[Federal Register Volume 89, Number 105 (Thursday, May 30, 2024)]
[Rules and Regulations]
[Pages 47028-47064]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-10855]



[[Page 47027]]

Vol. 89

Thursday,

No. 105

May 30, 2024

Part III





Federal Trade Commission





-----------------------------------------------------------------------





16 CFR Part 318





Health Breach Notification Rule; Final Rule

  Federal Register / Vol. 89 , No. 105 / Thursday, May 30, 2024 / Rules 
and Regulations  

[[Page 47028]]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 318

RIN 3084-AB56


Health Breach Notification Rule

AGENCY: Federal Trade Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is 
amending the Commission's Health Breach Notification Rule (the ``HBN 
Rule'' or the ``Rule''). The HBN Rule requires vendors of personal 
health records (``PHRs'') and related entities that are not covered by 
the Health Insurance Portability and Accountability Act (``HIPAA'') to 
notify individuals, the FTC, and, in some cases, the media of a breach 
of unsecured personally identifiable health data.

DATES: The amendments are effective July 29, 2024.

ADDRESSES: Relevant portions of the record of this proceeding, 
including this document, are available at https://www.ftc.gov and 
https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Ryan Mehm, (202) 326-2918, 
[email protected], and Ronnie Solomon, (202) 326-2098, [email protected], 
Bureau of Consumer Protection, Federal Trade Commission.

SUPPLEMENTARY INFORMATION: The amendments: (1) clarify the Rule's 
scope, including its coverage of developers of many health applications 
(``apps''); (2) clarify what it means for a vendor of personal health 
records to draw PHR identifiable health information from multiple 
sources; (3) revise the definition of breach of security to clarify 
that a breach of security includes data security breaches and 
unauthorized disclosures; (4) revise the definition of PHR related 
entity; (5) modernize the method of notice; (6) expand the content of 
the notice; (7) alter the Rule's timing requirement for notifying the 
FTC of a breach of security; and (8) improve the Rule's readability by 
clarifying cross-references and adding statutory citations, 
consolidating notice and timing requirements, articulating the 
penalties for non-compliance, and incorporating a small number of non-
substantive changes.

I. Background

    Congress enacted the American Recovery and Reinvestment Act of 2009 
(``Recovery Act'' or ``the Act''),\1\ in part to advance the use of 
health information technology and, at the same time, strengthen privacy 
and security protections for health information. Recognizing that 
certain entities that hold or interact with consumers' personal health 
records were not subject to the privacy and security requirements of 
HIPAA,\2\ Congress created requirements for such entities to notify 
individuals, the Commission, and, in some cases, the media of the 
breach of unsecured identifiable health information from those records.
---------------------------------------------------------------------------

    \1\ Am. Recovery and Reinvestment Act of 2009, Public Law 111-5, 
123 Stat. 115 (2009).
    \2\ Health Ins. Portability and Accountability Act, Public Law 
104-191, 110 Stat. 1936 (1996).
---------------------------------------------------------------------------

    Specifically, section 13407 of the Recovery Act created certain 
protections for ``personal health records'' or ``PHRs,'' \3\ electronic 
records of PHR identifiable health information on an individual that 
can be drawn from multiple sources and that are managed, shared, and 
controlled by or primarily for the individual.\4\ Congress recognized 
that vendors of personal health records and PHR related entities (i.e., 
companies that offer products and services through PHR websites or 
access information in or send information to personal health records) 
were collecting consumers' health information but were not subject to 
the privacy and security requirements of HIPAA. Accordingly, the 
Recovery Act directed the FTC to issue a rule requiring these non-HIPAA 
covered entities, and their third party service providers, to provide 
notification of any breach of unsecured PHR identifiable health 
information. The Commission issued its Rule implementing these 
provisions in 2009.\5\ FTC enforcement of the Rule began on February 
22, 2010.
---------------------------------------------------------------------------

    \3\ 42 U.S.C. 17937.
    \4\ 42 U.S.C. 17921(11).
    \5\ 74 FR 42962 (Aug. 25, 2009) (``2009 Final Rule'').
---------------------------------------------------------------------------

    The Rule the Commission issued in 2009 (``2009 Rule'') requires 
vendors of personal health records and PHR related entities to provide: 
(1) notice to consumers whose unsecured PHR identifiable health 
information has been breached; (2) notice to the Commission; and (3) 
notice to prominent media outlets \6\ serving a State or jurisdiction, 
in cases where 500 or more residents are confirmed or reasonably 
believed to have been affected by a breach.\7\ The Rule also requires 
third party service providers (i.e., those companies that provide 
services such as billing, data storage, attribution, or analytics) to 
vendors of personal health records and PHR related entities to provide 
notification to such vendors and entities following the discovery of a 
breach.\8\
---------------------------------------------------------------------------

    \6\ The Recovery Act does not limit this notice to particular 
types of media. Thus, an entity can satisfy the requirement to 
notify ``prominent media outlets'' by, for example, disseminating 
press releases to a number of media outlets, including internet 
media in appropriate circumstances, where most of the residents of 
the relevant State or jurisdiction get their news. This will be a 
fact-specific inquiry that will depend on what media outlets are 
``prominent'' in the relevant jurisdiction. 74 FR 42974.
    \7\ 16 CFR 318.3, 318.5.
    \8\ Id. Sec.  318.3(b).
---------------------------------------------------------------------------

    The 2009 Rule requires notice to individuals ``without unreasonable 
delay and in no case later than 60 calendar days'' after discovery of a 
data breach.\9\ If the breach affects 500 or more individuals, notice 
to the FTC must be provided ``as soon as possible and in no case later 
than ten business days'' after discovery of the breach.\10\ The FTC 
makes available a standard form for companies to use to notify the 
Commission of a breach,\11\ and posts a list of breaches involving 500 
or more individuals on its website.\12\
---------------------------------------------------------------------------

    \9\ Id. Sec.  318.4(a).
    \10\ Id. Sec.  318.5(c).
    \11\ Fed. Trade Comm'n, Notice of Breach of Health Information, 
https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/health_breach_form.pdf.
    \12\ Fed. Trade Comm'n, Notices Received by the FTC Pursuant to 
the Health Breach Notification Rule, https://www.ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf (last 
visited Dec. 2, 2022).
---------------------------------------------------------------------------

    The 2009 Rule applies only to breaches of ``unsecured'' health 
information, which the Rule defines as health information that is not 
secured through technologies or methodologies specified by the 
Department of Health and Human Services (``HHS''). The Rule does not 
apply to businesses or organizations covered by HIPAA.\13\ HIPAA-
covered entities and their ``business associates'' must instead comply 
with HHS's breach notification rule.\14\
---------------------------------------------------------------------------

    \13\ Per HHS guidance, electronic health information is 
``secured'' if it has been encrypted according to certain 
specifications set forth by HHS, or if the media on which electronic 
health information has been stored or recorded is destroyed 
according to HHS specifications. See 74 FR 19006; see also U.S. 
Dep't of Health & Human Servs., Guidance to Render Unsecured 
Protected Health Information Unusable, Unreadable, or Indecipherable 
to Unauthorized Individuals (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html. PHR 
identifiable health information would be considered ``secured'' if 
such information is disclosed by, for example, a vendor of personal 
health records, to a PHR related entity or a third party service 
provider, in an encrypted format meeting HHS specifications, and the 
PHR related entity or third party service provider stores the data 
in an encrypted format that meets HHS specifications and also stores 
the encryption and/or decryption tools on a device or at a location 
separate from the data.
    \14\ 45 CFR 164.400 through 164.414.

---------------------------------------------------------------------------

[[Page 47029]]

    Since the Rule's issuance, apps and other direct-to-consumer health 
technologies, such as fitness trackers and wearable blood pressure 
monitors, have become commonplace.\15\ Further, as an outgrowth of the 
COVID-19 pandemic, consumer use of such health-related technologies has 
increased significantly.\16\
---------------------------------------------------------------------------

    \15\ See, e.g., Kokou Adzo, App Development in Healthcare: 12 
Exciting Facts, TechnoChops (Jan. 3, 2023), https://www.technochops.com/programming/4329/app-development-in-healthcare/; 
Emily Olsen, Digital health apps balloon to more than 350,000 
available on the market, according to IQVIA report, MobiHealthNews 
(Aug. 4, 2021), https://www.mobihealthnews.com/news/digital-health-apps-balloon-more-350000-available-market-according-iqvia-report; 
Elad Natanson, Healthcare Apps: A Boon, Today and Tomorrow, Forbes 
(July 21, 2020), https://www.forbes.com/sites/eladnatanson/2020/07/21/healthcare-apps-a-boon-today-and-tomorrow/?sh=21df01ac1bb9.
    \16\ See id. See also Lis Evenstad, Covid-19 has led to a 25% 
increase in health app downloads, research shows, ComputerWeekly.com 
(Jan. 12, 2021), https://www.computerweekly.com/news/252494669/Covid-19-has-led-to-a-25-increase-in-health-app-downloads-research-shows (finding that COVID-19 has led to a 25% increase in health app 
downloads); Jasmine Pennic, U.S. Telemedicine App Downloads Spikes 
During COVID-19 Pandemic, HIT Consultant (Sept. 8, 2020), https://hitconsultant.net/2020/09/08/u-s-telemedicine-app-downloads-spikes-during-covid-19-pandemic/ (``US telemedicine app downloads see 
dramatic increases during the COVID-19 pandemic, with some seeing an 
8,270% rise YoY.'').
---------------------------------------------------------------------------

    In May 2020, the Commission announced its regular, ten-year review 
of the Rule and requested public comment about potential Rule 
changes.\17\ The Commission requested comment on, among other things, 
whether changes should be made to the Rule in light of technological 
changes, such as the proliferation of apps and similar technologies. 
The Commission received 26 public comments.\18\
---------------------------------------------------------------------------

    \17\ 85 FR 31085 (May 22, 2020).
    \18\ Comments are available at https://www.regulations.gov/docket/FTC-2020-0045/comments.
---------------------------------------------------------------------------

    Many of the commenters in 2020 encouraged the Commission to clarify 
that the Rule applies to apps and similar technologies.\19\ In fact, no 
commenter opposed this type of clarification regarding the Rule's 
coverage of health apps. Several commenters pointed out examples of 
health apps that have abused users' privacy, such as by disclosing 
sensitive health information without consent.\20\ Several commenters 
noted the urgency of this issue, as consumers have further embraced 
digital health technologies during the COVID-19 pandemic.\21\ 
Commenters argued the Commission should take additional steps to 
protect unsecured PHR identifiable health information that is not 
covered by HIPAA, both to prevent harm to consumers \22\ and to level 
the competitive playing field among companies dealing with the same 
health information.\23\ To that end, commenters not only urged the 
Commission to revise the Rule, but also to increase its enforcement 
efforts.\24\
---------------------------------------------------------------------------

    \19\ E.g., Am. Health Info. Mgmt. Ass'n (``AHIMA'') at 2; Kaiser 
Permanente at 3; Allscripts at 3; Am. Acad. of Ophthalmology at 2; 
All. for Nursing Informatics (``ANI'') at 2; Am. Med. Ass'n 
(``AMA'') at 4; Am. Coll. of Surgeons at 6; Physicians' Elec. Health 
Rec. Coal. (``PEHRC'') at 4 (``Apps that collect health information, 
regardless of whether or not they connect to an EHR, must be 
regulated by the FTC Health Breach Notification Rule to ensure the 
safety and security of personal health information.''); Am.'s Health 
Ins. Plans (``AHIP'') and Blue Cross Blue Shield Ass'n (``BCBS'') at 
2; The App Ass'n's Connected Health Initiative (``CHI'') at 3.
    \20\ Kaiser Permanente at 7; The Light Collective at 2; Am. 
Acad. of Ophthalmology at 2; PEHRC at 2-3.
    \21\ Lisa McKeen at 2-3; Kaiser Permanente at 7-8; AMA at 3; 
Off. of the Att'y Gen. for the State of Cal. (``OAG-CA'') at 3-4; 
Healthcare Info. and Mgmt. Sys. Soc'y (``HIMSS'') and Personal 
Connected Health All. (``PCH Alliance'') at 4-5.
    \22\ Georgia Morgan; Am. Acad. of Ophthalmology at 2-3 (arguing 
that consumers do not know all the ways their data is being used by 
third parties, and the downstream consequences of data being used in 
this way may ultimately erode a patient's privacy and willingness to 
disclose information to his or her physician); Coll. of Healthcare 
Info. Mgmt. Exec.'s (``CHIME'') at 3 (arguing that apps' privacy 
practices impact the patient-provider relationship because providers 
do not know what technologies are sufficiently trustworthy for their 
patients); AMA at 2-3 (expressing concern that patients share less 
health data with health care providers, perhaps because of 
``spillover from privacy and security breaches'').
    \23\ Kaiser Permanente at 2, 4; Workgroup for Elec. Data 
Interchange (``WEDI'') at 2; AHIP and BCBS at 3 (``[HIPAA] covered 
entities, such as health plans, that use or disclose protected 
health information should not be subject to stricter notification 
requirements than those imposed on vendors of personal health 
records or other such entities. Otherwise, the Federal government 
will be providing market advantages to particular industry segments 
with the effect of dampening competition and harming consumers.'').
    \24\ Kaiser Permanente at 4; Fred Trotter at 1; Casey Quinlan at 
1; CARIN Alliance at 2. At the time of this document's publication, 
the Commission has brought two enforcement actions under the Rule; 
the first against digital health company GoodRx Holdings, Inc., and 
the second against an ovulation-tracking mobile app marketed under 
the name ``Premom'' and developed by Easy Healthcare, Inc. United 
States v. GoodRx Holdings, Inc., No. 23-cv-460 (N.D. Cal. Feb. 17, 
2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc; United States v. Easy Healthcare Corp., 
No. 1:23-cv-3107 (N.D. Ill. June 22, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
---------------------------------------------------------------------------

A. The Commission's 2021 Policy Statement

    On September 15, 2021, the Commission issued a Policy Statement 
providing guidance on the scope of the Rule. The Policy Statement 
clarified that the Rule covers most health apps and similar 
technologies that are not covered by HIPAA.\25\ The Rule defines a 
``personal health record'' as ``an electronic record of PHR 
identifiable health information on an individual that can be drawn from 
multiple sources and that is managed, shared, and controlled by or 
primarily for the individual.'' \26\ As the Commission explained in the 
Policy Statement, many makers and purveyors of health apps and other 
connected devices are vendors of personal health records covered by the 
Rule because their products are electronic records of PHR identifiable 
health information.
---------------------------------------------------------------------------

    \25\ Statement of the Commission on Breaches by Health Apps and 
Other Connected Devices, Fed. Trade Comm'n (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf (``Policy Statement'').
    \26\ 16 CFR 318.2.
---------------------------------------------------------------------------

    The Commission explained that PHR identifiable health information 
includes individually identifiable health information created or 
received by a health care provider,\27\ and that ``health care 
providers'' include any entities that ``furnish[ ] health care services 
or supplies.'' \28\ Because these health app purveyors furnish health 
care services to their users through the mobile applications they 
provide, the information held in the app is PHR identifiable health 
information, and therefore many health app purveyors likely qualify as 
vendors of personal health records.\29\
---------------------------------------------------------------------------

    \27\ Id. Sec.  318.2, incorporating in part the definition from 
section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)).
    \28\ Id. Sec.  318.2; 42 U.S.C. 1320d(6), d(3).
    \29\ See Policy Statement at 1.
---------------------------------------------------------------------------

    The Policy Statement further explained that the statute directing 
the FTC to promulgate the Rule requires that a ``personal health 
record'' be an electronic record that can be drawn from multiple 
sources.\30\ Accordingly, health apps and similar technologies likely 
qualify as personal health records covered by the Rule if they are 
capable of drawing information from multiple sources. The Commission 
further clarified that health apps and other products experience a 
``breach of security'' under the Rule when they disclose users' 
sensitive health information without authorization; \31\ a breach is 
``not limited to cybersecurity intrusions or nefarious behavior.'' \32\
---------------------------------------------------------------------------

    \30\ The Policy Statement provided this example: ``[I]f a blood 
sugar monitoring app draws health information only from one source 
(e.g., a consumer's inputted blood sugar levels), but also takes 
non-health information from another source (e.g., dates from your 
phone's calendar), it is covered under the Rule.'' Id. at 2.
    \31\ 16 CFR 318.2.
    \32\ Policy Statement at 2. In the Statement of Basis and 
Purpose to the 2009 Final Rule published in the Federal Register 
(``2009 Rule Commentary''), the Commission, in addressing questions 
about how the extent of individual authorization should be 
determined, stated data sharing to enhance consumers' experience 
with a PHR is authorized only if such use is consistent with the 
entity's disclosures and individuals' reasonable expectations. For 
anything beyond such uses, the Commission expects vendors of 
personal health records and PHR related entities to limit the 
sharing of consumers' information, unless the consumers exercise 
``meaningful choice'' in allowing sharing. The Commission believes 
burying disclosures in lengthy privacy policies does not satisfy the 
standard of ``meaningful choice.'' 74 FR 42967.

