online and increasingly via applications present on devices such as mobile phones and tablets. These applications communicate with individuals by various electronic means, including text, within-application message, and email.
a. Notice via Electronic Mail
Accordingly, the Commission proposes to update this provision to specify that vendors of personal health records or PHR related entities that discover a breach of security must provide written notice at the last known contact information of the individual and such written notice may be sent by electronic mail, if an individual has specified electronic mail as the primary contact method, or by first-class mail.
Authorizing entities to provide notice about a breach of security by electronic mail is consistent with how consumers often receive other communications from these entities and will align with consumers' expectations. As a result, such notices are less likely to be ignored or viewed as suspicious by individuals.
Consistent with this objective, the Commission proposes defining "electronic mail" to mean email in combination with one or more of the following: text message, within-application messaging, or electronic banner. The proposed Rule would facilitate more notice by electronic mail. This new definition of electronic mail would ensure that the notice is both (1) convenient and low-cost (because it is electronic) and (2) unavoidable and consistent with the consumer's relationship with the product. For example, if an app developer is providing notice, it could send written notice by email and in-app message, ensuring that the consumer receives notice in a manner consistent with her experience with the app. Similarly, a website operator could send written notice by email and an electronic banner on the home page of its website. The two prongs of the definition would ensure that a notifying entity cannot select a single form of electronic notice that is unlikely to reach consumers--for example, sending an in-app message alone to app users who do not frequently check in-app notifications.
The goal of structuring the notice in two parts is to increase the likelihood that consumers encounter the notice. Many individuals routinely check email messages, making email a useful vehicle to communicate a breach notification. However, some individuals do not read email often, and these consumers under the proposed definition would also receive notice via text, in-app, or banner notice, thereby increasing the likelihood that they will encounter the breach notification.
The Commission believes any notification delivered via electronic mail should be clear and conspicuous. The proposed Rule defines "clear and conspicuous." Among other things, for a notice to be clear and conspicuous, the notice must be reasonably understandable and designed to call attention to the nature and significance of the information in the notice. The proposed definition of "clear and conspicuous" closely tracks the definition of clear and conspicuous in the
FOOTNOTE 68 16 CFR 313.3(b)(1). END FOOTNOTE
Vendors of personal health records and PHR related entities must obtain consumer consent prior to adopting "electronic mail" as their notification method for affected individuals. The proposed Rule would provide that entities covered by the Rule may send "electronic mail" notifications if the individual user has specified electronic mail as their primary method of communication with the entity. This is consistent with section 13402 of the Recovery Act, which requires that entities can only send notice by electronic mail "if specified as a preference by the individual." The Commission interprets this phrase as allowing entities to send an email or in-app alert notifying their users that they will receive breach notices by electronic mail and offering them the opportunity to opt out of electronic mail notification and instead receive notice by first class mail. The proposed Rule also allows for notification by first-class mail where electronic mail is not available.
b. Model Notice
To assist entities that are required to provide notice to individuals under the Rule, the Commission has developed a model notice that entities may use, in their discretion, to notify individuals. This model notice is attached as Exhibit A to this Notice of Proposed Rulemaking. The Commission invites comment on this model notice, including: (1) whether the model notice should be mandatory and any advantages or disadvantages of mandating use of the model notice; (2) whether and how the model notice could be compatible with the methods of notice contemplated by the proposed definition of electronic mail, such as text, banner and within-application messaging, including whether and how entities could suitably link to model notice language from a text message, /69/ electronic banner, or in-application message; and (3) recommended changes to the substance and format of the model notice.
FOOTNOTE 69 The proposed text message and in-app language in the exemplar notice invites consumers to "Visit [add non-clickable URL] to learn what happened, how it affects you, and what you can do to protect your information." The exemplar proposes a non-clickable URL due to the risk that a clickable URL could expose consumers to, for example, malware or scams. END FOOTNOTE
c. Topics on Which the Commission Seeks Public Comment
The Commission also requests comment on the proposed changes, including whether the definition of "electronic mail" would achieve the Commission's goal to make notice unavoidable and consistent with the consumer's relationship with the product. The Commission also requests comment as to whether this definition would result in over-notification from "duplicate" notices, including the extent to which the proposed two-pronged approach could confuse consumers or reduce the impact that a single notice might have. And the Commission requests comment as to whether this definition is consistent with principles of data minimization, i.e., whether an entity might collect more data (e.g., email or text) than it otherwise would have simply to obtain sufficient information to send notice via "electronic mail" in the event of a breach.
6. Expanded Content of Notice
The Commission proposes several modifications to the content of the required notice to individuals. Currently, the Rule requires that the notice include a description of what happened; a description of the types of unsecured PHR identifiable health information that were involved in the breach; the steps individuals should take to protect themselves from potential harm; a description of what the vendor of personal health records or PHR related entity involved is doing to investigate the breach, to mitigate any losses, and to protect against any further breaches; and contact procedures for individuals to ask questions or learn additional information. /70/ The Commission proposes five changes to the content of the notice.
