By: Christopher A. Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA
A Health Law Defense and Compliance Firm
As technology continues to weave deeper into the fabric of healthcare, the Federal Trade Commission (FTC) has taken a decisive step to protect consumer data with the recent expansion of the Health Breach Notification Rule (HBNR). This pivotal update extends the rule’s reach beyond traditional health records to encompass health apps and similar technologies, addressing the evolving landscape where digital health data proliferates.
Expanded Definitions and Scope
In the past, definitions within the HBNR were more constrained, primarily covering entities directly within the healthcare sector. However, with the final rule that came into effect in April 2024, the FTC has broadened these definitions to ensure comprehensive coverage. This includes updates to what constitutes ‘Personal health records (PHR) identifiable information,’ now clarifying that unique identifiers used in conjunction with health data can trigger PHR applicability. This change makes the rule applicable to a multitude of health apps and technologies not previously covered.
Moreover, the term ‘covered health care provider’ has been redefined to include not just traditional healthcare providers but also operators of websites, apps, and devices that manage health-related data. This definition ensures that entities providing services that tangentially relate to health are now under the umbrella of HBNR, reinforcing the security and privacy framework around consumer health data.
Understanding ‘Breach of Security’
One of the most critical updates in the final rule is the redefinition of what constitutes a ‘breach of security.’ Now, the FTC considers not only unauthorized third-party disclosures but also internal misuses of data as breaches. This includes situations where data is collected for a legitimate purpose but later used for an unauthorized secondary purpose. It’s a significant shift that aims to address complex scenarios where data might be exploited beyond the consumer’s initial consent.
Implications for Health Apps and Tech Companies
The implications of these changes are profound for developers and operators of health-related apps and technologies. They will need to scrutinize their data handling and security policies to ensure compliance with the updated HBNR. The rule mandates that vendors of PHR and related entities must now also notify their third-party service providers about the data they handle, ensuring all parties involved in data processing are aware of their obligations under the HBNR.
Strengthening Consumer Trust
Ultimately, the FTC’s updated rule aims to fortify consumer trust in digital health technologies. By ensuring that health apps and related technologies uphold stringent data protection standards, the FTC is not just responding to the current needs of digital health consumers but also anticipating future challenges in health data security.
Navigating Compliance
For entities affected by these changes, understanding and navigating the new compliance landscape will be crucial. At Parrella Health Law, we specialize in helping healthcare providers and tech companies understand their legal obligations and implement the necessary practices to comply with evolving regulations. If you have questions about how these changes might affect your operations or need assistance with compliance strategies, don’t hesitate to reach out. For further inquiries, you can contact us at Parrella Health Law at 857.328.0382 or email me at cparrella@parrellahealthlaw.com. We’re here to help you navigate these changes with confidence, ensuring that your practices not only comply with the law but also protect the interests and rights of your consumers.

Christopher Parrella, Esq., CPC, CHC, CPCO, is the founding partner of Parrella Health Law in Boston, Mass. The firm focuses exclusively on healthcare defense and compliance matters. Chris also travels the country on behalf of a wide range of healthcare organizations, lecturing on a variety of health care enforcement and compliance topics. Chris is one of a handful of health care attorneys who are also Certified Professional Coders (CPC) and is a member of the AAPC’s National Legal Advisory Board and Ethics Committee. He is also a Certified Professional Compliance Officer (CPCO) and Certified in Health Care Compliance (CHC).