---------------------------------------------------------------------------

[[Page 47030]]

B. Enforcement History

    In 2023, the Commission brought its first enforcement actions under 
the Rule against vendors of personal health records. In February 2023, 
the Commission brought an enforcement action alleging a violation of 
the Rule against GoodRx Holdings, Inc. (``GoodRx''), a digital health 
company that sells health-related products and services directly to 
consumers, including prescription medication discount products and 
telehealth services through its website and mobile applications.\33\
---------------------------------------------------------------------------

    \33\ United States v. GoodRx Holdings, Inc., No. 23-cv-460 (N.D. 
Cal. Feb. 17, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc.
---------------------------------------------------------------------------

    In its complaint, the Commission alleged that between 2017 and 
2020, GoodRx, as a vendor of personal health records, disclosed more 
than 500 consumers' unsecured PHR identifiable health information to 
third party advertising platforms like Facebook and Google, without the 
authorization of those consumers. As charged in the complaint, these 
disclosures violated explicit privacy promises the company made to its 
users about its data sharing practices (including about its sharing of 
PHR identifiable health information). The Commission alleged GoodRx 
broke these promises and disclosed its users' prescription medications 
and personal health conditions, personal contact information, and 
unique advertising and persistent identifiers. The Commission charged 
GoodRx with violating the Rule by failing to provide the required 
notifications, as prescribed by the Rule, to (1) individuals whose 
unsecured PHR identifiable health information was acquired by an 
unauthorized person, (2) the Federal Trade Commission, and (3) media 
outlets. 16 CFR 318.3 through 318.6. The Commission entered into a 
settlement that imposed injunctive relief and required GoodRx to pay a 
$1.5 million civil penalty for its alleged violation of the Rule.\34\
---------------------------------------------------------------------------

    \34\ In addition, the Commission alleged GoodRx's data sharing 
practices were deceptive and unfair, in violation of section 5 of 
the FTC Act.
---------------------------------------------------------------------------

    Similarly, on May 17, 2023, the Commission brought its second 
enforcement action under the Rule against Easy Healthcare Corporation 
(``Easy Healthcare''), a company that publishes an ovulation and period 
tracking mobile application called Premom, which allows its users to 
input and track various types of health and other sensitive data. 
Similar to the conduct alleged against GoodRx, Easy Healthcare 
disclosed PHR identifiable health information to third party companies 
such as Google and AppsFlyer, contrary to its privacy promises, and did 
not comply with the Rule's notification requirements. The Commission 
entered into a settlement that imposed injunctive relief and required 
Easy Healthcare to pay a $100,000 civil penalty for its alleged 
violation of the Rule.\35\
---------------------------------------------------------------------------

    \35\ United States v. Easy Healthcare Corporation, No. 1:23-cv-
3107 (N.D. Ill. June 22, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
---------------------------------------------------------------------------

C. Notice of Proposed Rulemaking

    Having considered the public comments on the regulatory review 
notification and its Policy Statement, on June 9, 2023, the Commission 
issued a notice of proposed rulemaking (``NPRM'') \36\ proposing to 
revise the Rule, 16 CFR part 318, in seven ways:
---------------------------------------------------------------------------

    \36\ 88 FR 37819 (``2023 NPRM'').
---------------------------------------------------------------------------

     First, the Commission proposed to revise several 
definitions in order to clarify the Rule and better explain its 
application to health apps and similar technologies not covered by 
HIPAA. Consistent with this objective, the NPRM modified the definition 
of ``PHR identifiable health information'' and added two new 
definitions (``health care provider'' and ``health care services or 
supplies''). These proposed changes were consistent with a number of 
public comments supporting the Rule's coverage of these technologies.
     Second, the Commission proposed to revise the definition 
of ``breach of security'' to clarify that a breach of security includes 
an unauthorized acquisition of PHR identifiable health information in a 
personal health record that occurs as a result of a data security 
breach or an unauthorized disclosure.
     Third, the Commission proposed to revise the definition of 
``PHR related entity'' in two ways. Consistent with its proposal to 
clarify that the Rule applies to health apps, the Commission first 
proposed clarifying the definition of ``PHR related entity'' to make 
clear that the Rule covers entities that offer products and services 
through the online services, including mobile applications, of vendors 
of personal health records. In addition, the Commission proposed 
revising the definition of ``PHR related entity'' to provide that 
entities that access or send unsecured PHR identifiable health 
information to a personal health record--rather than entities that 
access or send any information to a personal health record--are PHR 
related entities.
     Fourth, the Commission proposed to clarify what it means 
for a personal health record to draw PHR identifiable health 
information from multiple sources.
     Fifth, in response to public comments expressing concern 
that mailed notice is costly and not consistent with how consumers 
interact with online technologies like health apps, the Commission 
proposed to revise the Rule to authorize electronic notice in 
additional circumstances. Specifically, the proposed Rule adjusted the 
language in the ``method of notice section'' and added a new definition 
of the term ``electronic mail.'' The proposed Rule also required that 
any notice delivered by electronic mail be ``clear and conspicuous,'' a 
newly defined term, which aligns closely with the definition of ``clear 
and conspicuous'' codified in the FTC's Financial Privacy Rule.\37\
---------------------------------------------------------------------------

    \37\ 16 CFR 313.3(b). The FTC's Financial Privacy Rule requires 
financial institutions to provide particular notices and to comply 
with certain limitations on disclosure of nonpublic personal 
information. Using a comprehensive definition of ``clear and 
conspicuous'' based on the Financial Privacy Rule definition aims to 
ensure consistency across the Commission's privacy-related rules.
---------------------------------------------------------------------------

     Sixth, the Commission proposed to expand the required 
content of the notice to individuals, to require that consumers whose 
unsecured PHR identifiable health information has been breached receive 
additional important information, including information regarding the 
potential for harm from the breach and protections that the notifying 
entity is making available to affected consumers. In addition, the 
proposed Rule included exemplar notices, which entities subject to the 
Rule could use to notify consumers in terms that are easy to 
understand.
     Seventh, in response to public comments, the Commission 
proposed to make a number of changes to improve the Rule's readability. 
Specifically, the Commission proposed to include explanatory 
parentheticals for internal cross-references, add statutory citations 
in relevant places, consolidate notice and timing requirements in 
single sections, respectively, of the Rule, and add a new section that 
plainly states the penalties for non-compliance.
    The NPRM also included a section discussing several alternatives 
the

[[Page 47031]]

Commission considered but did not propose. Although the Commission did 
not put forth any proposed modifications on those issues, the 
Commission nonetheless sought public comment on them.
    The Commission received approximately 120 comments in response to 
the NPRM from a wide spectrum of stakeholders, including consumers, 
consumer groups, trade associations, think tanks, policy organizations, 
private sector entities, and members of Congress.\38\ As discussed in 
detail below, commenters addressed the seven topics on which the 
Commission proposed changes, responded to particular points on which 
the Commission requested comment, offered additional comment on 
alternatives that the Commission considered but did not propose, and 
provided comment on other topics. The majority of commenters expressed 
support for the Commission's proposed changes.
---------------------------------------------------------------------------

    \38\ Comments are available at https://www.regulations.gov/document/FTC-2023-0037-0001/comment.
---------------------------------------------------------------------------

    The Commission believes the amendments are consistent with the 
language and intent of the Recovery Act, address the concerns raised by 
the public comments in response to the NPRM, and will ensure the Rule 
remains current in the face of changing business practices and 
technological developments.

II. Analysis of the Final Rule

    The following discussion analyzes the amendments to the Rule.

A. Clarification of Entities Covered

1. The Commission's Proposal To Clarify the Entities Covered
    The Commission proposed changes to several definitions in Sec.  
318.2 to clarify the Rule's application to health apps and similar 
technologies not covered by HIPAA. First, the proposed Rule revised the 
definition of ``PHR identifiable health information'' to remove a 
cross-reference and instead import language from section 1171(6) of the 
Social Security Act, 42 U.S.C. 1320d(6), which is also referenced 
directly in section 13407 of the Recovery Act. The proposed Rule 
defined ``PHR identifiable health information'' as information (1) that 
is provided by or on behalf of the individual; (2) that identifies the 
individual or with respect to which there is a reasonable basis to 
believe that the information can be used to identify the individual; 
(3) relates to the past, present, or future physical or mental health 
or condition of an individual, the provision of health care to an 
individual, or the past, present, or future payment for the provision 
of health care to an individual; and (4) is created or received by a 
health care provider, health plan (as defined in 42 U.S.C. 1320d(5)), 
employer, or health care clearinghouse (as defined in 42 U.S.C. 
1320d(2)).
    The Commission explained that this proposed definition covers 
traditional health information (such as diagnoses or medications), 
health information derived from consumers' interactions with apps and 
other online services (such as health information generated from 
tracking technologies employed on websites or mobile applications or 
from customized records of website or mobile application interactions), 
as well as emergent health data (such as health information inferred 
from non-health-related data points, such as location and recent 
purchases). The Commission sought comment as to whether any further 
amendment of the definition was needed to clarify the scope of data 
covered.
    Second, the NPRM proposed to define the term ``health care 
provider'' that appears in the proposed definition of ``PHR 
identifiable health information'' (``is created or received by a health 
care provider''). The Commission proposed to define this term in a 
manner similar to the definition of ``health care provider'' found in 
42 U.S.C. 1320d(3) (and referenced in 42 U.S.C. 1320d(6), which is 
directly referenced in section 13407 of the Recovery Act), to mean a 
provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of 
medical or other health services (as defined in 42 U.S.C. 1395x(s)), or 
any other entity furnishing health care services or supplies. The 
Commission observed that this proposed definition, which is consistent 
with the statutory scheme, differs from, but does not contradict, the 
definitions or interpretations adopted by HHS. The Commission sought 
comment on defining this term more broadly than the term is used in 
other contexts.
    Third, the NPRM proposed to define ``health care services or 
supplies'' (the final term in the definition of ``health care 
provider'') to include any online service, such as a website, mobile 
application, or internet-connected device that provides mechanisms to 
track diseases, health conditions, diagnoses or diagnostic testing, 
treatment, medications, vital signs, symptoms, bodily functions, 
fitness, fertility, sexual health, sleep, mental health, genetic 
information, diet, or that provides other health-related services or 
tools. The Commission explained that this change clarified that the 
Rule applies generally to online services, including websites, apps, 
and internet-connected devices that provide health care services or 
supplies, and clarified that the Rule covers online services related 
not only to medical issues (by including in the definition terms such 
as ``diseases, diagnoses, treatment, medications'') but also wellness 
issues (by including in the definition terms such as ``fitness, sleep, 
and diet'').
    The Commission explained that these proposed changes to the 
definitions clarified that developers of health apps and similar 
technologies providing ``health care services or supplies'' qualify as 
``health care providers,'' such that any individually identifiable 
health information these products collect or use would constitute ``PHR 
identifiable health information'' covered by the Rule. The Commission 
explained that these proposed changes further clarified that a mobile 
health application can be a ``personal health record'' covered by the 
Rule and the developers of such applications can be ``vendors of 
personal health records.''
2. Public Comments Regarding the Commission's Proposal To Clarify the 
Entities Covered
    The Commission received numerous comments on the application of the 
Rule to health apps and similar technologies. A substantial number of 
commenters supported the Rule's application to health apps and similar 
technologies not covered by HIPAA as necessary in light of the 
explosion of health apps and the associated dangers to the privacy and 
security of consumers' health information.\39\ Notably, support for the

[[Page 47032]]

Commission's proposals came from a variety of commenters--industry 
associations,\40\ businesses,\41\ members of Congress,\42\ consumer or 
patient advocacy groups,\43\ individual consumers,\44\ and anonymous 
sources.\45\ Many commenters argued that safeguards for non-HIPAA 
covered health data are essential,\46\ particularly because consumers 
generally are not aware of varying legal protections for health 
data.\47\ Indeed, according to some commenters, requiring notification 
to consumers of the breach of health information not protected by HIPAA 
is precisely what Congress intended by authorizing the FTC to issue 
this Rule; the Commission's proposed changes are, therefore, consistent 
with the goals of the Recovery Act.\48\ Some commenters argued that 
Federal privacy legislation is needed to protect non-HIPAA covered 
health data, but, in the interim, the Commission should strengthen its 
Rule to protect consumer health data to the extent possible.\49\ Other 
commenters urged the Commission to take even broader measures in this 
Rule, such as imposing breach prevention measures,\50\ banning health-
based surveillance technologies or targeted advertising,\51\ banning 
selling or sharing of health data not necessary to provide patient care 
or mandating data retention limits and deletion,\52\ or requiring 
adherence to standardized terms of service with strong privacy 
protections.\53\
---------------------------------------------------------------------------

    \39\ See generally, Am. Acad. of Fam. Physicians (``AAFP''); 
AHIP; AHIMA; Ass'n of Health Info. Outsourcing Serv.'s (``AHIOS''); 
AMA; Am. Med. Informatics Ass'n (``AMIA''); ANI; Anonymous 1; 
Anonymous 2; Anonymous 3; Anonymous 4; Anonymous 9; Anonymous 10; 
Anonymous 11 ; Anonymous 14; Am. Osteopathic Ass'n (``AOA''); Ella 
Balasa; Beth Barnett; Lauren Batchelor; Bipartisan Pol'y Ctr. 
(``BPC''); Alan Brewington; Ctr. for Democracy & Tech. (``CDT''); 
Ctr. for Digit. Democracy (``CDD''); Confidentiality Coal.; Consumer 
Rep.'s; Elec. Frontier Found. (``EFF''); Elec. Priv. Info. Ctr. 
(``EPIC''); Dave K.; Members of the House of Representatives; MRO 
Corp. (``MRO''); Omada Health; Pharmed Out; Planned Parenthood 
Federation of Amer. (``Planned Parenthood''); CB Sanders; Robb 
Streicher; SYNGAP1 Foundation and SYNGAP1 Foundation 2; Devin 
Thompson; Janice Tufte; Michael Turner; U.S. Public Interest 
Research Group (``U.S. PIRG''); UL Sol.'s; Grace Vinton; WEDI; Anli 
Zhou. Some commenters elaborated on the nature of the risks to 
consumers' health data and on the importance to consumers. Two 
commenters, for example, described research they had performed 
regarding mental health and/or reproductive health apps' disclosure 
of consumers' health data to third parties. Mozilla at 3-4; Consumer 
Reports at 2. Another commenter, a public interest group and 
advocacy organization, attached a petition containing 9,659 
signatures asking for strong rules to protect digital health 
privacy. US PIRG at 5-230.
    \40\ E.g., AAFP, AHIMA, AHIOS, AMA, AMIA, AOA; Network Advert. 
Initiative (``NAI'').
    \41\ E.g., Mozilla; MRO; Omada Health; UL Sol.'s.
    \42\ See Members of the House of Representatives (six members of 
Congress expressing support for the proposed changes).
    \43\ E.g., CDD; CDT; EFF; U.S. PIRG.
    \44\ Ella Balasa; Beth Barnett; Lauren Batchelor; Alan 
Brewington; Sean Castillo; Dave K.; CB Sanders; Robb Streicher; 
Devin Thompson; Janice Tufte; Michael Turner; Grace Vinton; Anli 
Zhou.
    \45\ Anonymous 1; Anonymous 2; Anonymous 3; Anonymous 4; 
Anonymous 5; Anonymous 6; Anonymous 9; Anonymous 10; Anonymous 11; 
Anonymous 14.
    \46\ See, e.g., AAFP at 1-2; AHIMA at 2; AHIOS at 2; Anonymous 5 
at 1; AOA at 1; Am. Speech-Language-Hearing Ass'n (``ASHA'') at 1; 
Am. Psychiatric Ass'n (``APA'') at 1; CDT at 3-4; CHIME at 2; EFF at 
1; Generation Patient at 1; HIMSS at 2; HIMSS Elec. Health Rec. 
Ass'n (``HIMSS EHR Ass'n'') at 1; MRO at 1-2; Omada Health at 2; 
PharmedOut at 1; Planned Parenthood at 2-3; Michael Turner at 1; 
WEDI at 1-4.
    \47\ AHIMA at 2; Anonymous 5 at 1; ASHA at 1; EFF at 1; WEDI at 
2. One commenter, a software company that assists digital health 
companies with legal compliance, argued that three factors, in 
particular, support greater protection for digital health data: (1) 
consumers mistakenly believe HIPAA covers all health data; (2) there 
is a culture within some digital health companies that favors rapid 
adoption of products to secure venture capital even when compliance 
infrastructure is lacking; and (3) digital health products deal with 
sensitive data and inherently present a greater privacy risk given 
their heavy reliance on data and data exchange compared to 
traditional medicine. Tranquil Data at 1.
    \48\ Confidentiality Coal. at 2; Consumer Rep.'s at 4.
    \49\ See, e.g., AAFP at 2. One commenter, an industry coalition 
focused on health IT and health care information exchange, 
emphasized a significant privacy problem adjacent to the Rule: 
whether HIPAA covered entities should warn patients about the 
privacy risks associated with health apps and what the Federal 
government can do to apply equal privacy protections to health data, 
notwithstanding HIPAA's limitations. See WEDI at 3. One commenter 
supported the proposed changes but argued the Commission should work 
with Congress to update antiquated terms like ``personal health 
record.'' HIMSS at 3.
    \50\ Ella Balasa at 2; PharmedOut at 1.
    \51\ Light Collective at 5.
    \52\ EFF at 2.
    \53\ Texas Med. Ass'n (``TMA'') at 1-2.
---------------------------------------------------------------------------