FOOTNOTE 70 16 CFR 318.6. END FOOTNOTE
a. Summary of Changes to Content of the Notice
First, in
The Commission proposes adding this provision so that individuals better understand the nexus between the information breached and the potential harms that could result from the breach of such information. In some cases, it is unclear to individuals what harms may flow from the breach of their information. The Commission believes it is important to equip individuals with information about the harms they may experience so that they can better understand the potential risks from a breach and determine what steps or measures to take following a breach. The Commission invites comment on this proposed provision, including (1) whether the requirement that the notice describe potential harms would serve the public interest and benefit consumers, (2) whether notifying entities typically possess information following a breach to assess the potential harms to individuals, (3) whether, in the absence of such information, notifying entities may minimize the potential risks by informing individuals that they are unaware of any harms that may result from the breach, (4) how notifying entities, in the absence of known, actionable harm resulting from a breach, should best describe to individuals the potential harms they may experience, and (5) whether additional and more specific data elements may overwhelm or confuse recipients of the notice.
Second, the Commission also proposes to amend the requirements for the notice under
Third, the Commission proposes modifications to
The Commission proposes that this exemplar list be expanded to include additional types of PHR identifiable health information, such as health diagnosis or condition, lab results, medications, other treatment information, the individual's use of a health-related mobile application, and device identifier. The Commission believes it is important for individuals to receive notice of the specific types of PHR identifiable health information involved in a breach, given that the exposure of health information can lead to a wide spectrum of harms. /71/ For example, even the disclosure of an individual's use of a health-related mobile application (e.g., an HIV management app, mental health app, or addiction recovery app) could, depending on the type of health app at issue, lead to a number of potential injuries, including embarrassment, social stigma, more expensive health insurance premiums, or even loss of employment.
FOOTNOTE 71 See, e.g., Fed.
Fourth,
Fifth, the Commission proposes to modify
7. Proposed Changes To Improve Rule's Readability
The Commission proposes several changes to improve the Rule's readability. Specifically, the Commission proposes to include explanatory parentheticals for internal cross-references, add statutory citations in relevant places, consolidate notice and timing requirements in single sections, and revise the Enforcement section to state more plainly the penalties for non-compliance.
a. Explanatory Parentheticals and Statutory References
Throughout the Rule, the Commission proposes to include explanatory parentheticals for each internal cross-reference and add statutory citations to help orient the reader. /72/ The Commission invites comment on whether the inclusion of explanatory parentheticals and statutory citations improves the Rule's readability and promotes comprehension.
FOOTNOTE 72 For example, the Commission proposes to add a statutory citation for the Recovery Act section referenced in the definition of "unsecured," to improve the clarity and readability of this defined term. The revised definition would provide that "unsecured" means PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary of
(1) Consolidated Notice and Timing Requirements
To facilitate reader understanding, the Commission proposes consolidating into single sections, respectively, the Rule's breach notification and timing requirements. Currently, the breach notification requirements are located in sections 318.3 and 318.5 and the timing requirements are located in sections 318.4 and 318.5.
To consolidate the Rule's notice requirements, the Commission proposes to move the provision in
New
FOOTNOTE 73 See supra note 6. END FOOTNOTE
FOOTNOTE 74 As noted above, the Commission does not intend this consolidation of timing requirements to have any effect on the substantive requirements of the Rule. In making this proposed change, minor revisions are required to
Second, to consolidate requirements regarding the timing of notification, the Commission proposes moving timing requirements for notice to the
FOOTNOTE 75 As noted above, the Commission does not intend this consolidation of timing requirements to have any effect on the substantive requirements of these sections. Section 318.5(c) of the proposed Rule would provide: "(c) Notice to
Importantly, the Commission does not intend to make any substantive change to the timing requirements; this change is merely intended to consolidate timing requirements in a single section to improve readability and promote compliance. The Commission requests comment as to whether the inclusion of explanatory parentheticals and the proposed consolidation of timing requirements improves the Rule's readability and will promote compliance.
