A version of this article was published in the August edition of Healthcare News.
The Federal Trade Commission (FTC) announced changes to the Health Breach Notification Rule (HBNR) in April 2024 that broadly apply to digital health, health apps, and the like, and that expand the rule to apply to vendors of public health information and related entities in addition to covered healthcare entities under HIPAA. The intent of the rule is to protect individuals using health data apps and devices, and it expands what covered entities must tell consumers if there’s been a breach of their data. These changes will go into effect on July 29, 2024, following their publication in the Federal Register on May 30, 2024.
Protecting patient privacy is garnering much regulatory attention after the Change Healthcare and HealthEquity data breach incidents. The emergence of digital health records, telemedicine, and wearable health technology makes safeguarding patient information a significant challenge.
Understanding the FTC’s role in healthcare privacy protection, its regulatory powers, and how the new HBNR changes impact breach response protocols can help affected organizations prepare to meet the new reporting requirements effectively.
The FTC’s role
The FTC was established in 1914 with a mandate to protect consumers and promote competition. Over the years, its role has expanded to include the oversight of privacy and data security practices across various industries.