    Although many commenters expressed support for the proposed 
changes, several business coalitions, industry associations and 
individual firms opposed the changes, which, they argued, are 
inconsistent with Congress's intent in the Recovery Act to address a 
narrow subset of ``personal health records'' and therefore exceed the 
FTC's statutory authority.\54\ According to some comments, Congress 
should address any privacy issues that exceed the narrow scope of the 
Recovery Act. These commenters also contend that if the Commission 
believes there has been a violation of section 5, then the Commission 
needs to engage in an FTC Act section 18 rulemaking.\55\ One commenter 
argued further that consumers have different privacy expectations for 
an electronic health record offered by their physician versus a fitness 
app (for example) that they download themselves, and the Commission's 
Rule should respect those differing expectations.\56\
---------------------------------------------------------------------------

    \54\ See, e.g., Ass'n of Nat'l Advertisers, Inc. (``ANA'') at 4-
5; Comput. & Commc'n's Indus. Ass'n (``CCIA'') at 2-3; Chamber of 
Com. (``Chamber'') at 1-3; CHI at 2; Consumer Tech. Ass'n (``CTA'') 
at 2; Lab'y Access and Benefits Coal. (``LAB'') at 1; Priv. for Am. 
at 1-2; TechNet at 2.
    \55\ Priv. for Am. at 2-3; Chamber at 6-7; Health Innovation 
All. (``HIA'') at 1. See also Advanced Med. Tech. Ass'n 
(``AdvaMed'') at 1 (recommending the Commission adopt a privacy 
framework pursuant to the advanced notice of proposed rulemaking 
(R111004) regarding commercial surveillance and data security (87 FR 
51273, Aug. 22, 2022)).
    \56\ CCIA at 4.
---------------------------------------------------------------------------

    Some commenters opposed to the changes also argued that the revised 
definitions would reduce choice and access in the marketplace,\57\ 
stifle innovation,\58\ or create disincentives for advertising \59\ 
because (1) firms would risk initiating breaches by sharing user data 
with their partners and (2) in accepting data from health apps, 
partners such as advertising and analytics firms would risk being 
covered by the Rule.\60\ According to some commenters, placing such 
strictures on the advertising and service provider ecosystem would 
raise prices (by, for example, undermining ad-supported services) and 
thereby harm competition.\61\ One commenter argued that while robust 
protections for consumer health data are needed, the Rule should not be 
a vehicle for such protections, because it will result in over-
notification of consumers (who have largely learned to disregard breach 
notices) and be a barrier to legislative change on privacy and data 
security issues more generally.\62\ Another commenter argued against a 
breach notification rule altogether, asserting that the Commission 
should instead focus on requiring robust data security practices to 
prevent breaches in the first instance.\63\
---------------------------------------------------------------------------

    \57\ Am. Telemedicine Ass'n (``ATA Action'') at 1.
    \58\ TechNet at 1-2; CTA at 5.
    \59\ ANA at 3.
    \60\ Priv. for Am. at 3.
    \61\ E.g., ANA at 3; Priv. for Am. at 1, 3-4.
    \62\ World Priv F. (``WPF'') at 4.
    \63\ HIA at 2.
---------------------------------------------------------------------------

    Some commenters specifically addressed the proposed changes to the 
definitions of ``PHR identifiable health information'' and the new 
definitions of ``health care provider'' and ``health care services or 
supplies.'' First, a number of comments addressed the scope of ``PHR 
identifiable health information.'' Some commenters urged greater 
breadth, arguing, for example, that the definition of ``PHR 
identifiable health information'' should be expanded to include other 
types of data, such as data about an individual--not just data provided 
by or on behalf of an individual.\64\ Other commenters urged the 
Commission to state expressly that its definition encompasses 
particular types of information, such as unique persistent identifiers 
\65\ or information about sexual health \66\ or substance use or 
treatment.\67\ By contrast, some commenters urged the Commission to 
narrow the definition or otherwise clarify its limits, by, for example, 
exempting data relating to clinical research or trials \68\ or data 
that has been de-identified.\69\
---------------------------------------------------------------------------

    \64\ Consumer Rep.'s at 3.
    \65\ Id.
    \66\ BPC at 1-2; Planned Parenthood at 5.
    \67\ Legal Action Ctr. & Opioid Pol'y Inst. at 1-2.
    \68\ Soc'y for Clinical Rsch. Sites (``SCRS'') at 1.
    \69\ Future of Priv. F. (``FPF'') at 3.
---------------------------------------------------------------------------

    Relatedly, some commenters urged the Commission to create a 
definition of or standard for ``identifiable data,'' ``de-
identification'' or ``de-identified

[[Page 47033]]

data,'' \70\ such as by adopting HHS's de-identification standard,\71\ 
or by stating that information is identifiable if it is ``reasonably 
linkable to an identified or identifiable individual.'' \72\ Commenters 
argued that clarifying what constitutes ``identifiable'' data is 
necessary both because of the increasing ability for de-identified data 
to be re-identified \73\ and because the market needs clarity to enable 
uninhibited flow of de-identified health data for research, public 
health, and commercial activities.\74\ Indeed, according to one 
commenter, failure to clarify the standard could complicate or chill 
public health research and other innovation.\75\ One commenter argued 
that an objective standard of ``reasonable linkability'' is better than 
what the commenter described as the Rule's knowledge-based standard 
(i.e., whether the company has a reasonable basis to believe it can be 
used to identify an individual).\76\ One commenter urged the Commission 
to issue a new notice of proposed rulemaking on the issue of de-
identification alone.\77\
---------------------------------------------------------------------------

    \70\ SCRS at 2; Chamber at 7; EPIC at 7-9; FPF at 3-4, LAB at 2; 
MRO at 4; Network for Pub. Health L. and Texas A&M Univ. 
(``Network'') at 3.
    \71\ LAB at 2; Network at 3; SCRS at 2.
    \72\ FPF at 3.
    \73\ SCRS at 2.
    \74\ FPF at 3; Network at 3-4.
    \75\ Network at 3.
    \76\ FPF at 3.
    \77\ Chamber at 7.
---------------------------------------------------------------------------

    Second, many commenters specifically addressed the Commission's 
proposed new definition of ``health care provider.'' One commenter 
applauded the Commission's revised definition of ``health care 
provider,'' arguing that taking a crabbed view of that or related terms 
would lead to further fragmentation of health data, which is already 
fragmented by HIPAA's limited purview.\78\ Another commenter noted the 
Commission's definition of ``health care provider'' is simply a logical 
outgrowth of how consumers interact with health apps: consumers look to 
health apps to provide health-related services--the quintessential 
function of a health care provider.\79\
---------------------------------------------------------------------------

    \78\ CDT at 11.
    \79\ Confidentiality Coal. at 3-4.
---------------------------------------------------------------------------

    Other commenters, however, raised concerns that the proposed 
definition of ``health care provider'' is confusing in its departure 
from HIPAA's terminology or is otherwise overbroad.\80\ Some commenters 
argued this departure from the traditional meaning of the term is not 
what Congress intended.\81\ A few commenters suggested reducing the 
confusion with the traditional term by re-naming the definition. These 
commenters suggested the Commission instead use one of the following 
terms: ``non-HIPAA-regulated health care provider,'' \82\ ``PHR 
provider,'' \83\ ``Health-related vendor,'' \84\ ``HIPAA covered 
entity,'' \85\ or ``health-related service provider.'' \86\ Another 
commenter recommended eliminating the confusion by stating within the 
definition that it excludes HIPAA-covered entities and their business 
associates.\87\ Another commenter urged the Commission to affirm that 
its definition would have no impact on the term ``health care 
provider'' as used in other regulations.\88\
---------------------------------------------------------------------------

    \80\ AAFP at 2-3; AdvaMed at 3-4; AHIP at 2; AMA at 2-3; ATA 
Action at 1; CARIN Alliance at 2-3; CCIA at 3; CTA at 4, 6-9; 
Datavant at 2; Invitae Corp. (``Invitae'') at 4; NAI at 3-4; 
Software & Info. Indus. Ass'n (``SIIA'') at 1-2; TechNet at 2; TMA 
at 2-3; WPF at 7.
    \81\ ANA at 5; ATA Action at 1; Invitae at 4-5; Priv. for Am. at 
4.
    \82\ Planned Parenthood at 6.
    \83\ WPF at 7.
    \84\ AHIP at 2.
    \85\ AMA at 3.
    \86\ AHIP at 2.
    \87\ Datavant at 2.
    \88\ AAFP at 2-3.
---------------------------------------------------------------------------

    Several comments also expressed concern with the final phrase of 
the definition of ``health care provider'' (``any other entity 
furnishing health care services or supplies''), as overly broad and 
confusing. Commenters argued its breadth (and the breadth of the 
accompanying definition of ``health care services or supplies'') would 
have perverse results, turning retailers of tennis shoes, shampoo, or 
vitamins into entities covered by the Rule, which is not what Congress 
intended.\89\ Moreover, it would result not only in compliance burdens 
for companies (with the downstream effect of raising prices for 
consumers) but also in massive over-notification of consumers, who will 
become desensitized to the onslaught of notices.\90\
---------------------------------------------------------------------------

    \89\ ANA at 7-8; CCIA at 4; CHI at 3-4; CTA at 7-8; SIIA at 2.
    \90\ ANA at 3; SIIA at 1.
---------------------------------------------------------------------------

    Several commenters urged the Commission to address this problem by 
dropping the phrase ``any other entity furnishing health care services 
or supplies'' entirely--or at least excising the word ``supplies''--
from the definition of ``health care provider.'' \91\ One commenter 
recommended replacing the phrase with a different phrase: ``any other 
person or organization who furnishes, bills, or is paid for health care 
in the normal course of business.'' \92\ Another commenter recommended 
expressly excluding retailers.\93\ Commenters requested further 
clarification of certain terms within the definition of ``health care 
provider,'' including the terms ``furnishing'' \94\ and ``health 
care.'' \95\ And another commenter argued a better approach would be to 
jettison the definitions of ``health care provider'' and ``health care 
services and supplies'' entirely and instead apply the Rule to any 
entity that ``promotes its offering as addressing, improving, tracking 
or informing matters about a consumer's health.'' \96\
---------------------------------------------------------------------------

    \91\ AdvaMed at 4; CHI at 4; CTA at 9; TechNet at 2.
    \92\ AdvaMed at 4.
    \93\ CTA at 8-9.
    \94\ EPIC at 2.
    \95\ AdvaMed at 3 (urging the Commission to define ``health 
care'' and ``health care provider'' as in 45 CFR 160.103).
    \96\ WPF at 10.
---------------------------------------------------------------------------

    Third, some commenters addressed the proposed definition of 
``health care services or supplies.'' \97\ Several commenters requested 
more clarity as to what constitutes an ``online service,'' \98\ as 
nearly all commercial activities have some online presence.\99\ Several 
commenters recommended deleting the final phrase of the definition 
(``or that provides other health-related services or tools'') to limit 
the definition's breadth.\100\ Conversely, some commenters urged the 
Commission to reinforce its breadth, by expressly stating that ``health 
care services or supplies'' include services related to ``wellness'' 
\101\ or to specific health conditions, such as substance abuse 
disorder diagnosis, treatment, medication, recurrence of use 
(``relapse'') and recovery.\102\
---------------------------------------------------------------------------

    \97\ AdvaMed at 3; AAFP at 3; AHIP at 3; Priv. for Am. at 6-7.
    \98\ MRO at 2; WPF at 7-8.
    \99\ WPF at 8.
    \100\ NAI at 4.
    \101\ EPIC at 4.
    \102\ Legal Action Ctr. & Opioid Pol'y Inst. at 3.
---------------------------------------------------------------------------

3. The Commission Adopts the Proposed Changes To Clarify the Entities 
Covered
    After considering the comments received, the Commission adopts the 
proposed changes to the Rule (with only non-substantive, organizational 
improvements noted below) to clarify that the Rule applies to mobile 
health applications and similar technologies. The Commission agrees 
with the substantial number of comments, from many different types of 
entities and individuals, who argued that such clarification is 
necessary in light of changing technology (i.e., the mass adoption of 
health apps) and the privacy and data security risks to consumer health 
data collected by that technology. The Commission also agrees with

[[Page 47034]]

commenters who argued that the proposed changes to the Rule are 
consistent with the Recovery Act, which was intended to bolster breach 
notifications for consumer health data that falls outside HIPAA. 
Although the Commission agrees with commenters who argue that consumer 
health data should enjoy substantial and unfragmented privacy 
protections, this Rule addresses breach notification, not omnibus 
privacy protections. While this rulemaking does not address omnibus 
privacy protections, the Commission observes that companies collecting 
or holding consumers' sensitive health data should engage in many of 
the practices commenters described, such as imposing data retention 
limits, enabling deletion options, and preventing breaches through 
robust privacy and data security practices.\103\
---------------------------------------------------------------------------

    \103\ In the 2009 Final Rule, the Commission similarly 
underscored the importance of maintaining protections for health 
information, stating: ``In addition, as noted in the NPRM, the 
Commission expects entities that collect and store unsecured PHR 
identifiable health information to maintain reasonable security 
measures, including breach detection measures, which should assist 
them in discovering breaches in a timely manner.'' 74 FR 42971 n.93 
(2009).
---------------------------------------------------------------------------

    The Commission is not persuaded that applying the Rule to health 
apps and similar technologies will have deleterious consequences for 
individual firms or competition or result in over-notification of 
consumers. Importantly, the only obligation the Rule imposes is to 
notify the Commission, consumers, and, in some cases, the media of a 
breach of unsecured PHR identifiable health information. As noted in 
the NPRM, many State laws already impose similar, or significantly 
broader, data breach obligations.\104\ Moreover, firms can avoid 
notification costs entirely by avoiding breaches--by reducing the 
amount of unsecured PHR identifiable health information they access and 
maintain (which can be achieved by securing PHR identifiable health 
information), by de-identifying health information, and by implementing 
other privacy and data security measures appropriate to the sensitivity 
of the data. Congress intended for consumers to learn of breaches of 
their unsecured PHR identifiable health information that fall outside 
HIPAA; the changes to the Rule help ensure consumers will receive the 
notification Congress intended.
---------------------------------------------------------------------------

    \104\ 88 FR 37832 n.103.
---------------------------------------------------------------------------

    The Commission carefully considered the arguments commenters raised 
that the definitional changes depart from the language or spirit of the 
Recovery Act. The Commission does not agree. The definitions hew 
closely to the language of the Recovery Act and to the definitions 
directly referenced by the Recovery Act in section 1171(6) of the 
Social Security Act, 42 U.S.C. 1320d(6). As many commenters noted, 
while health apps did not exist when Congress passed the Recovery Act, 
they function in a similar manner to the personal health records that 
existed at the time.
    For these reasons, the Commission is adopting the proposed 
definitions, with minor clarifications. First, the Commission has 
retained the definition of ``PHR identifiable health information'' as 
set out in the NPRM, with non-substantive organizational changes noted 
below. In response to comments that the definition of ``PHR 
identifiable health information'' should be broader, the Commission 
notes the definition, which closely follows the statutory language, 
already encompasses most of the categories of data that commenters 
identified. For example, unique, persistent identifiers (such as unique 
device and mobile advertising identifiers), when combined with health 
information, constitute ``PHR identifiable health information,'' if 
these identifiers can be used to identify or re-identify an individual. 
Moreover, ``PHR identifiable health information'' encompasses 
information about sexual health and substance abuse disorders, because 
the information ``relates to the past, present, or future physical or 
mental health or condition of an individual, the provision of health 
care to an individual, or the past, present, or future payment for the 
provision of health care to an individual.'' The Recovery Act states 
PHR identifiable health information is information provided ``by or on 
behalf of the individual,'' so the Commission declines to change this 
phrase to ``about,'' as one commenter suggested.\105\ The Commission 
notes, however, that information provided ``by or on behalf of the 
individual'' will encompass much information ``about'' an individual, 
as the consumer is the original source of most data; many inferences 
``about'' the individual originate from information provided ``by or on 
behalf of the individual.''
---------------------------------------------------------------------------