(2) Revised Enforcement Provision
Commenters suggested that the Rule be revised to specify the penalties for non-compliance. /76/ Currently, the Rule provides that a violation of
FOOTNOTE 76 See
Under section 18 of the FTC Act, 15 U.S.C. 57a, the Commission is authorized to prescribe "rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce" within the meaning of section 5(a)(1) of the FTC Act, 15 U.S.C. 45(a)(1). Once the Commission has promulgated a trade regulation rule, anyone who violates the rule with actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that such act is unfair or deceptive and is prohibited by such rule is liable for civil penalties for each violation. 15 U.S.C. 45(m)(1)(A). Entities that fail to comply with the Rule are subject to penalties of up to
FOOTNOTE 77 16 CFR 1.98; see also
III. Changes Considered but Not Proposed and on Which the Commission Seeks Public Comment
1. Defining Authorization and Affirmative Express Consent
As noted above, when a health app or other device discloses sensitive health information without users' authorization, this is a "breach of security" under the Rule. The Commission considered defining the term "authorization," which appears in
FOOTNOTE 78 The Commission considered defining "affirmative express consent" as follows:
Affirmative express consent means any freely given, specific, informed, and unambiguous indication of an individual's wishes demonstrating agreement by the individual, such as by a clear affirmative action, following a clear and conspicuous disclosure to the individual, apart from any "privacy policy," "terms of service," "terms of use," or other similar document, of all information material to the provision of consent. Acceptance of a general or broad terms of use or similar document that contains descriptions of agreement by the individual along with other, unrelated information, does not constitute affirmative express consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute affirmative consent. Likewise, agreement obtained through use of a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, does not constitute affirmative express consent. END FOOTNOTE
In considering whether to define "authorization" and "affirmative express consent," the Commission considered public comments that argued the Rule should do more to prevent data collection and use without the individual's consent. /79/ Defining these terms to emphasize the importance of meaningful consent would partially address the concerns of some commenters that privacy compliance obligations for entities not covered by HIPAA should be similar to obligations for HIPAA covered entities, both to ensure consistent protections for consumers' health information and to level the competitive playing field among companies holding that information. /80/
FOOTNOTE 79 Lisa McKeen at 1 (recommending that the Rule require "express written acknowledgement and consent of the consumer/person(s) to which this information is personally owned");
FOOTNOTE 80 E.g., OAG-CA at 5. END FOOTNOTE
The Commission is not, however, proposing to make those changes at this time, because the commentary to the current Rule already provides guidance on the types of disclosures that the Commission considers to be "unauthorized." /81/ Further, recent Commission orders, such as
FOOTNOTE 81 See supra note 49. END FOOTNOTE
The Commission seeks public comment about whether the commentary above and
To the extent that including such definitions would be appropriate, the Commission seeks comment on the definitions of "authorization" and "affirmative express consent," as described above, and the extent to which such definitions are consistent with the language and purpose of the Recovery Act. The Commission also seeks comment on what constitutes acceptable methods of authorization, particularly when unauthorized sharing is occurring. For example, the Commission seeks comment on the following: when a vendor of personal health records or a PHR-related entity is sharing information covered by the Rule, is it acceptable for that entity to obtain the individual's authorization to share that information when an individual clicks "agree" or "accept" in connection with a pre-checked box disclosing such sharing? Is it sufficient if an individual agrees to terms and conditions disclosing such sharing but that individual is not required to review the terms and conditions? Or is it sufficient if an individual uses a health app that discloses in its privacy policy that such sharing occurs, but the app knows via technical means that the individual never interacts with the privacy policy?
Relatedly, the Commission seeks comment on whether there are certain types of sharing for which authorization by consumers is implied, because such sharing is expected and/or necessary to provide a service to consumers. Finally, the Commission emphasizes that its decision to not define "authorization" or "affirmative express consent" does not mean that a "breach of security" is limited only to cybersecurity events.
2. Modifying Definition of Third Party Service Provider
The Commission also considered modifying the definition of "third party service provider." Under the Rule, a "third party service provider" means an entity that "(1) [p]rovides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and (2) [a]ccesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services." /82/ The 2009 Notice of Proposed Rulemaking notes that third party service providers include, for example, entities that provide billing or data storage services to vendors of personal health records or PHR related entities. /83/ Although the Commission is not proposing to modify the definition of "third party service provider" at this time, the Commission requests comment on certain issues related to the definition. Given technological changes and the proliferation of new business models that have occurred since the Rule's issuance, the Commission invites comments on the scope of entities that should be considered third party service providers under the Rule. While the 2009 Notice of Proposed Rulemaking provides examples of third party service providers, the examples are illustrative. For example, under the Rule, should all advertising and analytics providers and platforms be considered third party service providers anytime they access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHR identifiable health information when providing services to vendors of personal health records and PHR related entities? Relatedly, the Commission requests comment on what it means to "provide services" under the Rule's definition.
FOOTNOTE 82 16 CFR 318.2(h). END FOOTNOTE
FOOTNOTE 83 74 FR 17917 (
3. Changing Timing Requirements
The Commission also weighed whether to propose changing the Rule's timing requirements. Specifically, the Commission considered public comments about whether the timing requirements were appropriate, /84/ introduced unnecessary delay, /85/ or did not give notifying entities sufficient time to investigate the facts of a breach. /86/ One commenter expressed concern that the timing requirements do not provide consumers with important information as soon as would be valuable to them and there is no compelling reason for delaying notice. /87/ Other commenters, however, expressed concern that entities experiencing a breach may not have sufficient information to be able to give the Commission a meaningful notification within 10 days. /88/ These commenters recommended that the Commission extend the 10-day requirement for the notice to the
FOOTNOTE 84 Lisa McKeen at 5; CHIME at 3;
FOOTNOTE 85 Hilal Johnson at 1. END FOOTNOTE
FOOTNOTE 86 CARIN All. at 2;
FOOTNOTE 87 Hilal Johnson at 1. END FOOTNOTE
FOOTNOTE 88 CARIN All. at 2;
FOOTNOTE 89 45 CFR 164.408 (referencing timing requirement in 404). END FOOTNOTE
Although the Commission has not proposed any timing changes, the Commission requests comments on several issues related to timing. First, the Commission requests comment about the timing of notifications to consumers. In particular, the Commission requests comment regarding whether earlier notification of consumers would better protect them or whether it would lead to partial notifications, because the entity experiencing the breach may not have had time to identify all the relevant facts. Second, the Commission also requests additional comment on the timing of the notification to the
IV. Paperwork Reduction Act
The Commission is submitting this Notice of Proposed Rulemaking and a Supporting Statement to the
The proposed amendments to 16 CFR part 318 would likely result in more reportable breaches by covered entities to the
FOOTNOTE 90 Third party service providers who experience a breach are required to notify the vendor of personal health records or PHR related entity, and then this firm would be required to notify consumers. The Commission expects that the cost of notification to third party service providers would be small, relative to the entities who have to notify consumers. The Commission invites comment on this issue and data that may be used to quantify the costs to third party service providers. END FOOTNOTE
Accordingly, staff has estimated the burdens associated with these proposed information collection requirements as set forth below.
