[Federal Register Volume 85, Number 100 (Friday, May 22, 2020)]
[Proposed Rules]
[Pages 31085-31087]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-10263]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 318


Health Breach Notification

AGENCY: Federal Trade Commission.

ACTION: Regulatory review; request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') 
requests public comment on its Health Breach Notification Rule (the 
``HBN Rule'' or the ``Rule''). The Commission is soliciting comment as 
part of the FTC's systematic review of all current Commission 
regulations and guides.

DATES: Written comments must be received on or before August 20, 2020.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the Request for Comment part of the SUPPLEMENTARY INFORMATION 
section below. Write ``Health Breach Notification Rule, 16 CFR part 
318, Project No. P205405,'' on your comment and file your comment 
online at https://www.regulations.gov by following the instructions on 
the web-based form. If you prefer to file your comment on paper, mail 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 
20024.

FOR FURTHER INFORMATION CONTACT: Elisa Jillson (202-326-3001), Division 
of Privacy and Identity Protection, Bureau of Consumer Protection, 
Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 
20580.

SUPPLEMENTARY INFORMATION: 

I. Background

    The Commission typically reviews its rules every ten years to 
ensure that the rules have kept up with changes in the marketplace, 
technology, and business models.\1\ The Commission issued the HBN Rule 
in 2009, and companies were subject to enforcement beginning in 2010. 
The Commission now requests comment on the HBN Rule, including the 
costs and benefits of the Rule, and whether particular sections should 
be retained, eliminated, or modified. All interested persons are hereby 
given notice of the opportunity to submit written data, views, and 
arguments concerning the Rule.
---------------------------------------------------------------------------

    \1\ See current ten-year schedule for review of FTC rules and 
guides at 85 FR 20889 (Apr. 15, 2020).
---------------------------------------------------------------------------

    The HBN Rule, issued pursuant to section 13407 of the American 
Recovery and Reinvestment Act of 2009 (``Recovery Act'' or ``the 
Act''),\2\ became effective on August 25, 2009,\3\ and companies were 
subject to FTC enforcement beginning on February 22, 2010. Section 
13407 of the Recovery Act created certain protections for ``personal 
health records'' or ``PHRs,'' electronic records of identifiable health 
information that can be drawn from multiple sources and that are 
managed, shared, and controlled by or primarily for the individual. 
Specifically, the Recovery Act recognized that vendors of personal 
health records and PHR related entities (i.e., companies that offer 
products and services through PHR websites or access information in or 
send information to PHRs) were collecting consumers' health information 
but were not subject to the privacy and security requirements of the 
Health Insurance Portability and Accountability Act (``HIPAA'').\4\ The 
Recovery Act directed the FTC to issue a rule requiring these entities, 
and their third-party service providers, to provide notification of any 
breach of unsecured individually identifiable health information. 
Accordingly, the HBN Rule requires vendors of PHRs and PHR related 
entities to provide: (1) Notice to consumers whose unsecured 
individually identifiable health information has been breached; (2) 
notice to the media, in many cases; and (3) notice to the Commission. 
The Rule also requires third party service providers (i.e., those 
companies that provide services such as billing or data storage) to 
vendors of PHRs and PHR related entities to provide notification to 
such vendors and entities following the discovery of a breach.
---------------------------------------------------------------------------

    \2\ Public Law 111-5, 123 Stat. 115 (2009).
    \3\ 74 FR 42962 (Aug. 25, 2009).
    \4\ Health Insurance Portability & Accountability Act, Public 
Law 104-191, 110 Stat. 1936 (1996).
---------------------------------------------------------------------------

    The Rule requires notice ``without unreasonable delay and in no 
case later than 60 calendar days'' after discovery of a data breach. If 
the breach affects 500 or more individuals, notice to the FTC must be 
provided ``as soon as possible and in no case later than ten business 
days'' after discovery of the breach. The FTC makes available a 
standard form for companies to use to notify the Commission of a 
breach.\5\ The FTC posts a list of breaches involving 500 or more 
individuals on its website.\6\ This list only includes two breaches, 
because the Commission has predominantly received notices about 
breaches affecting fewer than 500 individuals.
---------------------------------------------------------------------------