    \105\ Consumer Rep.'s at 4.
---------------------------------------------------------------------------

    The Commission does not agree with commenters who sought to narrow 
the definition of PHR identifiable health information out of concern 
for the Rule's overall breadth. The Commission notes that liability 
under the Rule does not arise from a single definition. While data used 
for public health research, for example, may, in some instances, meet 
the definition of ``PHR identifiable health information,'' the firm 
using that data is subject to the Rule only if other conditions are met 
(i.e., the firm is an entity covered by the Rule).
    The Commission declines to create a new definition of ``de-
identified data'' or another similar term, because the definition of 
de-identification is already embedded in the second part of the 
definition of PHR identifiable health information (``that identifies 
the individual or with respect to which there is a reasonable basis to 
believe that the information can be used to identify the individual''). 
Where there is no ``reasonable basis to believe that the information 
can be used to identify the individual,'' the information is not 
identifiable; rather, it is de-identified. If data has been de-
identified according to standards set forth by HHS, then there is not a 
``reasonable basis to believe that the information can be used to 
identify the individual,'' as the definition of PHR identifiable health 
information requires. Because the Commission's standard is consistent 
with HHS's, the Commission's Rule poses no impediment to health-related 
research or other flows of de-identified data. The Commission does not 
view the existing language as a subjective standard that turns on a 
company's knowledge, as one commenter suggested; by requiring a 
``reasonable basis to believe'' that the information is not 
identifiable, the Rule creates an objective standard. Whether such 
reasonable basis exists will depend on whether the data can reasonably 
be linked to an individual consumer. There is no need for a 
supplemental notice of proposed rulemaking on this issue, as the 
Commission is not changing this aspect of the Rule, which closely 
follows the statute.\106\
---------------------------------------------------------------------------

    \106\ 42 U.S.C. 17937(f)(2).
---------------------------------------------------------------------------

    Second, the Commission is modifying the proposed definition of 
``health care provider'' to ``covered health care provider'' to 
distinguish that term from interpretations of the term ``health care 
provider'' in other contexts, which may be more limited in scope. As 
commenters requested, the Commission affirms its definition of 
``covered health care provider'' is unique to the Rule; it does not 
bear on the meaning of ``health care provider'' as used in other 
regulations enforced by other government agencies. The Commission 
adopts this change merely to dispel confusion in terminology; the 
Commission is not making any substantive change from the definition as 
proposed. The Commission does not need to state expressly, either in 
this definition or elsewhere, that the Rule's notification requirements 
do not apply to HIPAA-covered entities and their business associates, 
as Sec.  318.1 of the

[[Page 47035]]

Rule already includes this proviso. The Commission declines to remove 
the phrase ``any other entity furnishing health care services or 
supplies'' from the definition of ``health care provider,'' because 
this phrase is nearly identical to the language that appears in 42 
U.S.C. 1320d(3), which is referenced in the definition of individually 
identifiable health information in 42 U.S.C. 1320d(6), which is in turn 
referenced in the definition of PHR identifiable health information in 
section 13407(f)(2) of the Recovery Act, 42 U.S.C. 17937.\107\ The 
Commission declines to define the terms ``furnish'' and ``health care'' 
as the Commission believes the plain meaning of the term ``furnish'' 
(to supply someone with something) is already clear and adding a 
definition of ``health care'' is unnecessary in light of the definition 
of ``covered health care provider'' and ``health care services and 
supplies.'' Differences from HHS's regulations pursuant to HIPAA are 
appropriate, as the Recovery Act differs from HIPAA, and the Recovery 
Act's mandate is specifically to cover entities not covered by HIPAA.
---------------------------------------------------------------------------

    \107\ The definition of ``covered health care provider'' in 
Sec.  318.2 substitutes ``entity'' for ``person''--i.e., ``any other 
entity furnishing health care services or supplies''--because the 
rest of the Rule speaks in terms of ``entities,'' but the definition 
in Sec.  318.2 is otherwise identical to the statutory definition in 
42 U.S.C. 1320d(3).
---------------------------------------------------------------------------

    Third, the Commission is adopting the proposed definition of 
``health care services or supplies,'' with one minor modification: the 
Commission has substituted the word ``means'' for ``includes'' to avoid 
implying greater breadth than the Commission intends. The Commission 
adopts this change merely to dispel confusion about undue breadth; the 
Commission does not intend any substantive change from the definition 
proposed. The Commission otherwise affirms the proposed definition 
without change. The Commission believes the term ``online service'' in 
the definition of ``health care services or supplies'' is sufficiently 
clear because of the examples of ``online services'' given within the 
definition itself: website, mobile application, or internet-connected 
device. Providing an exhaustive list of what constitutes an online 
service would prevent the definition from being sufficiently flexible 
to account for future innovation in types of online services. The 
Commission also retains the catch-all ``or that provides other health-
related services or tools'' for the same reason: to ensure the Rule's 
language can accommodate future changes in technology. There is no 
undue breadth, because that phrase's meaning is in the context of the 
preceding phrase (``provides mechanisms to track diseases, health 
conditions, diagnoses or diagnostic testing, treatment, medications, 
vital signs, symptoms, bodily functions, fitness, fertility, sexual 
health, sleep, mental health, genetic information, diet'').
    In response to some commenters' concerns that the proposed Rule's 
definition of ``health care provider'' and ``health care services or 
supplies'' would impermissibly cause the Rule to cover retailers of 
general-purpose items like tennis shoes, shampoo, or vitamins, the 
Commission disagrees this would necessarily be the case. A threshold 
inquiry under the Rule is whether an entity is a ``vendor of personal 
health records,'' which the Recovery Act defines as ``an entity . . . 
that offers or maintains a personal health record.'' \108\ The Recovery 
Act usage of the term ``vendor of'' in connection with ``personal 
health records'' underscores that entities that are not in the business 
of offering or maintaining (e.g., selling, marketing, providing, or 
promoting) a health-related product or service are not covered--in 
other words, they are not ``vendors'' of personal health records. Thus, 
to be a vendor of personal health records under the Rule, an app, 
website, or online service must provide an offering that relates more 
than tangentially to health.\109\
---------------------------------------------------------------------------

    \108\ 42 U.S.C. 17921(18); see also 42 U.S.C. 17937.
    \109\ At least one commenter urged a somewhat similar 
interpretation, contending that a relevant inquiry in determining 
whether a service offers a personal health record is ``the terms 
under which a product or service is offered to consumers. If an 
entity promotes its offering as addressing, improving, tracking, or 
informing matters about a consumer's health, then that entity's 
offering would be subject to the rule. Thus, any product or services 
that tracks or addresses physical activity, blood pressure, heart 
rate, digestion, strength, genetics, sleep, weight, allergies, pain, 
and similar characteristics would be subject to a PHR rule.'' See 
WPF at 10.
---------------------------------------------------------------------------

    The Commission notes a general retailer (one that sells food 
products, children's toys, garden supplies, healthcare products (such 
as pregnancy tests), or apparel (such as maternity clothes)) offering 
consumers an app to purchase and access purchases of these products--by 
itself--would not make the retailer a vendor of personal health 
records. In this scenario, purchase information relating to certain 
items--such as a pregnancy test or maternity clothes from a retailer--
may reveal information about that person's health. While this purchase 
information may be PHR identifiable health information, the retailer in 
this scenario is not a vendor of personal health records because the 
app is only tangentially related to health. The Commission notes, 
however, there may be scenarios where a general-purpose retailer 
described above may become a vendor of personal health records under 
the Rule, such as where the retailer offers an app with features or 
functionalities that are sold, marketed, or promoted as more than 
tangentially relating to health.
    In addition, the Commission reiterates a personal health record 
must be an electronic record of PHR identifiable health information on 
an individual, must have the technical capacity to draw information 
from multiple sources, and must be managed, shared, and controlled by 
or primarily for the individual. The Commission also notes that 
purchases of items at a brick and mortar retailer where there is no 
app, website, or online service to access or track that purchase 
information electronically is not a personal health record, because 
there is no electronic record at issue. Contrary to the assertions of 
some commenters, these definitions do not result in undue breadth, 
because they do not function in isolation. The Commission provides the 
following examples to illustrate the interplay of these definitions 
with the definition of ``personal health record'':
     Example 1: Health advice app or website A, which is not 
covered by HIPAA, provides information to consumers about various 
medical conditions. Its function is purely informational; it does not 
provide any mechanism through which the consumer may track or record 
information. Health advice app or website A is not a personal health 
record, because it is not an electronic record of PHR identifiable 
health information on an individual.
     Example 2: Health advice app or website B, which is not 
covered by HIPAA, provides information to consumers about various 
medical conditions and provides a symptom tracker, available to 
consumers who log into the site with a username and password, in which 
consumers may input symptoms and receive potential diagnoses. Health 
advice app or website B is an electronic record of PHR identifiable 
health information on an individual, because its information is 
provided by the individual, it identifies the individual (via username 
and password), it relates to the individual's health conditions (the 
symptoms), and is received by a health care provider (i.e., the entity 
providing the site itself, as that entity is furnishing the health care 
service of an online service that provides mechanisms to track 
symptoms). However, health advice app or website B is not a personal 
health

[[Page 47036]]

record to the extent the site does not have the technical capacity to 
draw information from multiple sources (i.e., if the consumer is its 
only source of information).
     Example 3: Health advice website C, which is not covered 
by HIPAA, functions in the same way as health advice app or website B, 
except that it collects geolocation data via an application programming 
interface (``API''). For the reasons stated in Example 2, it is an 
electronic record of PHR identifiable health information on an 
individual. It also has the technical capacity to draw information from 
multiple sources (consumer inputs and collection of geolocation data 
through the API. It is managed primarily for the individual (i.e., to 
provide the individual health advice). Therefore, health advice app or 
website C is a personal health record.
     Example 4: Health advice app or website D, which is not 
covered by HIPAA, functions in the same way as health advice app or 
website B, except that it also draws information from a data broker and 
connects that information to some of its individual users to provide 
them with more accurate diagnostic suggestions. For the reasons stated 
in Example 2, it is an electronic record of PHR identifiable health 
information on an individual. It also has the technical capacity to 
draw information from multiple sources (the consumer and the data 
broker) and is managed by or primarily for the individual. Therefore, 
health advice app or website D is a personal health record.
    Whether a health app or other electronic record constitutes a 
personal health record (and is therefore subject to the Rule) is a 
fact-intensive inquiry whose outcome depends not only on the nature of 
the information contained in that record, but also on numerous other 
factors, such as its ``technical capacity,'' its source(s) of 
information, and its relationship to the individual.
    Finally, the Commission notes a non-substantive, organizational 
change relating to the definition of ``PHR identifiable health 
information.'' In the 2023 NPRM, the Commission proposed revising ``PHR 
identifiable health information'' by importing language from section 
1171(6) of the Social Security Act, 42 U.S.C. 1320d(6), which is 
referenced directly in section 13407 of the Recovery Act. To hew more 
closely to the organization of the Recovery Act, and to preserve the 
word ``includes'' in the phrase ``includes information that is provided 
by or on behalf of the individual,'' the Commission revised slightly 
the order of the elements in the definition of ``PHR identifiable 
health information.''

B. Clarification of What It Means for a Personal Health Record To Draw 
Information From Multiple Sources

1. The Commission's Proposal Regarding What It Means for a Personal 
Health Record To Draw Information From Multiple Sources
    The Commission proposed amending the definition of the term 
``personal health record'' to clarify what it means for a personal 
health record to draw information from multiple sources. Under the 2009 
Rule, a personal health record is defined as an electronic record of 
PHR identifiable health information that can be drawn from multiple 
sources and that is managed, shared, and controlled by or primarily for 
the individual. Under the Commission's proposed definition, a 
``personal health record'' would be defined as an electronic record of 
PHR identifiable health information on an individual that has the 
technical capacity to draw information from multiple sources and that 
is managed, shared, and controlled by or primarily for the individual.
    Changing the phrase ``that can be drawn from multiple sources'' to 
``has the technical capacity to draw information from multiple 
sources'' serves several purposes. First, it clarifies a product is a 
personal health record if it can draw information from multiple 
sources, even if the consumer elects to limit information to a single 
source only, in a particular instance. For example, a depression 
management app that accepts consumer inputs of mental health states and 
has the technical capacity to sync with a wearable sleep monitor is a 
personal health record, even if some customers choose not to sync a 
sleep monitor with the app. Thus, whether an app qualifies as a 
personal health record would not depend on the prevalence of consumers' 
use of a particular app feature, like sleep monitor-syncing. Instead, 
the analysis of the Rule's application would be straightforward: either 
the app has the technical means (e.g., the application programming 
interface or API) to draw information from multiple sources, or it does 
not. Next, adding the phrase ``technical capacity to draw information'' 
clarifies a product is a personal health record if it can draw any 
information from multiple sources, even if it only draws health 
information from one source. This change further clarifies the 
Commission's interpretation of the Recovery Act, as explained in the 
Policy Statement.\110\
---------------------------------------------------------------------------

    \110\ Policy Statement at 2.
---------------------------------------------------------------------------

    The Commission sought public comment as to whether this revised 
language sufficiently clarifies the Rule's application to developers 
and purveyors of products that have the technical capacity to draw 
information from more than one source. The Commission invited comment 
on its interpretation that an app is a personal health record because 
it has the technical capacity to draw information from multiple 
sources, even if particular users of the app choose not to enable the 
syncing features. The Commission also requested comment about whether 
an app (or other product) should be considered a personal health record 
even if it only draws health information from one place (in addition to 
non-health information drawn elsewhere); or only draws identifiable 
health information from one place (in addition to non-identifiable 
health information drawn elsewhere). The Commission further requested 
comment about whether the Commission's bright-line rule (apps with the 
``technical capacity to draw information'' are covered) should be 
adjusted to take into account consumer use, such as where no consumers 
(or only a de minimis number) use a feature, and about the likelihood 
of such scenarios. For example, the Commission offered an example of an 
app that might have the technical capacity to draw information from 
multiple sources, but its API is entirely or mostly unused, either 
because it remains a Beta feature, has not been publicized, or is not 
popular.
2. Public Comments Regarding What It Means for a Personal Health Record 
To Draw Information From Multiple Sources
    Many commenters supported the Commission's proposal amending the 
definition of a ``personal health record.'' \111\ Commenters noted, for 
instance, this change would help to ensure that many services that 
collect PHR identifiable health information are covered by the 
Commission's Rule,\112\ and would help to promote greater privacy and 
security for health information,\113\ while still ``hewing to

[[Page 47037]]

the limitations of the statute.'' \114\ Some commenters noted without 
this change, developers of personal health records (such as app 
developers) might have incentives to design their products in ways that 
would intentionally skirt the Rule's requirements (such as by 
restricting a consumer's ability to import data from other 
sources).\115\ Others noted the importance of the Rule covering apps 
with the technical capacity to draw information from multiple sources 
even where such capacity is not used by the consumer.\116\
---------------------------------------------------------------------------

    \111\ Ella Balasa at 1; TMA at 4 (arguing that ``PHRs include 
applications with the technical capacity to draw information from 
multiple sources, regardless of the patient's preference to activate 
the technical capability.''); Consumer Rep.'s at 6; AAFP at 3; AHIMA 
at 4-5; AMA at 4; CHIME at 4; CDT at 13; AOA at 3.
    \112\ AHIMA at 4-5.
    \113\ AAFP at 3.
    \114\ Consumer Reports at 5-6.
    \115\ AHIP at 2-3; CDT at 13 (arguing that changes remove 
``incentives for companies to technically design products and 
services to not trigger the HBNR to avoid any need to provide 
consumer notice.'').
    \116\ AHIOS at 4; CARIN Alliance at 4.
---------------------------------------------------------------------------