Based on industry reports, staff estimates that the Commission's proposed information collection requirements will cover approximately 170,000 entities, which, in the event that they experience a breach, may be required to notify consumers and the Commission. While there are approximately 1.8 million apps in the
FOOTNOTE 91 See
FOOTNOTE 92 App Store Data (2023)--Business of Apps, https://www.businessofapps.com/data/app-stores/. END FOOTNOTE
FOOTNOTE 93 See App Store Data (2023), supra note 91, which reports 78,764 apps in the
Staff estimates that these entities will, cumulatively, experience 71 breaches per year for which notification may be required. With the proviso that there is insufficient data at this time about the number and incidence rate of breaches at entities covered by the Commission's Rule (due to underreporting prior to issuance of the Policy Statement), staff determined the number of estimated breaches by calculating the breach incidence rate for HIPAA-covered entities, and then applied this rate to the estimated total number of entities that will be subject to the proposed Rule. /94/ Additionally, as the number of breaches per year grew significantly in recent years, /95/ and staff expects this trend to continue, staff relied on the average number of breaches in 2021 and 2022 to estimate the annual breach incidence rate for HIPAA-covered entities.
FOOTNOTE 94 Staff used information publicly available from HHS on HIPAA related breaches because the HIPAA Breach Notification Rule is similarly constructed. However, while there are similarities between HIPAA-covered entities and HBNR-covered entities, it is not necessarily the case that rates of breaches would follow the same pattern. For instance, HIPAA-covered entities are generally subject to stronger data security requirements under HIPAA, but also may be more likely targets for security incidents (e.g., ransomware attacks on hospitals and other medical treatment centers covered by HIPAA have increased dramatically in recent years); thus, this number could be an under- or overestimate of the number of potential breaches per year. END FOOTNOTE
FOOTNOTE 95 According to the
Specifically, the
FOOTNOTE 96 See Breach Portal,
FOOTNOTE 97 In a recent Federal Register Notice ("FRN") on Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, OCR proposes increasing the number of covered entities from 700,000 to 774,331. 86 FR 6446, 6497 (
Costs
To determine the costs for purposes of this analysis, staff has developed estimates for two categories of potential costs: (1) the estimated annual burden hours and labor cost of determining what information has been breached, identifying the affected customers, preparing the breach notice, and making the required report to the Commission; and (2) the estimated capital and other non-labor costs associated with notifying consumers.
Estimated Annual
Estimated Annual Labor Cost:
First, to determine what information has been breached, identify the affected customers, prepare the breach notice, and make the required report to the Commission, staff estimates that covered firms will require per breach, on average, 150 hours of employee labor at a cost of
FOOTNOTE 98 This estimate is the sum of 40 hours of marketing managerial time (at an average wage of
The capital and non-labor costs associated with breach notifications depend upon the number of consumers contacted and whether covered firms are likely to retain the services of a forensic expert. For breaches affecting large numbers of consumers, covered firms are likely to retain the services of a forensic expert.
FOOTNOTE 99 This estimate is the sum of 40 hours of forensic expert time at a cost of
Using the data on HIPAA-covered breach notices available from HHS for the years 2021-2022,
FOOTNOTE 100 HHS Breach Data, supra note 96 (mean of Individuals Affected during breaches 2017-2022). This analysis uses the last six years of HHS breach data to generate the average, in order to account for the variation in number of individuals affected by breaches observed in the HHS data over time. END FOOTNOTE
Based on a recent study of data breach costs, staff estimates the cost of providing notice to consumers to be
FOOTNOTE 101 See IBM Security, Costs of a Data Breach Report 2022 (2022), https://www.ibm.com/reports/data-breach ("2022 IBM Security Report"). The research for the 2022 IBM Security Report is conducted independently by the
FOOTNOTE 102 See 2022 IBM Security Report at 54. END FOOTNOTE
Staff notes that these estimates likely overstate the costs imposed by the proposed Rule because: (1) they assume that all entities covered by the Rule will be required to take all the steps described above; and (2) staff made conservative assumptions in developing many of the underlying estimates. Moreover, many entities covered by the Rule already have similar notification obligations under state data breach laws. /103/ In addition, the Commission has taken several steps designed to limit the potential burden on covered entities that are required to provide notice, including by providing exemplar notices that entities may choose to use if they are required to provide notifications and proposing expanded use of electronic notifications.
FOOTNOTE 103 Many state data breach notification statutes require notification when a breach occurs involving certain health or medical information of individuals in that state. See, e.g., Ala. Code 8-38-1 et seq.; Alaska Stat. 45.48.010 et seq.; Ariz.