    \5\ Notice of Breach of Health Information, https://www.ftc.gov/system/files/documents/plain-language/2017_5_2_breach_notification_form.pdf.
    \6\ Breach Notices Received by the FTC, https://www.ftc.gov/system/files/documents/plain-language/draft_breach_notices_received_by_ftc_2015.pdf.
---------------------------------------------------------------------------

    Importantly, the Rule does not apply to health information secured 
through technologies specified by the Department of Health and Human 
Services (``HHS'') and it does not apply to businesses or organizations 
covered by HIPAA. HIPAA-covered entities and their ``business 
associates'' must instead comply with HHS's breach 
notification rule.\7\ The FTC has not had occasion to enforce its Rule 
because, as the PHR market has developed over the past decade, most PHR 
vendors, related entities, and service providers have been HIPAA-
covered entities or ``business associates'' subject to HHS's rule.\8\ 
However, as consumers turn towards direct-to-consumer technologies for 
health information and services (such as mobile health applications, 
virtual assistants, and platforms' health tools), more companies may be 
covered by the FTC's Rule.
---------------------------------------------------------------------------

    \7\ HIPAA Breach Notification Rule, 45 CFR 164.400-414, 
available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
    \8\ Id.
---------------------------------------------------------------------------

II. Rule Review

    The Commission periodically reviews all of its rules and guides. 
These reviews seek information about the costs and benefits of the 
Commission's rules and guides and their regulatory and economic impact. 
The information obtained assists the Commission in identifying those 
rules and guides that warrant modification. Therefore, the Commission 
solicits comments on, among other things, the economic impact and 
benefits of the Rule; possible conflict between the Rule and state, 
local, or other federal laws or regulations; and the effect on the Rule 
of any technological, economic, or other industry changes.

III. Questions Regarding the HBN Rule

    The Commission invites members of the public to comment on any 
issues or concerns they believe are relevant or appropriate to the 
Commission's review of the HBN Rule, and to submit written data, views, 
facts, and arguments addressing the Rule. All comments should be filed 
as prescribed in the ADDRESSES section of this document, and must be 
received by August 20, 2020. If your comment proposes any modifications 
to the Rule, please also address whether your proposed modification may 
conflict with the statutory provisions of the Recovery Act and, if so, 
whether you propose seeking legislative changes to the Recovery Act. 
The Commission is particularly interested in comments addressing the 
following questions:

A. General Issues

    1. Is there a continuing need for specific provisions of the Rule? 
Why or why not?
    2. What benefits has the Rule provided to consumers? What evidence 
supports the asserted benefits?
    3. What modifications, if any, should be made to the Rule to 
increase the benefits to consumers?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the costs the Rule imposes 
on businesses, including small businesses?
    4. What significant costs, if any, has the Rule imposed on 
consumers? What evidence supports the asserted costs?
    5. What modifications, if any, should be made to the Rule to reduce 
any costs imposed on consumers?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the benefits provided by 
the Rule?
    6. What benefits, if any, has the Rule provided to businesses, 
including small businesses? What evidence supports the asserted 
benefits?
    7. What modifications, if any, should be made to the Rule to 
increase its benefits to businesses, including small businesses?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the costs the Rule imposes 
on businesses, including small businesses?
    c. How would these modifications affect the benefits to consumers?
    8. What significant costs, if any, including costs of compliance, 
has the Rule imposed on businesses, including small businesses? What 
evidence supports the asserted costs?
    9. What modifications, if any, should be made to the Rule to reduce 
the costs imposed on businesses, including small businesses?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the benefits the Rule 
provides to consumers?
    10. What evidence is available concerning the degree of industry 
compliance with the Rule?
    11. What modifications, if any, should be made to the Rule to 
account for changes in relevant technology, economic conditions, or 
laws? For example, as the healthcare industry adopts standardized 
application programming interfaces (``APIs'') to help individuals to 
access their electronic health information with smartphones and other 
mobile devices (as required by rules implementing the 21st Century 
Cures Act \9\), will the number of entities subject to the Commission's 
HBN Rule increase?
---------------------------------------------------------------------------

    \9\ 45 CFR parts 170 and 171.
---------------------------------------------------------------------------

    a. What evidence supports the proposed modifications?
    12. Are there modifications or changes the Commission should make 
to the Rule to address any developments in health care products or 
services related to COVID-19?
    13. Does the Rule overlap or conflict with other federal, state, or 
local laws or regulations? If so, how?
    a. What evidence supports the asserted conflicts?
    b. With reference to the asserted conflicts, should the Rule be 
modified? If so, why, and how? If not, why not?