    Other commenters opposed this proposal.\117\ Some argued the 
proposed clarification regarding what drawing information from multiple 
sources means runs counter to Congress's statutory intent,\118\ because 
virtually every app has some sort of integration (e.g., for analytics) 
through which it draws information other than from the consumer.\119\ 
One commenter asserted the change would broaden the scope of the Rule 
to the point that it would sweep in online services that should not be 
thought of as a personal health record (such as email apps),\120\ or 
otherwise create confusing standards for app developers or reduce 
innovation.\121\ In addition, commenters expressed concern this change 
would sweep in apps or online services that have the technical capacity 
to draw from multiple sources during the development or testing phase 
of the product, or would sweep in products with unused, unavailable, or 
unpublicized APIs or integrations that count as a source.\122\ One 
commenter expressed concern about lack of clarity, such as in scenarios 
where a user is required to pay for an upgrade to access a feature or 
integration that draws information from another source.\123\ Some 
commenters also expressed concern that apps and online services that 
are subject to HIPAA (i.e., HIPAA-covered entities or business 
associates) should be carved out of the definition of a personal health 
record.\124\ Other commenters expressed broader concern with the 
definition of ``personal health record,'' urging the Commission to, for 
example, abandon the purportedly outdated term in favor of a more 
modern one.\125\ For instance, some commenters urged that the 
Commission abandon or tweak the requirement that the personal health 
record be ``managed, shared, and controlled by or primarily for the 
individual.'' \126\
---------------------------------------------------------------------------

    \117\ NAI at 6 (urging that the Commission make clear that a 
personal health record is one that ``not only has the technical 
capacity to draw PHR identifiable health information from multiple 
sources, but that it also has the functionality and actually does 
incorporate data from multiple sources.''); ANA at 7; ACLA at 1-2.
    \118\ NAI at 6.
    \119\ Chamber at 4-5; Priv. for Am. at 5-6; NAI at 6.
    \120\ CCIA at 6.
    \121\ CTA at 11; AdvaMed at 5; CHI at 5.
    \122\ CHI at 5 (asking the Commission to clarify that an ``app 
having the ability to draw from multiple sources with some changes 
to the app's coding/APIs is not within this definition's 
threshold.''); ACLA at 1 (arguing ``[i]f a feature is unused by 
individuals `because it remains a Beta feature,' then in fact it 
does not have the `technical capacity' to draw an individual's 
information from other sources, unless and until its functionality 
has been enabled by the vendor. The mere possibility that an 
application vendor might sometime in the future enable that 
functionality should not bring the electronic record within the 
scope of the definition of `personal health record.' '') (emphasis 
in original); CTA at 11 (arguing Rule should instead have bright-
line test that assesses whether the app actually draws health 
information from multiple sources); AdvaMed at 5 (arguing the 
Commission should decline to adopt multiple sources changes because 
it could cause confusion and potentially sweep in apps or services 
with features that have not been made available to consumers, such 
as APIs connected to the PHR that have not been publicized).
    \123\ WPF at 9.
    \124\ Omada at 5; Datavant at 3.
    \125\ HIMSS at 3 (urging the Commission to work with Congress to 
craft a definition more consonant with technological realities).
    \126\ AHIOS at 4; MRO at 4.
---------------------------------------------------------------------------

    Another commenter expressed concern the proposed change could sweep 
in services that draw any information from multiple sources, regardless 
of whether that information is identifiable health information.\127\
---------------------------------------------------------------------------

    \127\ NAI at 6.
---------------------------------------------------------------------------

3. The Commission Adopts the Proposed Changes Clarifying What It Means 
for a Personal Health Record To Draw Information From Multiple Sources
    After considering the comments received, the Commission adopts the 
proposed amendment without change. This amendment will help clarify the 
types of entities covered by the Rule. The definition does not create 
undue breadth or deviate from Congressional intent; rather, the changes 
are consistent with the language of the Recovery Act, and only serve to 
give meaning to the phrase ``can be drawn'' in the Recovery Act in a 
way that is consistent with the current state of technology. They are 
also necessary to keep pace with technological change, which has 
enabled firms to offer consumers mobile electronic records of their 
health information that contain numerous integrations. To illustrate 
the intended meaning of the proposed revisions to the term ``personal 
health record,'' the Commission reiterates examples from the 2023 NPRM 
of two non-HIPAA covered diet and fitness apps available for consumer 
download in an app store. Under the amended Rule, each is a personal 
health record.
     Example 1: Diet and fitness app Y allows users to sync 
their app with third-party wearable fitness trackers. Diet and fitness 
app Y has the technical capacity to draw identifiable health 
information both from the user (e.g., name, weight, height, age) and 
the fitness tracker (e.g., user's name, miles run, heart rate), even if 
some users elect not to connect the fitness tracker.
     Example 2: Diet and fitness app Y has the ability to pull 
information from the user's phone calendar via the calendar API to 
suggest personalized healthy eating options. Diet and fitness app Y has 
the technical capacity to draw identifiable health information from the 
user (e.g., name, weight, height, age) and non-health information 
(e.g., calendar entry info, location, and time zone) from the user's 
calendar.
    As these examples make clear, and in response to one commenter's 
concern that the changes would sweep in services that do not draw any 
health information,\128\ the Commission notes the Rule still requires 
drawing PHR identifiable health information from at least one source to 
count as a personal health record.
---------------------------------------------------------------------------

    \128\ NAI at 6.
---------------------------------------------------------------------------

    The Commission declines to make other requested changes to the 
definition of personal health record. First, the Commission declines to 
include an express exemption for HIPAA-covered entities within the 
definition of personal health record because Sec.  318.1 of the Rule 
already specifically exempts businesses or organizations covered by 
HIPAA.\129\ Second, the Commission declines to exempt apps and services 
where there are available but unused or unpublicized APIs or 
integrations. Similarly, the Commission declines to exempt apps and 
services from the definition just because they are drawing information 
from multiple sources while undergoing product or beta testing and are 
not yet in their final form.\130\ The Commission notes a product 
feature or integration that exists

[[Page 47038]]

and that is able to draw PHR identifiable health information counts as 
a source under the Rule. Exempting such instances would be contrary to 
the purpose of the Rule and would impermissibly limit notification of 
breaches just because a product feature is not widely disseminated, 
used, or in its final form. The Commission notes under the Rule, a 
covered entity that experienced a breach of security of unsecured PHR 
identifiable health information triggering the Rule would not be exempt 
because the breach occurred in the context of such scenarios.
---------------------------------------------------------------------------

    \129\ See, e.g., 16 CFR 318.1(a) (Rule ``does not apply to 
HIPAA-covered entities, or to any other entity to the extent that it 
engages in activities as a business associate of a HIPAA-covered 
entity.''); see also 16 CFR 318.2 (exempting business associates and 
HIPAA-covered entities from the Rule's definitions of ``PHR related 
entity'' and ``vendor of personal health records.'').
    \130\ ACLA at 1-2; CTA at 11; AdvaMed at 5.
---------------------------------------------------------------------------

    Further, and importantly, the Rule is triggered only by breaches of 
unsecured PHR identifiable health information and does not apply to 
information that is protected or ``secured'' through the use of a 
technology or methodology specified by the Secretary of Health and 
Human Services in the guidance issued under section 13402(h)(2) of the 
American Reinvestment and Recovery Act of 2009, 42 U.S.C. 
17932(h)(2).\131\ The Rule, therefore, creates appropriate incentives 
for product testing with de-identified data or that secures information 
through certain specifications, such as through specified encryption 
methods.
---------------------------------------------------------------------------

    \131\ Per HHS guidance, electronic health information is 
``secured'' if it has been encrypted according to certain 
specifications set forth by HHS, or if the media on which electronic 
health information has been stored or recorded is destroyed 
according to HHS specifications. See 74 FR 19006; see also U.S. 
Dep't of Health & Human Servs., Guidance to Render Unsecured 
Protected Health Information Unusable, Unreadable, or Indecipherable 
to Unauthorized Individuals (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html. PHR 
identifiable health information would be considered ``secured'' if 
such information is disclosed by, for example, a vendor of personal 
health records, to a PHR related entity or a third party service 
provider, in an encrypted format meeting HHS specifications, and the 
PHR related entity or third party service provider stores the data 
in an encrypted format that meets HHS specifications and also stores 
the encryption and/or decryption tools on a device or at a location 
separate from the data.
---------------------------------------------------------------------------

    Third, the Commission declines, as one commenter requested,\132\ to 
expressly exempt scenarios where a change is required to an app's 
coding to draw information from another source. The Commission notes, 
however, it does not intend to cover instances where an app can draw 
from multiple sources only through changes to the design or underlying 
software code and where the app developer does not implement those 
changes.
---------------------------------------------------------------------------

    \132\ CHI at 5 (asking the Commission to clarify that an ``app 
having the ability to draw from multiple sources with some changes 
to the app's coding/APIs is not within this definition's 
threshold.'').
---------------------------------------------------------------------------

    In addition, the Commission declines to remove from the definition 
of personal health record the requirement that it be ``managed, shared, 
and controlled by or primarily for the individual.'' This language 
mirrors the Recovery Act's statutory definition of personal health 
record.\133\ Further, this language provides a boundary to the 
definition. Even if a website or app has the technical capacity to draw 
information from multiple sources (for example, because it has 
integrations for advertising or analytics), it must still be ``managed, 
shared, and controlled by or primarily for the individual'' to be 
covered by the Rule.
---------------------------------------------------------------------------

    \133\ 42 U.S.C. 17921(11).
---------------------------------------------------------------------------

    Generally, a personal health record is an electronic record of an 
individual's health information by which the individual maintains 
access to the information and may have, for example, the ability to 
manage, track, control, or participate in his or her own health care. 
If these elements are not present, the website or app may not be 
``managed, shared, and controlled by or primarily for the individual,'' 
and would not, therefore, constitute a personal health record.

C. Clarification Regarding Types of Breaches Subject to the Rule

1. The Commission's Proposals
a. The Commission's Proposal Regarding ``Breach of Security''
    The Commission proposed a definitional change to clarify that a 
breach of security under the Rule encompasses unauthorized acquisitions 
that occur as a result of a data breach or an unauthorized disclosure. 
The Commission's proposal underscores that a breach of security is not 
limited to data exfiltration, and includes unauthorized disclosures 
(such as, but not limited to, a company's unauthorized sharing or 
selling of consumers' information to third parties that is inconsistent 
with the company's representations to consumers). The Rule previously 
defined ``breach of security'' as the acquisition of unsecured PHR 
identifiable health information of an individual in a personal health 
record without the authorization of the individual, which language 
mirrored the definition of ``breach of security'' in section 
13407(f)(1) of the Recovery Act.
    Accordingly, consistent with the Recovery Act definition, the 
Policy Statement, FTC enforcement actions under the Rule, and public 
comments received, the Commission proposed amending the definition of 
``breach of security'' in Sec.  318.2 by adding the following sentence 
to the end of the existing definition: ``[a] breach of security 
includes an unauthorized acquisition of unsecured PHR identifiable 
health information in a personal health record that occurs as a result 
of a data breach or an unauthorized disclosure.'' The change was 
intended to make clear to the marketplace that a breach includes an 
unauthorized acquisition of identifiable health information that occurs 
as a result of a data breach or an unauthorized disclosure, such as a 
voluntary disclosure made by the PHR vendor or PHR related entity where 
such disclosure was not authorized by the consumer.
    The NPRM, like the 2009 Rule, continued to include a rebuttable 
presumption for unauthorized access to an individual's data; it stated 
when there is unauthorized access to data, unauthorized acquisition 
will be presumed unless the entity that experienced the breach ``has 
reliable evidence showing that there has not been, or could not 
reasonably have been, unauthorized acquisition of such information.''
b. The Commission's Related Proposal To Not Define the Term 
``Authorization'' in the Rule
    In the 2023 NPRM, the Commission stated it had considered defining 
the term ``authorization,'' which appears in Sec.  318.2's definition 
of ``breach of security,'' but did not propose any such change in the 
NPRM.
    The Commission considered defining ``authorization'' to mean the 
affirmative express consent of the individual and then defining 
``affirmative express consent'' consistent with State laws that define 
consent, such as the California Consumer Privacy Rights Act, Cal. Civ. 
Code 1798.140(h).\134\ Such changes would have ensured notification is 
required anytime there is acquisition of

[[Page 47039]]

unsecured PHR identifiable health information without the individual's 
affirmative express consent for that acquisition--such as when an app 
discloses unsecured PHR identifiable health information to another 
company, having obtained nominal ``consent'' from the individual by 
using a small, greyed-out, pre-selected checkbox following a page of 
dense legalese.
---------------------------------------------------------------------------

    \134\ As noted in the 2023 NPRM, the Commission considered 
defining ``affirmative express consent'' as any freely given, 
specific, informed, and unambiguous indication of an individual's 
wishes demonstrating agreement by the individual, such as by a clear 
affirmative action, following a clear and conspicuous disclosure to 
the individual, apart from any ``privacy policy,'' ``terms of 
service,'' ``terms of use,'' or other similar document, of all 
information material to the provision of consent. Acceptance of a 
general or broad terms of use or similar document that contains 
descriptions of agreement by the individual along with other, 
unrelated information, does not constitute affirmative express 
consent. Hovering over, muting, pausing, or closing a given piece of 
content does not constitute affirmative consent. Likewise, agreement 
obtained through use of user interface designed or manipulated with 
the substantial effect of subverting or impairing user autonomy, 
decision-making, or choice, does not constitute affirmative express 
consent. See 88 FR 37830 n.78.
---------------------------------------------------------------------------

    The Commission did not, however, propose to define 
``authorization'' because (1) the 2009 Rule Commentary already provided 
guidance on the types of disclosures the Commission considers to be 
``unauthorized''; \135\ (2) recent Commission orders, such as the 
Commission's enforcement actions against GoodRx and Easy 
Healthcare,\136\ also make clear that the use of ``dark patterns,'' 
which have the effect of manipulating or deceiving consumers, including 
through use of user interfaces designed with the substantial effect of 
subverting or impairing user autonomy and decision-making, do not 
satisfy the standard of ``meaningful choice''; and (3) Commission 
settlements establish important guidelines involving authorization (the 
Commission's recent settlement with GoodRx, alleging violations of the 
Rule, highlights that disclosures of PHR identifiable health 
information inconsistent with a company's privacy promises constitute 
an unauthorized disclosure).
---------------------------------------------------------------------------

    \135\ See, e.g., 74 FR 42967.
    \136\ United States v. GoodRx Holdings, Inc., No. 23-cv-460 
(N.D. Cal. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc; United States v. Easy 
Healthcare Corp., No. 1:23-cv-3107 (N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
---------------------------------------------------------------------------

    The Commission sought public comment about:
     Whether the commentary above and FTC enforcement actions 
under the Rule provide sufficient guidance to put companies on notice 
about their obligations for obtaining consumer authorization for 
disclosures, or whether defining the term ``authorization'' would 
better inform companies of their compliance obligations.
     To the extent that including such definitions would be 
appropriate, the definitions of ``authorization'' and ``affirmative 
express consent,'' as described above, and the extent to which such 
definitions are consistent with the language and purpose of the 
Recovery Act.
     What constitutes an acceptable method of authorization, 
particularly when unauthorized sharing is occurring.\137\
---------------------------------------------------------------------------

    \137\ For example, the Commission sought comment about when a 
vendor of personal health records or a PHR-related entity is sharing 
information covered by the Rule, is it acceptable for that entity to 
obtain the individual's authorization to share that information when 
an individual clicks ``agree'' or ``accept'' in connection with a 
pre-checked box disclosing such sharing? Is it sufficient if an 
individual agrees to terms and conditions disclosing such sharing 
but that individual is not required to review the terms and 
conditions? Or is it sufficient if an individual uses a health app 
that discloses in its privacy policy that such sharing occurs, but 
the app knows via technical means that the individual never 
interacts with the privacy policy? See 88 FR 37832.
---------------------------------------------------------------------------

     Whether there are certain types of sharing for which 
authorization by consumers is implied because such sharing is expected 
and/or necessary to provide a service to consumers.
2. Public Comments
a. Public Comments Regarding ``Breach of Security''
    Many commenters supported the Commission's proposed amendment to 
the definition of ``breach of security.'' \138\ One commenter noted the 
change is consistent with the broad definition of ``breach of 
security'' in the Recovery Act, which refers explicitly to the 
acquisition of PHR identifiable health information without the 
authorization of an individual (rather than the authorization of an 
entity holding the data, as is the case where a breach involves data 
theft or exfiltration).\139\ Commenters also noted the amendment would 
ensure notice, accountability, and regulatory oversight, regardless of 
the underlying cause of the unauthorized acquisition.\140\ Commenters 
noted that breaches encompass more than just cybersecurity 
intrusions.\141\ Commenters also argued that a company's voluntary 
unauthorized disclosure can be just as damaging as data theft.\142\ For 
instance, a commenter noted that unauthorized disclosures of health 
information may cause embarrassment, perpetuate stigma about patients' 
conditions, deter patients from seeking care, interfere in the patient-
physician relationship, or impact patients' employment.\143\ Moreover, 
voluntary, unauthorized disclosures increase the risk of additional 
unauthorized acquisition and sharing of this information among bad 
actors.\144\
---------------------------------------------------------------------------