The Commission invites comments on: (1) whether the proposed collection of information is necessary for the proper performance of the functions of the
Written comments and recommendations for the proposed information collection should also be sent within 30 days of publication of this document to https://www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting "Currently under Review--Open for Public Comments" or by using the search function. The reginfo.gov web link is a United States Government website produced by OMB and the
V. Regulatory Flexibility Act
The Regulatory Flexibility Act ("RFA"), 5 U.S.C.
The Commission believes that the proposed amendment would not have a significant economic impact upon small entities, although it may affect a substantial number of small businesses. Among other things, the proposed amendments clarify certain definitions, revise the disclosures that must accompany notice of a breach under the Rule, and modernize the methods of notice to allow additional use of electronic notice such as email by entities affected by a breach. In addition, the proposed amendments improve the Rule's readability by clarifying cross-references and adding statutory citations. The Commission does not anticipate these changes will add significant additional costs to entities covered by the Rule and the revisions to allow additional use of electronic notice may reduce costs for many entities covered by the Rule. Therefore, based on available information, the Commission certifies that amending the Rule as proposed will not have a significant economic impact on a substantial number of small entities. Although the Commission certifies under the RFA that the proposed amendment would not, if promulgated, have a significant impact on a substantial number of small entities, the Commission has determined, nonetheless, that it is appropriate to publish an IRFA to inquire into the impact of the proposed amendment on small entities. Therefore, the Commission has prepared the following analysis:
1. Description of the Reasons That Action by the Agency Is Being Considered
The Commission conducts a review of each of its rules ten years after issuance. In
2. Statement of the Objectives of, and Legal Basis for, the Proposed Rule
The objective of the proposed changes is to clarify existing notice obligations for entities covered by the Rule. The legal basis for the proposed Rule is section 13407 of the Recovery Act.
3. Description and Estimate of the Number of Small Entities to Which the Proposed Rule Will Apply
The proposed amendments, like the current Rule, will apply to vendors of personal health records, PHR related entities, and third party service providers, including developers and purveyors of health apps, connected health devices, and similar technologies. As discussed in the Commission's PRA estimates above,
FOOTNOTE 104 2017 SUSB Annual Data Tables by Establishment Industry,
4. Projected Reporting, Recordkeeping and Other Compliance Requirements
The Recovery Act and the proposed Rule impose certain reporting requirements within the meaning of the PRA. The proposed Rule will clarify which entities are subject to those reporting requirements. The Commission is seeking clearance from OMB for these requirements. Specifically, the Act and proposed Rule require vendors of personal health records and PHR related entities to provide notice to consumers, the Commission, and in some cases the media in the event of a breach of unsecured PHR identifiable health information. The Act and proposed Rule also require third party service providers to provide notice to vendors of personal health records and PHR related entities in the event of such a breach. If a breach occurs, each entity covered by the Act and proposed Rule will expend costs to determine the extent of the breach and the individuals affected. If the entity is a vendor of personal health records or PHR related entity, additional costs will include the costs of preparing a breach notice, notifying the Commission, compiling a list of consumers to whom a breach notice must be sent, and sending a breach notice. Such entities may incur additional costs in locating consumers who cannot be reached, and in certain cases, posting a breach notice on a website, notifying consumers through media advertisements, or sending breach notices through press releases to media outlets.
In-house costs may include technical costs to determine the extent of breaches; investigative costs of conducting interviews and gathering information; administrative costs of compiling address lists; professional/legal costs of drafting the notice; and potentially, costs for postage, web posting, and/or advertising. Costs may also include the purchase of services of a forensic expert. The Commission seeks further comment on the costs and burdens of small entities in complying with the requirements of the proposed Rule.
5. Other Duplicative, Overlapping, or Conflicting Federal Rules
The
6. Description of Any Significant Alternatives to the Proposed Rule
In drafting the proposed Rule, the Commission has made every effort to avoid unduly burdensome requirements for entities. In particular, the Commission believes that the proposed changes to facilitate electronic notice will assist small entities by significantly reducing the costs of sending breach notices. In addition, the Commission is also proposing exemplar notices that entities covered by the Rule may use, in their discretion, to notify individuals. The Commission anticipates that these exemplar notices will further reduce the potential burden on entities that are required to provide notice under the Rule. The Commission is not aware of alternative methods of compliance that will reduce the impact of the proposed Rule on small entities, while also comporting with the Recovery Act. The statutory requirements are specific as to the timing, method, and content of notice. Accordingly, the Commission seeks comment and information on ways in which the Rule could be modified to reduce any costs or burdens for small entities consistent with the Recovery Act's mandated requirements.
VI. Instructions for Submitting Comments
You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before
Because of the agency's heightened security screening, postal mail addressed to the Commission is subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. To make sure the Commission considers your online comment, please follow the instructions on the web-based form.
If you file your comment on paper, write "Health Breach Notification Rule, Project No. P205405" on your comment and on the envelope, and mail your comment to the following address:
Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else's
Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled "Confidential," and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record. Your comment will be kept confidential only if the
Visit the
List of Subjects in 16 CFR Part 318
Breach, Consumer protection, Health, Privacy, Reporting and recordkeeping requirements, Trade practices.