B. Specific Issues

    1. What evidence exists that the Rule has resulted in under-
notification, over-notification, or an efficient level of notification?
    2. Section 318.1 provides that the Rule does not apply to HIPAA-
covered entities or to any other entity to the extent that it engages 
in activities as a business associate of a HIPAA-covered entity. Has 
this limitation helped to harmonize the Commission's HBN Rule with 
HHS's rule? Why or why not?
    3. Do the definitions set forth in Sec. 318.2 of the Rule 
accomplish the Recovery Act's goal of advancing the use of health 
information technology while strengthening the privacy and security 
protections for health information?
    4. Are the definitions in Sec. 318.2 clear and appropriate? If 
not, how can they be improved, consistent with the Act's 
requirements?
    5. Should the definition of ``PHR identifiable health information'' 
in Sec. 318.2(d) be modified in light of technological advances in 
methods of de-identification and re-identification? If so, how, 
consistent with the Act's requirements?
    6. Should the definitions of ``PHR related entity'' in Sec. 
318.2(f), ``Third party service provider'' in Sec. 318.2(h), or 
``Vendor of personal health records'' in Sec. 318.2(j) be modified 
in light of changing technological 
and economic conditions, such as the proliferation of mobile health 
applications (``apps''), virtual assistants offering health services, 
and platforms' health tools? If so, how, consistent with the Act's 
requirements?
    7. Section 318.4 sets out the timing requirements for notification. 
Are these requirements clear and appropriate? If not, how can they be 
improved, consistent with the Act's requirements?
    8. Section 318.5 sets out the requirements for the method of notice 
of a breach. Are these requirements clear and appropriate? Do 
technological changes, such as the increased use of 
in-app messaging, text messages, and platform messaging, warrant any 
changes to this section, consistent with the Act's requirements?
    9. Section 318.6 sets out the requirements for the content of 
notice of a breach. Are these requirements clear and appropriate? If 
not, how can they be improved, consistent with the Act's requirements?
    10. What are the implications (if any) for enforcement of the Rule 
raised by direct-to-consumer technologies and services such as mobile 
health apps, virtual assistants, and platforms' health tools?

IV. Instructions for Submitting Comments

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before August 20, 2020. 
Please write ``Health Breach Notification Rule, 16 CFR part 318, 
Project No. P205405'' on the comment. Because of the public health 
emergency in response to the COVID-19 outbreak and the agency's 
heightened security screening, postal mail addressed to the Commission 
will be subject to delay. We strongly encourage you to submit your 
comment online through the https://www.regulations.gov website. To 
ensure the Commission considers your online comment, please follow the 
instructions on the web-based form provided by regulations.gov. Your 
comment, including your name and your state, will be placed on the 
public record of this proceeding, including the https://www.regulations.gov website.
    If you file your comment on paper, please write ``Health Breach 
Notification Rule, 16 CFR part 318, Project No. P205405'' on your 
comment and on the envelope, and mail your comment to the following 
address: Federal Trade Commission, Office of the Secretary, 600 
Pennsylvania Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, 
or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Constitution Center, 400 7th 
Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024.
    Because your comment will be placed on the public record, you are 
solely responsible for making sure that your comment does not include 
any sensitive or confidential information. In particular, your comment 
should not include any sensitive personal information, such as your or 
anyone else's Social Security number; date of birth; driver's license 
number or other state identification number, or foreign country 
equivalent; passport number; financial account number; or credit or 
debit card number. You are also solely responsible for making sure that 
your comment does not include any sensitive health information, such as 
medical records or other individually identifiable health information. 
In addition, your comment should not include any ``trade secret or any 
commercial or financial information which . . . . is privileged or 
confidential''--as provided by section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)--including in 
particular competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. Your comment will be kept confidential only if the 
General Counsel grants your request in accordance with the law and the 
public interest. Once your comment has been posted publicly at 
www.regulations.gov, we cannot redact or remove your comment unless you 
submit a confidentiality request that meets the requirements for such 
treatment under FTC Rule 4.9(c), and the General Counsel grants that 
request.
    Visit the Commission website at https://www.ftc.gov to read this 
document and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before August 20, 2020. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020-10263 Filed 5-21-20; 8:45 am]
 BILLING CODE 6750-01-P