    \138\ See, e.g., TMA at 3; U.S. PIRG at 2-3; AAFP at 3; AHIMA at 
3; AMA at 3-4; AMIA at 3; AOA at 2-3; AHIOS at 3; CDT at 11-12; 
CHIME at 4; EPIC at 5-6.
    \139\ Consumer Rep.'s at 4.
    \140\ CDT at 11-12; U.S. PIRG at 2-3.
    \141\ AMA at 4; CDT at 11-12; EPIC at 5.
    \142\ AAFP at 3; CDT at 11-12.
    \143\ AOA at 2.
    \144\ AHIMA at 3.
---------------------------------------------------------------------------

    Some commenters supported expanding or changing the definition 
further. Specifically, some commenters urged the Commission to amend 
the definition to encompass (1) exceeding authorized access or use of 
PHR identifiable health information, such as where a company collects 
data for one purpose, but later uses or discloses that data for a 
second, undisclosed purpose; \145\ or (2) the collection or retention 
of PHR identifiable health information beyond what is necessary to 
provide the associated service to an individual consumer.\146\ One 
commenter asked the Commission to clarify that the Rule would be 
triggered by unauthorized use of or access to information derived from 
PHR identifiable health information, and to define the phrase 
acquisition.\147\
---------------------------------------------------------------------------

    \145\ FPF at 12-15.
    \146\ EPIC at 5-7; U.S. PIRG at 2-3.
    \147\ Mozilla at 6-7.
---------------------------------------------------------------------------

    Some commenters, however, urged the Commission to not amend the 
definition at all. These commenters expressed concern the amendment 
would cause the Rule to exceed what Congress intended in the Recovery 
Act and transform the Rule into an opt-in notice and consent privacy 
regime.\148\ Commenters argued further the proposed changes would cause 
consumer notice fatigue,\149\ consumer panic,\150\ or over-reporting by 
companies.\151\ One commenter urged the Commission to limit the 
definition of ``acquisition'' to actual acquisition, and exclude 
instances of access or disclosure where the information was not 
actually acquired by a third party.\152\ Commenters argued the proposed 
definition would be burdensome and force companies to limit certain 
beneficial disclosures to certain third parties, such as disclosures to 
support internal operations, detect security vulnerabilities or fraud, 
for law enforcement, and other purposes.\153\
---------------------------------------------------------------------------

    \148\ Chamber at 6; Priv. for Am. at 2-5; ANA at 6-7.
    \149\ SIIA at 3; CTA at 13-14.
    \150\ CCIA at 4-5, 7 (arguing that requiring notification for 
unauthorized disclosures could cause consumers to worry in the 
absence of harm, such as where it is ``typical'' to disclose such 
information.)
    \151\ CTA at 13-14.
    \152\ Id. at 14-16.
    \153\ TechNet at 3; Chamber at 7; CCIA at 5-6.
---------------------------------------------------------------------------

    Some commenters also urged that the Commission adopt carve-outs so 
that certain conduct would not be deemed breaches of security under the 
Rule. Commenters requested exemptions consistent with or found in HIPAA 
or

[[Page 47040]]

under State breach notification laws, such as exemptions for 
disclosures to certain types of entities or for certain purposes, or 
where there is inadvertent or unintentional access, use, or 
disclosure.\154\ Commenters also proposed safe harbors for companies 
that implement recognized security or privacy safeguards; \155\ and one 
commenter proposed safe harbors that would apply where data is shared 
with ``affiliated businesses,'' where there is inadvertent but ``good-
faith'' access by a company employee, where a company makes good faith 
efforts to inform consumers of disclosures to third parties, and where 
companies take steps to contractually limit downstream uses of the 
data.\156\ Other commenters expressed support for exempting disclosures 
of PHR identifiable health information to public health authorities for 
public health purposes, noting the amended definition could discourage 
such disclosures.\157\
---------------------------------------------------------------------------

    \154\ CHI at 4 (stating the FTC ``should explicitly except the 
same situations from disclosure that are excepted from HIPAA 
disclosures, and/or try to align exceptions with those found in 
State privacy statutes.''); CTA at 16; HIA at 2; TechNet at 3 
(arguing the Rule should adopt exemptions that encompass ``actions 
taken to prevent and detect security incidents, to comply with a 
civil, criminal, or regulatory inquiry or investigation, to 
cooperate with law enforcement agencies concerning conduct or 
activity that the data controller reasonably and in good faith 
believes may be illegal, to perform internal operations consistent 
with a consumer's expectations, and to provide a product or service 
that a consumer requested.''); CCIA at 5-6 (arguing the Rule should 
exempt disclosures relating to a host of purposes, including: 
preventing and detecting security incidents and fraud, complying 
with legal process, cooperating with law enforcement, performing 
internal operations consistent with consumer expectations, providing 
a service requested by the consumer, protecting ``the vital 
interests of the consumer,'' or processing data relating to public 
health); Chamber at 7 (arguing if the Commission does amend the 
definition of breach of security, it ``should provide exceptions for 
legitimate and societally beneficial uses of data that other privacy 
laws have for failure to honor opt-in including but not limited to 
network security, prevention and detection of fraud, protection of 
health, network maintenance, and service/product improvement.''); 
LAB at 2.
    \155\ DirectTrust at 1-2.
    \156\ ATA Action at 2.
    \157\ Network for Pub. Health L. and Texas A&M Univ. at 1-2.
---------------------------------------------------------------------------

b. Public Comments Regarding Defining ``Authorization''
    Commenters were divided as to whether the Commission should define 
``authorization.'' Some commenters supported defining ``authorization'' 
to provide greater guidance to companies, to promote transparency, and 
to discourage buried or inconspicuous disclosures relating to health 
information, or approaches to consent that are not meaningful because 
they are confusing or coercive.\158\ To further regulatory consistency, 
some commenters supported adding a definition of ``authorization'' that 
is consistent with how that term is defined in other health-related 
laws, such as under HIPAA \159\ or State health privacy laws that 
define consent or authorization (such as the California Consumer 
Privacy Rights Act \160\ or the Washington My Health, My Data 
Act).\161\
---------------------------------------------------------------------------

    \158\ AHIP at 4; Light Collective at 4; MRO at 2-3; Mozilla at 
4; CARIN Alliance at 10; Consumer Rep.'s at 9; see also PharmedOut 
at 3 (arguing that defining ``authorization'' is crucial but urging 
the Commission go further and place substantive restrictions on what 
companies can do with consumer health data.).
    \159\ AdvaMed at 7 (arguing that any definition of 
``authorization'' or ``affirmative express consent'' should take 
into account the necessity for medical technologies and medical 
technology companies to be able to operate and communicate under 
standards consistent with those governing HIPAA covered entities and 
others in the health care ecosystem. These standards permit certain 
uses and disclosures of individually identifiable health information 
without express consent where necessary for the provision of timely 
and effective health care); MRO at 3; AHIMA at 7-8.
    \160\ AHIOS at 3.
    \161\ Consumer Rep.'s at 9.
---------------------------------------------------------------------------

    By contrast, some commenters opposed defining the term--or opposed 
a requirement under the Rule that entities be required to get 
authorization before disclosing PHR identifiable health 
information.\162\ Commenters argued that Congress had not granted the 
Commission the authority to define ``authorization'' in the Recovery 
Act,\163\ or that doing so would import a substantive consent 
requirement that is outside the scope of the Rule, converting a breach 
notice Rule into an opt-in privacy regime.\164\ Other commenters noted 
that requiring a specifically defined authorization would create an 
inflexible standard that would not evolve with changes in 
technology.\165\ Other commenters opposed a requirement that consumers 
should be required to review terms before agreeing to use a service, 
contending that this would not increase consumer understanding of 
terms.\166\
---------------------------------------------------------------------------

    \162\ HIA at 2 (arguing that ``[r]outine disclosures of data 
should be allowed in certain contexts without additional need for 
authorizations''); CTA at 16-17; AdvaMed at 7-8; ACLA at 6; 
Confidentiality Coal. at 4-5.
    \163\ Confidentiality Coal. at 4-5.
    \164\ CTA at 16-17 (arguing that the Rule does not allow the 
Commission to impose ``substantive consent requirements'' that would 
be burdensome and ``likely not administrable for many companies.'').
    \165\ SIIA at 4.
    \166\ CHI at 7.
---------------------------------------------------------------------------

    Some commenters endorsed other approaches that would exempt from 
any requirement of affirmative express consent certain types of 
disclosures of PHR identifiable health information, such as to service 
providers, data processors, and entities that assist with combatting 
fraud and promoting safety.\167\ Some commenters urged a disclosure be 
deemed authorized if the disclosure is consistent with a company's 
privacy notices or policies or where applicable State privacy laws 
require affirmative consent or provide for the right to opt-out, 
without the need to define affirmative express consent under the 
Rule.\168\ One commenter argued that authorization should be met when a 
consumer agrees to opt-in to certain data sharing, such as by clicking 
a box proximate to a disclosure of material terms.\169\
---------------------------------------------------------------------------

    \167\ FPF at 10 (arguing that ``an organization may share 
information with a service provider operating on their behalf to 
provide storage; may share information to protect the safety or 
vital interests of an individual or react to a public health 
emergency; or to protect themselves against security incidents and 
fraud. In each of these situations, data protection laws typically 
invoke a variety of non-consent measures, including data 
minimization, transparency, notice to the end-user or the regulator, 
and opportunities to object.''); Chamber at 7.
    \168\ Confidentiality Coal. at 4-5; SIIA at 4; CHI at 7.
    \169\ CTA at 17.
---------------------------------------------------------------------------

3. The Commission Adopts the Proposed Changes to the Definition of 
``Breach of Security''
    After carefully considering the public comments, the Commission 
adopts the proposed amendment without change. The final rule definition 
is consistent with the statutory definition in the Recovery Act, the 
Policy Statement,\170\ and recent Commission enforcement actions under 
the Rule. The Commission notes the statutory definition in the Recovery 
Act is sufficiently broad to cover both cybersecurity intrusions as 
well as a company's intentional but unauthorized disclosures of 
consumers' PHR identifiable health information to third party 
companies. In addition, the Commission finds persuasive the comment 
noting the Recovery Act's definition of ``breach of security'' refers 
to the acquisition PHR identifiable health information without the 
authorization of an individual, rather than the authorization of the 
entity holding the data.\171\ The definition is

[[Page 47041]]

also consistent with public comments received by the Commission in 2020 
(when the Commission announced its regular, ten-year review of the Rule 
and requested public comments about potential Rule changes \172\), 
which urged the Commission to clarify what constitutes an unauthorized 
acquisition under the Rule.\173\ Importantly, the amendment to the 
definition of ``breach of security'' in Sec.  318.2 does not depart 
from the 2009 Rule Commentary or the Commission's enforcement policy 
under the Rule. Instead, it further underscores the 2009 Rule 
Commentary and subsequent Commission enforcement actions that 
unauthorized disclosures (i.e., sharing inconsistent with consumer 
expectations) can be a ``breach of security'' that triggers the 
Rule.\174\
---------------------------------------------------------------------------

    \170\ The Commission's Policy Statement makes clear that 
``[i]ncidents of unauthorized access, including sharing of covered 
information without an individual's authorization, triggers 
notification obligations under the Rule,'' and that a breach ``is 
not limited to cybersecurity intrusions or nefarious behavior.'' 
Policy Statement at 2.
    \171\ Consumer Rep.'s at 5 (noting ``the Recovery Act frames 
breaches of security in relation to individuals, rather than to 
vendors of personal health records or PHR related entities,'' and 
defines breach of security as ``acquisition of such information 
without the authorization of the individual.'')
    \172\ 85 FR 31085 (May 22, 2020).
    \173\ See Public Comments in response to May 2020 Request for 
Public Comments in connection with regular, ten-year review of Rule: 
AMA at 5-6 (``The FTC should define `unauthorized access' as 
presumed when entities fail to disclose to individuals how they 
access, use, process, and disclose their data and for how long data 
are retained. Specifically, an entity should disclose to individuals 
exactly what data elements it is collecting and the purpose for 
their collection''; ``[T]he FTC should define `unauthorized access' 
as presumed when an entity fails to disclose to an individual the 
specific secondary recipients of the individual's data.''); AMIA at 
2 (recommending the FTC ``[e]xpand on the concept of `unauthorized 
access' under the definition of `Breach of security,' to be presumed 
when a PHR or PHR related entity fails to adequately disclose to 
individuals how user data is accessed, processed, used, reused, and 
disclosed.''); OAG-CA at 5-6 (urging the FTC to include 
``impermissible acquisition, access, use, disclosure'' under the 
definition of breach.). These comments can be found at https://www.regulations.gov/docket/FTC-2020-0045.
    \174\ The 2009 Rule Commentary noted other examples illustrating 
that unauthorized sharing or transferring of information constitutes 
a breach of security, including that the unauthorized downloading or 
transfer of information by an employee can constitute a breach of 
security; that inadvertent access by an unauthorized employee 
reading or sharing information triggers the Rule's notification 
obligations; and notes that given the highly personal nature of 
health information, ``the Commission believes that consumers would 
want to know if such information was read or shared without 
authorization.'' See 74 FR 42966-67.
---------------------------------------------------------------------------

    The Commission declines to adopt any specific exemptions or safe 
harbors to the definition of breach of security. Unlike the section of 
the Recovery Act that governs breach notifications under HIPAA,\175\ 
Congress did not provide for any specific, enumerated exemptions for 
breaches under the Commission's Rule. Moreover, the Commission's Rule 
provides for a rebuttable presumption for certain types of access: when 
there is unauthorized access to data, unauthorized acquisition will be 
presumed unless the entity that experienced the breach ``has reliable 
evidence showing that there has not been, or could not reasonably have 
been, unauthorized acquisition of such information.'' That is, 
companies can rebut the presumption of acquisition in instances of 
unauthorized access by providing reliable evidence disproving 
acquisition. The Commission has previously offered guidance on what 
counts as unauthorized access and reiterates that guidance here.\176\
---------------------------------------------------------------------------

    \175\ 42 U.S.C. 17921; see also U.S. Dep't of Health & Human 
Servs., Breach Notification (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html. Under the 
Recovery Act's definition of ``breach of security'' for the Rule 
governing HIPAA-covered entities and business associates, the 
statute explicitly provides for three exceptions: (1) unintentional 
acquisition, access, or use of protected health information by a 
workforce member or person acting under the authority of a covered 
entity or business associate, if such acquisition, access, or use 
was made in good faith and within the scope of authority; (2) the 
inadvertent disclosure of protected health information by a person 
authorized to access protected health information at a covered 
entity or business associate to another person authorized to access 
protected health information at the covered entity or business 
associate, or organized health care arrangement in which the covered 
entity participates; and (3) if the covered entity or business 
associate has a good faith belief that the unauthorized person to 
whom the impermissible disclosure was made, would not have been able 
to retain the information. See 45 CFR 164.400 through 164.414. In 
the first two cases, the information cannot be further used or 
disclosed in a manner not permitted by the Privacy Rule. These 
exceptions are not found in the provisions of the Recovery Act 
authorizing the FTC's Health Breach Notification Rule; this makes 
sense, given there is no analogous Privacy Rule, Security Rule, or 
required Business Associate agreements outside the HIPAA sphere 
governing entities covered by the FTC's Health Breach Notification 
Rule.
    \176\ The Rule continues to provide that, when there is 
unauthorized access to data, unauthorized acquisition will be 
presumed unless the entity that experienced the breach ``has 
reliable evidence showing that there has not been, or could not 
reasonably have been, unauthorized acquisition of such 
information.'' As noted in the 2009 Rule Commentary, the presumption 
was intended to address the difficulty of determining whether access 
to data (i.e., the opportunity to view the data) did or did not lead 
to acquisition (i.e., the actual viewing or reading of the data). In 
these situations, the Commission stated that the entity that 
experienced the breach is in the best position to determine whether 
unauthorized acquisition has taken place. In describing the 
rebuttable presumption, the Commission provided several examples. It 
noted that no breach of security has occurred if an unauthorized 
employee inadvertently accesses an individual's PHR and logs off 
without reading, using, or disclosing anything. If the unauthorized 
employee read the data and/or shared it, however, he or she 
``acquired'' the information, thus triggering the notification 
obligation in the Rule. Similarly, the Commission provided an 
example of a lost laptop: If an entity's employee loses a laptop in 
a public place, the information would be accessible to unauthorized 
persons, giving rise to a presumption that unauthorized acquisition 
has occurred. The entity can rebut this presumption by showing, for 
example, that the laptop was recovered, and that forensic analysis 
revealed that files were never opened, altered, transferred, or 
otherwise compromised. See 74 FR 42966.
---------------------------------------------------------------------------