For the reasons set out in this document, the Commission proposes to amend part 318 of title 16 of the Code of Federal Regulations as follows:
1. Revise part 318 to read as follows:
PART 318--HEALTH BREACH NOTIFICATION RULE
Sec.
318.1 Purpose and scope.
318.2 Definitions.
318.3 Breach notification requirement.
318.4 Timeliness of notification.
318.5 Methods of notice.
318.6 Content of notice.
318.7 Enforcement.
318.8 Effective date.
318.9 Sunset.
Authority: 42 U.S.C. 17937 and 17953.
318.1 Purpose and scope.
(a) This part, which shall be called the "Health Breach Notification Rule," implements section 13407 of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17937. It applies to foreign and domestic vendors of personal health records, PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the
(b) This part preempts state law as set forth in section 13421 of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17951.
318.2 Definitions.
(a) Breach of security means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information. A breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.
(b) Business associate means a business associate under the Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936, as defined in 45 CFR 160.103.
(c) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
(1) Reasonably understandable. You make your notice reasonably understandable if you:
(i) Present the information in the notice in clear, concise sentences, paragraphs, and sections;
(ii) Use short explanatory sentences or bullet lists whenever possible;
(iii) Use definite, concrete, everyday words and active voice whenever possible;
(iv) Avoid multiple negatives;
(v) Avoid legal and highly technical business terminology whenever possible; and
(vi) Avoid explanations that are imprecise and readily subject to different interpretations.
(2) Designed to call attention. You design your notice to call attention to the nature and significance of the information in it if you:
(i) Use a plain-language heading to call attention to the notice;
(ii) Use a typeface and type size that are easy to read;
(iii) Provide wide margins and ample line spacing;
(iv) Use boldface or italics for key words; and
(v) In a form that combines your notice with other information, use distinctive type size, style, and graphic devices, such as shading or sidebars, when you combine your notice with other information. The notice should stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
(3) Notices on websites or within-application messaging. If you provide a notice on a web page or using within-application messaging, you design your notice to call attention to the nature and significance of the information in it if you use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the website or software application (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice, and you either:
(i) Place the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
(ii) Place a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.
(d) Electronic mail means (1) email in combination with one or more of the following: (2) text message, within-application messaging, or electronic banner.
(e) Health care services or supplies includes any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.
(f) Health care provider means a provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of medical or other health services (as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing health care services or supplies.
(g) HIPAA-covered entity means a covered entity under the Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936, as defined in 45 CFR 160.103.
(h) Personal health record means an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.
(i) PHR identifiable health information means information:
(1) That is provided by or on behalf of the individual;
(2) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual;
(3) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
(4) Is created or received by a:
(i) health care provider;
(ii) health plan (as defined in 42 U.S.C. 1320d(5));
(iii) employer; or
(iv) health care clearinghouse (as defined in 42 U.S.C. 1320d(2)).
(j) PHR related entity means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that:
(1) Offers products or services through the website, including any online service, of a vendor of personal health records;
(2) Offers products or services through the websites, including any online service, of HIPAA-covered entities that offer individuals personal health records; or
(3) Accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record.
(k) State means any of the several States, the
(l) Third party service provider means an entity that:
(1) Provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and
(2) Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.
(m) Unsecured means PHR identifiable information that is not protected through the use of a technology or methodology specified by the Secretary of
(n) Vendor of personal health records means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.
318.3 Breach notification requirement.
(a) In general. In accordance with
(1) Notify each individual who is a citizen or resident of
(2) Notify the
(3) Notify prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.
(b) Third party service providers. A third party service provider shall, following the discovery of a breach of security, provide notice of the breach to an official designated in a written contract by the vendor of personal health records or the PHR related entity to receive such notices or, if such a designation is not made, to a senior official at the vendor of personal health records or PHR related entity to which it provides services, and obtain acknowledgment from such official that such notice was received. Such notification shall include the identification of each customer of the vendor of personal health records or PHR related entity whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, acquired during such breach. For purposes of ensuring implementation of this requirement, vendors of personal health records and PHR related entities shall notify third party service providers of their status as vendors of personal health records or PHR related entities subject to this part. While some third party service providers may access unsecured PHR identifiable health information in the course of providing services, this does not render the third party service provider a PHR related entity.
(c) Breaches treated as discovered. A breach of security shall be treated as discovered as of the first day on which such breach is known or reasonably should have been known to the vendor of personal health records, PHR related entity, or third party service provider, respectively. Such vendor, entity, or third party service provider shall be deemed to have knowledge of a breach if such breach is known, or reasonably should have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of such vendor of personal health records, PHR related entity, or third party service provider.
318.4 Timeliness of notification.
(a) In general. Except as provided in paragraphs (b) (Timing of notice to
(b) Timing of notice to
(c) Burden of proof. The vendor of personal health records, PHR related entity, and third party service provider involved shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay.
(d) Law enforcement exception. If a law enforcement official determines that a notification, notice, or posting required under this part would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed. This paragraph shall be implemented in the same manner as provided under 45 CFR 164.528(a)(2), in the case of a disclosure covered under such section.
318.5 Methods of notice.
(a) Individual notice. A vendor of personal health records or PHR related entity that discovers a breach of security shall provide notice of such breach to an individual promptly, as described in
(1) Written notice at the last known address of the individual. Written notice may be sent by electronic mail if the individual has specified electronic mail as the primary method of communication. Any written notice sent by electronic mail must be Clear and Conspicuous. Where notice via electronic mail is not available or the individual has not specified electronic mail as the primary method of communication, a vendor of personal health records or PHR related entity may provide notice by first-class mail at the last known address of the individual. If the individual is deceased, the vendor of personal health records or PHR related entity that discovered the breach must provide such notice to the next of kin of the individual if the individual had provided contact information for his or her next of kin, along with authorization to contact them. The notice may be provided in one or more mailings as information is available. Exemplar notices that vendors of personal health records or PHR related entities may use to notify individuals pursuant to this paragraph are attached as Appendix A.
(2) If, after making reasonable efforts to contact all individuals to whom notice is required under
(i) Through a conspicuous posting for a period of 90 days on the home page of its website; or
(ii) In major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting shall include a toll-free phone number, which shall remain active for at least 90 days, where an individual can learn whether the individual's unsecured PHR identifiable health information may be included in the breach.
(3) In any case deemed by the vendor of personal health records or PHR related entity to require urgency because of possible imminent misuse of unsecured PHR identifiable health information, that entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (a)(1) of this section.
(b) Notice to media. As described in
(c) Notice to
318.6 Content of notice.
Regardless of the method by which notice is provided to individuals under
(a) A brief description of what happened, including: the date of the breach and the date of the discovery of the breach, if known; the potential harm that may result from the breach, such as medical or other identity theft; and the full name, website, and contact information (such as a public email address or phone number) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security, if this information is known to the vendor of personal health records or PHR related entity;
(b) A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as but not limited to full name,
(c) Steps individuals should take to protect themselves from potential harm resulting from the breach;
(d) A brief description of what the entity that experienced the breach is doing to investigate the breach, to mitigate harm, to protect against any further breaches, and to protect affected individuals, such as offering credit monitoring or other services; and
(e) Contact procedures for individuals to ask questions or learn additional information, which must include two or more of the following: toll-free telephone number; email address; website; within-application; or postal address.
318.7 Enforcement.
Any violation of this part shall be treated as a violation of a rule promulgated under section 18 of the Federal Trade Commission Act, 15 U.S.C. 57a, regarding unfair or deceptive acts or practices, and thus subject to civil penalties (as adjusted for inflation pursuant to
318.8 Effective date.
This part shall apply to breaches of security that are discovered on or after
318.9 Sunset.
If new legislation is enacted establishing requirements for notification in the case of a breach of security that apply to entities covered by this part, the provisions of this part shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.
By direction of the Commission.
Secretary.
Appendix A: Health Breach Notification Rule Exemplar Notices
The notices below are intended to be examples of notifications that entities may use, in their discretion, to notify individuals of a breach of security pursuant to the Health Breach Notification Rule. The examples below are for illustrative purposes only. You should tailor any notices to the particular facts and circumstances of your breach. While your notice must comply with the Health Breach Notification Rule, you are not required to use the notices below.
Mobile Text Message and In-App Message Exemplars
Text Message Notification Exemplar 1
Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. Visit [add non-clickable URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.
Text Message Notification Exemplar 2
You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [describe why the company shared the info] without your permission. Visit [add non-clickable URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with more information.
In-App Message Notification Exemplar 1
Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. This could include your [Add specifics--for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.
In-App Message Notification Exemplar 2
You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [if known, describe why the company shared the info] without your permission. This could include your [Add specifics--for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.
Web Banner Exemplars
Web Banner Notification Exemplar 1
Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. This could include your [Add specifics--for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information.
* Recommend: Include a clear "Take action" call-to-action button, such as the example below:
See illustration in Original Document.
Web Banner Notification Exemplar 2
You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [if known, describe why the company shared the info] without your permission. This could include your [Add specifics--for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information.
* Recommend: Include a clear "Take action" call-to-action button, such as the example below:
See illustration in Original Document.
Email Exemplars
Exemplar Email Notice 1
Email Sender: [Company] <company email>
Email Subject Line: [Company] Breach of Your Health Information
We are contacting you because an attacker recently gained unauthorized access to our system and stole health information about our customers, including you.
What happened and what it means for you
On [
A hacker could use your information now or at a later time to commit identity theft or could sell your information to other criminals. For example, a criminal could get medical care in your name or change your medical records or run up bills in your name.
What you can do to protect yourself
You can take steps now to reduce the risk of identity theft.
1. Review your medical records, statements, and bills for signs that someone is using your information. Under the health privacy law known as HIPAA, you have the right to access your medical records. Get your records and review them for any treatments or doctor visits you don't recognize. If you find any, report them to your healthcare provider in writing. Then go to www.IdentityTheft.gov/steps to see what other steps you can take to limit the damage.
Also review the Explanation of Benefits statement your insurer sends you when it pays for medical care.
Some criminals wait before using stolen information so keep monitoring your benefits and bills.