4. The Commission Affirms Its Proposal Not To Define ``Authorization''
    After carefully considering the public comments, the Commission 
declines to define ``authorization,'' as that term appears in Sec.  
318.2's definition of ``breach of security.'' The Commission finds 
persuasive the public comments suggesting that imposing an affirmative 
express consent requirement would not be appropriate or warranted in 
all cases.
    The Commission believes whether a disclosure is authorized under 
the Rule is a fact-specific inquiry that will depend on the context of 
the interactions between the consumer and the company; the nature, 
recipients, and purposes of those disclosures; the company's 
representations to consumers; and other applicable laws. The Commission 
reiterates the 2009 Rule Commentary, which states a use of data is 
``authorized'' only where it is consistent with a company's disclosures 
and consumers' reasonable expectations and where there is meaningful 
choice in consenting to sharing--buried disclosures do not 
suffice.\177\
---------------------------------------------------------------------------

    \177\ The 2009 Rule Commentary states: ``[g]iven the highly 
personal nature of health information, the Commission believes that 
consumers would want to know if such information was read or shared 
without authorization.'' It further states that data sharing to 
enhance consumers' experience with a PHR is authorized only ``as 
long as such use is consistent with the entity's disclosures and 
individuals' reasonable expectations'' and that ``[b]eyond such 
uses, the Commission expects that vendors of personal health records 
and PHR related entities would limit the sharing of consumers' 
information, unless the consumers exercise meaningful choice in 
consenting to such sharing. Buried disclosures in lengthy privacy 
policies do not satisfy the standard of `meaningful choice.' '' 74 
FR 42967.
---------------------------------------------------------------------------

    The Commission's recent enforcement actions alleging violations of 
the Rule against GoodRx and Easy Healthcare further highlight that 
disclosures of PHR identifiable health information inconsistent with a 
company's privacy promises constitute an unauthorized disclosure. These 
recent Commission orders also make clear that the use of ``dark 
patterns,'' which have the effect of manipulating or deceiving 
consumers, including through use of user interfaces designed with the 
substantial effect of subverting or impairing user autonomy and 
decision-making, undercut an entity's assertion that consumers 
exercised ``meaningful choice.''
    In response to public comments seeking more guidance on what 
constitutes an unauthorized disclosure under the Rule,\178\ the 
Commission

[[Page 47042]]

offers the following, non-exhaustive examples relating to 
authorization:
---------------------------------------------------------------------------

    \178\ TechNet at 4; Tranquil Data at 4.
---------------------------------------------------------------------------

     Example 1--Unauthorized Disclosure (Affirmative 
Misrepresentation): A medication app offers a personal health record 
(not covered by HIPAA) which allows users to track information about 
their prescription medication history, such as prescription names, 
dosages, pharmacy and refill information, and the user's health 
conditions. The app voluntarily discloses PHR identifiable health 
information to third party companies for advertising and advertising-
related analytics, in violation of the app's privacy representations to 
its users. The third parties that receive the PHR identifiable health 
information are able to use the information for their own business 
purposes, such as to improve the third party's own products and 
services, to infer information about consumers, or to compile profiles 
about consumers to use for targeted advertising. These disclosures are 
not authorized under the Rule because they are inconsistent with 
consumer expectations--the disclosures violate the app's privacy 
representations, and consumers would also not expect their PHR 
identifiable health information (which they input into the app to track 
their medications and health conditions) would be disclosed to, and 
used by, third party companies that use the data for their own economic 
benefit.
     By contrast, disclosures of PHR identifiable health 
information by the app in Example 1 would be authorized if made to 
service providers in the following circumstances: (1) the service 
providers assist with functions that are necessary to the operation and 
functioning of the medication app, or with services the consumer 
requested; (2) the service providers are contractually prohibited from 
using, sharing, or disclosing the PHR identifiable health information 
for any purpose beyond providing services to the medication app; and 
(3) the medication app's privacy notice clearly and conspicuously 
discloses the specific purposes for which it shares users' PHR 
identifiable health information with these service providers. Such 
authorized disclosures could include those to cloud storage providers 
that host user data in the health record in a secure fashion; payment 
processors who process user payments to the app; vendors that 
facilitate refill reminders or other communications from the app 
developer that directly relate to the provision of the personal health 
record or services the consumer requested; analytics providers that 
assist with tracking analytics relating to the app's functionality; 
\179\ or companies that help to detect, prevent, or mitigate fraud or 
security vulnerabilities. Such disclosures are authorized because they 
are consistent with consumer expectations. Importantly, this sharing is 
disclosed to consumers in a clear and conspicuous manner, and is 
essential, and limited to, sharing the PHR identifiable health 
information with service providers solely to provide users with a safe 
and reliable personal health record experience.
---------------------------------------------------------------------------

    \179\ This would include an analytics provider whose services 
are essential to the proper functioning of the app and not tied to 
marketing or advertising--this includes analytics tools to assist 
with crash reporting or to assess usage patterns (such as the 
frequency of use of certain features).
---------------------------------------------------------------------------

     Example 2--Unauthorized Disclosure (Deceptive Omission). 
The medication app from Example 1 shares PHR identifiable health 
information with a third party for purposes of targeting consumers with 
ads. The app does not disclose the sharing and also fails to obtain 
affirmative express consent from users whose information it shares. The 
third party company can use the PHR identifiable health information to 
market and advertise--on behalf of the medication app, on behalf of 
other companies, or on behalf of itself. It can also use the 
information to improve its own products and services. Such disclosures 
are not authorized because they are not consistent with consumer 
expectations (i.e., without disclosure and without affirmative express 
consent, consumers would not expect that their PHR identifiable health 
information would be shared, sold, or otherwise exploited for a purpose 
other than providing the user with a personal health record, and are 
neither essential nor limited to sharing the PHR identifiable health 
information solely to provide users with a safe and reliable personal 
health record experience). This conclusion is also consistent with 
Commission enforcement actions relating to the sharing of health 
information (e.g., GoodRx and Easy Healthcare), and those relating to 
the sharing of other types of sensitive information.\180\
---------------------------------------------------------------------------

    \180\ Fed. Trade Comm'n et al. v. Vizio, Inc. et al., No. 17-cv-
00758 (D.N.J. 2017), https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc.
---------------------------------------------------------------------------

     Example 3--Authorized Disclosure (Public Health 
Reporting): A COVID-19 contact tracing app not covered by HIPAA allows 
users to self-report their COVID-19 diagnosis, and to notify the user's 
contacts of their diagnosis, or others with whom the individual may 
have come into physical contact. PHR identifiable health information 
about the individual's COVID-19 diagnosis is transmitted to public 
health authorities for public health-related purposes, such as public 
health reporting and analysis or to track areas where the virus is 
spreading the most rapidly. The contact tracing app discloses to users 
clearly and conspicuously the specific purposes for which it shares 
their PHR identifiable health information with public health 
authorities. These disclosures are authorized, and consistent with 
consumer expectations, because they are consistent with the company's 
relationship with the consumer (a PHR that allows a user to report 
their COVID-19 diagnosis in order to notify others) and are also 
appropriately disclosed.
    Examples 1 and 3 provide guidance about scenarios in which limited 
disclosures of PHR identifiable health information are permitted 
without opt-in consent because it is necessary to provide a personal 
health record to a consumer, is consistent with consumer expectations, 
the sharing is disclosed to consumers, and (in the case of Example 1) 
the sharing is subject to protections like service provider agreements 
that limit the use of the data only for the purpose of providing that 
service to the consumer. Examples 1 and 3 are also consistent with 
HIPAA and State health privacy laws.\181\ For instance, HIPAA permits 
disclosures for treatment, payment, and operations without patient 
authorization.
---------------------------------------------------------------------------

    \181\ For example, Washington State's My Health, My Data Act 
permits sharing consumer health data to the ``extent necessary to 
provide a product or service that the consumer to whom such consumer 
health data relates has requested from such regulated entity or 
small business.'' See Revised Code of Washington (RCW) 19.373.030 
(1)(b)(ii).
---------------------------------------------------------------------------

    The Commission notes ``breach of security'' could cover more than 
just an unauthorized disclosure to a third party. For example, 
depending on the facts and scope of the authorizations, such as in the 
company's promises and disclosures to consumers, a ``breach of 
security'' could include unauthorized uses. There may be a ``breach of 
security'' where an entity exceeds authorized access to use PHR 
identifiable health information, such as where it obtains the data for 
one legitimate purpose, but later uses that data for a secondary 
purpose that was not originally authorized by the individual.
    Finally, the Commission notes unauthorized access or use of derived 
PHR identifiable health information may also constitute a breach of 
security. The Commission noted in its 2023 NPRM that PHR identifiable 
health information includes ``health

[[Page 47043]]

information derived from consumers' interactions with apps and other 
online services (such as health information generated from tracking 
technologies employed on websites or mobile applications or from 
customized records of website or mobile application interactions), as 
well as emergent health data (such as health information inferred from 
non-health-related data points, such as location and recent 
purchases).'' \182\
---------------------------------------------------------------------------

    \182\ 88 FR 37823.
---------------------------------------------------------------------------

D. Clarification of What Constitutes a ``PHR Related Entity''

1. The Commission's Proposal Regarding ``PHR Related Entity''
    The NPRM proposed to revise the definition of ``PHR related 
entity'' in two ways. Consistent with its clarification that the Rule 
applies to health apps, the Commission proposed amending the definition 
of ``PHR related entity'' to make clear the Rule covers entities that 
offer products and services through the online services, including 
mobile applications, of vendors of personal health records. In 
addition, the Commission proposed revising the definition of ``PHR 
related entity'' to provide that entities that access or send unsecured 
PHR identifiable health information to a personal health record--rather 
than entities that access or send any information to a personal health 
record--are PHR related entities.
    The Commission explained the first change (to cover online 
services) was necessary as websites are no longer the only means 
through which consumers access health information online. The 
Commission explained the second change--narrowing the scope of ``PHR 
related entities'' to entities that access or send unsecured PHR 
identifiable health information--was intended to eliminate potential 
confusion about the Rule's breadth and promote compliance by narrowing 
the scope of entities that qualify as PHR related entities.\183\ The 
Commission identified remote blood pressure cuffs, connected blood 
glucose monitors, and fitness trackers as examples of internet-
connected devices that could qualify as a PHR related entity when 
individuals sync them with a personal health record (e.g., a health 
app).\184\ The Commission explained, however, that a grocery delivery 
service that sends information about food purchases to a diet and 
fitness app would not be a PHR related entity if it does not access 
unsecured PHR identifiable health information in a personal health 
record or send unsecured PHR identifiable health information to a 
personal health record.
---------------------------------------------------------------------------

    \183\ The proposed definition stated that a PHR related entity 
is an entity, other than a HIPAA-covered entity or an entity to the 
extent that it engages in activities as a business associate of a 
HIPAA-covered entity, that (1) offers products or services through 
the website, including any online service, of a vendor of personal 
health records; (2) offers products or services through the 
websites, including any online services, of HIPAA-covered entities 
that offer individuals personal health records; or (3) accesses 
unsecured PHR identifiable health information in a personal health 
record or sends unsecured PHR identifiable health information to a 
personal health record. Although the Rule is only triggered when 
there is a breach of security involving unsecured PHR identifiable 
health information, the Commission explained it believed there is a 
benefit to revising the third prong of PHR related entity to make 
clear that only entities that access or send unsecured PHR 
identifiable health information to a personal health record--rather 
than entities that access or send any information to a personal 
health record--are PHR related entities. Otherwise, many entities 
could be a PHR related entity under the definition's third prong and 
such entities would then, in the event of a breach, need to analyze 
whether they experienced a reportable breach under the Rule. If an 
entity, per the proposed revision, does not qualify as a PHR related 
entity in the first place, there would be no need to consider 
whether it experienced a reportable breach. 88 FR 37825 n.54.
    \184\ The Commission explained, for example, the maker of a 
wearable fitness tracker may be both a vendor of personal health 
records (to the extent that its tracker interfaces with its own app, 
which also accepts consumer inputs) and a PHR related entity (to the 
extent that it sends information to another company's health app). 
The Commission noted that regardless of whether the maker of the 
fitness tracker is a vendor of personal health records or a PHR 
related entity, its notice obligations are the same: it must notify 
individuals, the FTC, and in some case, the media, of a breach. 16 
CFR 318.3(a), 318.5(b). 88 FR 37825 n.55.
---------------------------------------------------------------------------

    The proposed Rule also revised Sec.  318.3(b) by adding language 
establishing that a third party service provider is not rendered a PHR 
related entity when it accesses unsecured PHR identifiable health 
information in the course of providing services. The Commission 
explained it did not intend for any entity (such as a firm performing 
attribution and analytics services for a health app) to be considered 
both a PHR related entity (to the extent it accesses unsecured PHR 
identifiable health information in a personal health record) and a 
third party service provider, which could create competing notice 
obligations and confuse consumers with notice from an unfamiliar 
company. The Commission explained it considers such firms to be third 
party service providers that must notify the health app developers for 
whom they provide services, who in turn would notify affected 
individuals.
    The Commission explained that distinguishing between third party 
service providers and PHR related entities would create incentives for 
responsible data stewardship and for de-identification because a firm 
would only become an entity covered by the Rule in relation to 
unsecured PHR identifiable health information. To the extent that firms 
must deal with unsecured PHR identifiable health information, PHR 
vendors would have incentives to select and retain service providers 
capable of treating data responsibly (e.g., by not engaging in any 
onward disclosures of data that could result in a reportable breach) 
and incentives to oversee their service providers to ensure ongoing 
responsible data stewardship (which would avoid a breach).
    The Commission observed in most cases, third party service 
providers are likely to be non-consumer facing. The Commission noted 
examples of PHR related entities would include, as noted above, makers 
of fitness trackers and health monitors when consumers sync their 
devices with a mobile health app. The Commission noted further examples 
of third party service providers would include entities that provide 
support or administrative functions to vendors of personal health 
records and PHR related entities.
2. Public Comments Regarding ``PHR Related Entity''
    The Commission received numerous public comments about the changes 
to the definition of PHR related entity. Most commenters supported the 
Commission's approach.\185\ One commenter, an industry association for 
advertisers, noted that addition of the term ``unsecured'' in the 
definition of ``PHR related entity'' created a limitation on the 
definition's scope that counterbalances the breadth of including ``any 
online service'' in the definition.\186\ Moreover, this commenter 
noted, the addition of ``unsecured'' creates appropriate incentives for 
firms to secure PHR identifiable health information and to choose 
partners who will be good data stewards.\187\ This commenter noted that 
limiting the definition to ``unsecured'' PHR identifiable health 
information was consistent with the original intent of the Rule, to 
cover only the most sensitive types of data not covered by HIPAA.\188\
---------------------------------------------------------------------------

    \185\ ANI at 1; AAFP at 3; AHIMA at 3; AHIOS at 4; AOA at 3; 
CARIN Alliance at 3; CDT at 12; CHIME at 3; Confidentiality Coal. at 
6; Consumer Rep.'s at 6; CHI at 5; DirectTrust at 4; EFF at 2; EPIC 
at 7.
    \186\ NAI at 4-5.
    \187\ Id. at 5.
    \188\ Id. at 4.
---------------------------------------------------------------------------

    A few commenters proposed changes to the definition of ``third 
party service provider'' to further distinguish the term from ``PHR 
related entity.'' One commenter recommended defining ``third party 
service provider'' as an

[[Page 47044]]

entity that only processes data.\189\ This commenter argued the 
Commission could then impose liability on service providers for further 
use, sale, disclosure for incompatible purposes.\190\ Another commenter 
recommended aligning the definition of ``third party service provider'' 
with the definition of ``business associate'' under HIPAA.\191\
---------------------------------------------------------------------------

    \189\ FPF at 10.
    \190\ Id.
    \191\ AdvaMed at 8.
---------------------------------------------------------------------------