2. Review your credit reports for errors. You can get your free credit reports from the three credit bureaus at www.annualcreditreport.com or call 1-877-322-8228. Look for medical billing errors, like medical debt collection notices that you don't recognize. Report any medical billing errors to all three credit bureaus by following the "What To Do Next" steps on www.IdentityTheft.gov.
3. Sign up for free credit monitoring to detect suspicious activity. Credit monitoring detects and alerts you about activity on your credit reports. Activity you don't recognize could be a sign that someone stole your identity. We're offering free credit monitoring for two years through [name of service]. Learn more and sign up at [URL].
4. Consider freezing your credit report or placing a fraud alert on your credit report. A credit report freeze means potential creditors can't get your credit report without your permission. That makes it less likely that an identity thief can open new accounts in your name. A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it.
A fraud alert will make it harder for someone to open a new credit account in your name. It tells creditors to contact you before they open any new accounts in your name or change your accounts. A fraud alert lasts for one year. After a year, you can renew it.
To freeze your credit report, contact each of the three credit bureaus, Equifax, Experian, and
To place a fraud alert, contact any one of the three credit bureaus, Equifax, Experian, and
Credit bureau contact information
Equifax, www.equifax.com/personal/credit-report-services, 1-800-685-1111
Experian, www.experian.com/help, 1-888-397-3742
Learn more about how credit report freezes and fraud alerts can protect you from identity theft or prevent further misuse of your personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.
What we are doing in response
We hired security experts to secure our system. We are working with law enforcement to find the attacker. And we are investigating whether we made mistakes that made it possible for the attackers to get in.
Learn more about the breach
Go to [URL] to learn more about what happened and what you can do to protect yourself. If we have any updates, we will post them there.
If you have questions or concerns, call us at [telephone number], email us at [address], or go to [URL].
Sincerely,
[Role], [Company]
Exemplar Email Notice 2
Email Sender: [Company] <company email>
Email Subject Line: Unauthorized disclosure of your health information by [Company]
We are contacting you because you use our company's app [name of app]. When you downloaded our app, we promised to keep your personal health information private. Instead, we disclosed health information about you to another company without your approval.
What happened?
We told Company XYZ (insert website address of Company XYZ) that you use our app, and between [
We gave Company XYZ this information so they could use it for advertising and marketing purposes. For example, to target you for ads for cancer drugs.
You may contact Company XYZ at [insert contact info, such as email or phone] for more information.
What we are doing in response
We will stop selling or sharing your health information with other companies. We will stop using your health information for advertising or marketing purposes. We have asked Company XYZ to delete your health information, but it's possible they could continue to use it for advertising and marketing.
What you can do
We made important changes to our app to fix this problem. Download the latest updates to our app then review your privacy settings. You can also contact Company XYZ to request that it delete your data.
Learn more
Learn more about our privacy and security practices at [URL]. If we have any updates, we will post them there.
If you have any questions or concerns, call us at [telephone number] or email us at [address].
Sincerely,
[Role], [Company]
Exemplar Email Notice 3
Email Sender: [Company] <company email>
Email Subject Line: [Company] Breach of Your Health Information
We are contacting you about a breach of your health information collected through the [product], a device sold by our company, [Company].
What happened? On [
What you can do to protect yourself
You can take steps now to reduce the risk of identity theft.
1. Get your free credit report and review it for signs of identity theft. Order your free credit report at www.annualcreditreport.com. Review it for accounts and activity you don't recognize. Recheck your credit reports periodically.
2. Consider freezing your credit report or placing a fraud alert on your credit report. A credit report freeze means potential creditors can't get your credit report without your permission. That makes it less likely that an identity thief can open new accounts in your name. A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it.
A fraud alert will make it harder for someone to open a new credit account in your name. It tells creditors to contact you before they open any new accounts in your name or change your accounts. A fraud alert lasts for one year. After a year, you can renew it.
To freeze your credit report, contact each of the three credit bureaus, Equifax, Experian, and
To place a fraud alert, contact any one of the three credit bureaus, Equifax, Experian, and
Credit bureau contact information
Equifax, www.equifax.com/personal/credit-report-services, 1-800-685-1111
Experian, www.experian.com/help, 1-888-397-3742
Learn more about how credit report freezes and fraud alerts can protect you from identity theft or prevent further misuse of your personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.
3. Sign up for free credit monitoring to detect suspicious activity. Credit monitoring detects and alerts you about activity on your credit reports. Activity you don't recognize could be a sign that someone stole your identity. We're offering free credit monitoring for two years through [name of service]. Learn more and sign up at [URL].
What we are doing in response
We are investigating our mistakes. We know the database shouldn't have been online and it should have been encrypted. We are making changes to prevent this from happening again.
We are working with experts to secure our system. We are reviewing our databases to make sure we store health information securely.
Learn more about the breach
Go to [URL] to learn more about what happened and what you can do to protect yourself. If we have any updates, we will post them there.
If you have questions or concerns, call us at [telephone number], email us at [address], or go to [URL].
Sincerely,
[Role], [Company]
[FR Doc. 2023-12148 Filed 6-8-23;
BILLING CODE 6750-01-P