    Some commenters raised concerns that the Commission's approach did 
not provide sufficient clarity for companies trying to understand their 
obligations as either a third party service provider or PHR related 
entity.\192\ Some commenters requested more examples of types of firms 
falling within each definition (e.g., examples clearly establishing the 
status of health data brokers, health marketing firms, search engines, 
email providers, cloud storage providers) \193\--to facilitate 
compliance,\194\ avoid overlapping notice requirements \195\ and to 
prevent a loophole through which firms may attempt to avoid obtaining 
consumers' authorization for data disclosures and to avoid providing 
breach notifications.\196\ One commenter urged the Commission to exempt 
from the definition of ``PHR related entity'' any firm that complies 
with the privacy and data security requirements of HIPAA.\197\
---------------------------------------------------------------------------

    \192\ SIIA at 3; CARIN Alliance at 4.
    \193\ AHIMA at 3-4; AMIA at 3-4; CHI at 5; Direct Trust at 1; 
Light Collective at 4-5.
    \194\ SCRS at 1.
    \195\ NAI at 5.
    \196\ MRO at 3.
    \197\ AdvaMed at 5.
---------------------------------------------------------------------------

    In response to the Commission's request for comment on whether an 
analytics firm would be a third party service provider, many commenters 
responded that an analytics firm should fall within that definition 
\198\ for the reasons the Commission articulated: It would be confusing 
to consumers to receive a notice from a back-end service provider 
rather than the firm with whom the consumer has the relationship, and 
categorizing analytics firms (and firms that provide other services) as 
service providers will create incentives for PHR vendors and PHR 
related entities to choose their service providers with care. A few 
commenters, however, expressed concern about covering advertising, 
analytics, and cloud firms--and health information service providers 
(``HISPs'') more generally--as they are unable to determine whether the 
data they receive contains unsecured PHR identifiable health 
information; only the vendor of the PHR knows what their data 
transmissions contain.\199\ One commenter urged the Commission to 
address the data recipient's unawareness of the content of the data by 
creating a safe harbor that exempts advertising, analytics and cloud 
providers that contractually limit their customers, vendors, or 
partners from sharing health information with them.\200\
---------------------------------------------------------------------------

    \198\ NAI at 5; TMA at 3; Consumer Rep.'s at 11.
    \199\ CCIA at 7-8; CTA at 9-10; SIIA at 3; Direct Trust at 5.
    \200\ CTA at 13.
---------------------------------------------------------------------------

3. The Commission Adopts the Proposed Changes to ``PHR Related Entity''
    After considering the comments received, the Commission adopts the 
proposed changes regarding ``PHR related entity'' without further 
change. The Commission affirms that (1) PHR related entities include 
entities offering products and services not only through the websites 
of vendors of personal health records, but also through any online 
service, including mobile applications; (2) PHR related entities 
encompass only entities that access or send unsecured PHR identifiable 
health information to a personal health record; and (3) while some 
third party service providers may access unsecured PHR identifiable 
health information in the course of providing services, this does not 
render the third party service provider a PHR related entity.
    In response to commenters who expressed concern that certain data 
recipients will not be able to understand their obligations under the 
Rule because they are unaware of the content of the data transmissions 
they receive, the Commission highlights Sec.  318.3(b), which states: 
``For purposes of ensuring implementation of this requirement, vendors 
of personal health records and PHR related entities shall notify third 
party service providers of their status as vendors of personal health 
records or PHR related entities subject to this Part.'' This 
requirement puts data recipients on notice about the potential content 
of the data transmissions they receive.
    Firms may also facilitate compliance by stipulating by contract 
whether transmissions of data will contain unsecured PHR identifiable 
health information. Both the sender and recipient of the data can 
monitor for compliance with those contractual agreements through the 
use of automated tools, internal auditing, external auditing, or other 
mechanisms, as appropriate to the size and sophistication of the firms 
and the sensitivity of the data. For example, a large advertising 
platform that has routinely received unsecured PHR identifiable health 
information, notwithstanding partners' promises not to send this 
information, may have different obligations to monitor the data it 
receives than small firms that do not engage in high-risk activities 
where the contract precludes sending such data and there is no history 
of such transmissions.
    The Commission believes this approach--notice to service providers 
pursuant to Sec.  318.3(b) coupled with contracts and oversight--is 
more appropriate than creating a safe harbor in the Rule that exempts 
firms that enter into contracts, as there is evidence from FTC cases 
that firms do not always abide by contractual obligations to safeguard 
data.\201\
---------------------------------------------------------------------------

    \201\ Compl. at ] 21, In the Matter of Flo Health, Inc., FTC 
File No. 1923133 (Jan. 13, 2021), https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc; Compl. at ] 14(d), 
In the Matter of UPromise, Inc., FTC File No. 1023116 (Mar. 27, 
2012), https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc; Cf. Compl. at ] 40, U.S. v. Easy 
Healthcare Corporation, No. 1:23-cv-3107 (N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v (alleging that the defendant's 
disclosures of consumers' health information violated the policies 
of platforms to which it had agreed).
---------------------------------------------------------------------------

    The Commission declines to change the definition of ``third party 
service provider'' to distinguish it further from a ``PHR related 
entity,'' for two reasons. First, the Commission notes the current 
definitions of ``third party service provider'' and ``PHR related 
entity'' align closely with the language prescribed by section 13407 
and section 13424(b)(1)(A) of the Recovery Act. Jettisoning the current 
language entirely, as some commenters suggested, would not be 
consistent with the Recovery Act's requirements. Second, the Commission 
believes the current language, in conjunction with the examples 
provided below, will provide sufficient guidance to the market as to 
which types of firms fit within each definition.
    In response to comments that requested examples of the types of 
firms that fall into the category of ``third party service provider'' 
or ``PHR related entity,'' the Commission provides the following 
examples. The Commission believes these examples, in conjunction with 
the language in Sec.  318.3(b), will provide sufficient clarity about 
the obligations of third party service providers and PHR related 
entities to promote compliance, avoid overlapping notice, and prevent 
loopholes.

[[Page 47045]]

     Example 1: Four separate firms provide data security, 
cloud computing, advertising and analytics services to a health app (a 
personal health record), as specified by their service provider 
contracts, for the health app vendor's benefit. To perform the services 
specified in their respective contracts, the firms access unsecured PHR 
identifiable health information. The firms are ``third party service 
providers'' of the vendor of the personal health record (the maker of 
the health app) because they provide services to a vendor of a personal 
health record (the maker of the health app) in connection with the 
offering or maintenance of the app, and they access unsecured PHR 
identifiable health information as a result of these services. In the 
event of a breach, they should abide by their obligations as third 
party service providers.
     Example 2: An analytics firm provides analytics services 
to a health app (a personal health record). The analytics firm and 
health app vendor do not have a customized service provider contract, 
although the health app vendor agrees to the analytics firm's standard 
terms of service. The analytics firm accesses unsecured PHR 
identifiable health information (device identifier and whether the 
consumer has paid for therapy). The analytics firm uses that data both 
to provide analytics services to the health app and for its own 
benefit, for research and development and product improvement. The 
analytics firm is a third party service provider to the extent that it 
provides analytics services to the health app for the health app's 
benefit because it is then providing services to a vendor of a PHR in 
connection with the offering of the PHR and accessing unsecured PHR 
identifiable health information as a result of such services. However, 
the analytics firm is a PHR related entity, rather than a third party 
service provider, to the extent that it offers its services through the 
health app for its own purposes (i.e., for research and development and 
product improvement) rather than to provide the services. In the event 
of a breach, the analytics firm must fulfill its notification 
obligations under the Rule according to which function it was 
performing in connection with the breach. If the functions are 
indistinguishable, then, pursuant to Sec.  318.3(b), the Commission 
will consider the firm a third party service provider for policy 
reasons: a firm that functions, at least in part, as a service provider 
may not be consumer-facing, such that the consumer may be surprised by 
a breach notification from that entity. As a policy matter, it is 
better for the consumer to receive notice from the health app with whom 
the consumer directly interacts.
     Example 3: A health tracking website (a personal health 
record) integrates a search bar branded with its maker's logo, which 
enables its maker (a search engine firm) to offer its services through 
the website. The search engine firm is a PHR related entity because it 
offers its services through the website, which is a personal health 
record. The search bar branded with its maker's logo is consumer-
facing, so the consumer would not be surprised to receive a notice from 
that company if it experiences a reportable breach. By contrast, if the 
health tracking website had contracted with the search engine firm to 
provide back-end search services to the website (rather than offering 
its own branded product or service through the website), and the search 
engine firm had accessed unsecured PHR identifiable health information 
as a result of such services, it would be a third party service 
provider. In the event of a breach, it should abide by its obligations 
as a third party service provider.
     Example 4: Digital readings from a fitness tracker offered 
by Company A can be integrated into a sleep app offered by Company B 
(in which the consumer may input other health information). Company A 
is a PHR related entity to the extent that it offers its fitness 
tracker product through an online service (Company B's sleep app), and 
to the extent that it sends unsecured PHR identifiable health 
information (fitness tracker readings) to a personal health record (the 
sleep app).

E. Facilitating Greater Opportunity for Electronic Notice

1. The Commission's Proposal Regarding Electronic Notice
    The Commission proposed to authorize expanded use of email and 
other electronic means of providing clear and effective notice of a 
breach to consumers. In furtherance of this objective, the Commission 
proposed to update Sec.  318.5 to specify that vendors of personal 
health records or PHR related entities that discover a breach of 
security must provide written notice at the last known contact 
information of the individual. Such written notice may be sent by 
electronic mail, if an individual has specified electronic mail as the 
primary contact method, or by first-class mail. The Commission proposed 
defining ``electronic mail'' in Sec.  318.2 to mean email in 
combination with one or more of the following: text message, within-
application messaging, or electronic banner. The Commission further 
specified that any notification delivered via electronic mail should be 
clear and conspicuous, and the proposed Rule defined ``clear and 
conspicuous.'' To assist entities that are required to provide notice 
to individuals under the Rule, the Commission developed a model notice 
for entities to use to notify individuals.\202\
---------------------------------------------------------------------------

    \202\ This model notice was attached as appendix A to the NPRM. 
88 FR 37837.
---------------------------------------------------------------------------

2. Public Comments Regarding Electronic Notice
    Nearly every comment submitted on this proposed change supported 
the Commission's efforts to update the Rule to allow for greater 
electronic notice.\203\ One commenter noted electronic notices increase 
the likelihood that individuals will receive the notice, may reduce the 
time it takes for individuals to receive notice, and reduce the burden 
on entities providing notice.\204\ Many commenters also supported the 
Commission's efforts to provide notice via more than one channel 
through the new definition of ``electronic mail.'' \205\
---------------------------------------------------------------------------

    \203\ AHIP at 5; AAFP at 3; AHIMA at 5; AHIOS at 3; Anonymous 3 
at 1; Anonymous 10 at 1; Beth Barnett; CARIN Alliance at 7; CHI at 
5-6; CHIME at 4; Consumer Reports at 8-9; CTA at 21; EPIC at 10; 
HIMSS at 4; George Mathew at 1; MRO at 3; NAI at 7; Dharini 
Padmanabhan at 1; Nancy Piwowar at 1. One commenter also stated 
while there are clear advantages to allowing increased use of 
electronic notification of data breaches, this notification method 
could also increase the likelihood that breaches escape public 
scrutiny. Identity Theft Res. Ctr. (``ITRC'') at 2.
    \204\ AdvaMed at 5.
    \205\ AAFP at 3; AHIMA at 5; Anonymous 3 at 1; CARIN Alliance at 
7; CHIME at 4; CCIA at 7; EPIC at 10; NAI at 7.
---------------------------------------------------------------------------

    However, not all commenters agreed with the Commission's proposal 
and some commenters offered other suggestions. Some objected to 
defining ``electronic mail'' to mean anything more than ``email,'' 
stating that electronic mail is commonly understood to mean email and 
nothing else.\206\ A few commenters noted that defining multiple forms 
of electronic notice could result in entities collecting more 
information than necessary (and consumers having to provide more 
information than needed) in order to comply with the Rule.\207\ Others 
preferred a single notice, arguing that multiple forms of notice is 
burdensome

[[Page 47046]]

and could result in over-notification, confusion, and notice fatigue 
among consumers.\208\ One commenter stated the Commission should revise 
the definition of ``electronic mail'' to mean ``one or more of the 
following that is reasonable and appropriate based on the relationship 
between the individual and the relevant vendor of personal health 
records or PHR related entity: email, text message, within-application 
messaging, or electronic banner.'' \209\ Another commenter encouraged 
the FTC to clarify the in-app messaging method must include push 
notifications in the event of a breach so consumers are made aware of a 
breach as soon as possible.\210\ One commenter urged the Commission to 
specify in Sec.  318.5(i) that a banner notice in the affected app or a 
website home page notice must be posted for a period of 90 days.\211\ 
Another commenter noted that the different mechanisms listed in the 
proposed rule are not equivalent--this commenter noted that some are 
push notifications that a consumer is likely to see without directly 
interacting with the application, website, or device and some require 
consumer interaction with the application, website, or device in order 
to see the notification.\212\ This commenter recommended that the 
requirement be selection of one push notification but that additional 
options like in-app notifications and website banners be supported as 
additional, secondary notice options.\213\ One commenter stated the FTC 
may want to consider adding a provision allowing an individual to 
request a copy of the notice in other accessible formats, such as for 
hearing- or vision-impaired people, or in a non-English language.\214\ 
Another commenter argued the Commission should take into consideration 
TCPA and CAN-SPAM compliance regarding the delivery of electronic 
notification. Another commenter stated the Commission's proposal to 
require two contact methods imposes a higher requirement than HIPAA and 
State breach notification laws.\215\
---------------------------------------------------------------------------

    \206\ ACLA at 5; Mass. Health Data Forum (``MHDF'') at 9.
    \207\ Consumer Rep.'s at 7-8; CTA at 22. Consumer Reports 
further suggested the Commission clarify that substitute notice may 
be effectuated under the Rule via text message, in-app messaging, or 
electronic banners for consumers that do not wish to share a mailing 
or email address. Consumer Rep.'s at 8.
    \208\ AdvaMed at 6; ACLA at 5; AHIP at 5; CTA at 21-22;
    \209\ AdvaMed at 6.
    \210\ AHIMA at 5.
    \211\ TechNet at 5.
    \212\ MHDF at 10.
    \213\ Id.
    \214\ AHIP at 5.
    \215\ CHI at 6.
---------------------------------------------------------------------------

    Many commenters endorsed the Commission's proposal that any 
notification delivered via electronic mail should be ``clear and 
conspicuous,'' a newly defined term in the Rule.\216\ One commenter 
stated that consistent with FTC's desire for entities to provide a 
clear and conspicuous notice, the Commission should consider requiring 
an email subject line that starts with ``Breach of Your Health 
Information'' so that attention is appropriately drawn to the 
importance of the message content.\217\ One commenter disagreed with 
the new definition, arguing that the definition is unnecessary and 
confusing, and urged the Commission to insert the ``clear and 
conspicuous'' definition directly into Sec.  318.5 of the Rule.\218\
---------------------------------------------------------------------------

    \216\ AMA at 5; CHIME at 5; EPIC at 9.
    \217\ TMA at 4.
    \218\ NAI at 7.
---------------------------------------------------------------------------

    Regarding the model notice, nearly all who commented on this topic 
urged the Commission to make the model notice voluntary.\219\ One 
commenter suggested that using the model should be a safe harbor that 
shields entities from enforcement.\220\
---------------------------------------------------------------------------

    \219\ AdvaMed at 6; AHIP at 6; AMA at 6; CCIA at 7; CHI at 6; 
Consumer Rep.'s at 8-9; NAI at 7-8. One commenter stated that making 
the model notice mandatory can lead to industry consistency and it 
may be easier for consumers to understand the message and the 
contents if they are familiar with a uniform, standardized notice. 
AHIMA at 5. While the Commission generally agrees that uniform, 
consistent notices assist with consumer comprehension, the 
Commission declines to make the model notice compulsory because the 
facts and circumstances of each breach will vary. Plus, Sec.  318.6 
sets forth certain required elements of the content of the notice, 
so the presence of these elements in all breach notices achieves 
some degree of consistency across notices.
    \220\ AHIP at 6.
---------------------------------------------------------------------------

3. The Commission Adopts the Proposed Changes Regarding Electronic 
Notice
    The Commission adopts without change the modifications regarding 
Sec.  318.5 involving electronic notice and adopts without change the 
definition of ``electronic mail'' in Sec.  318.2. The Commission 
declines to make the other changes commenters requested. First, the 
Commission believes it is critical, especially given how consumers are 
accessing information today, to modernize the methods of notice to 
facilitate greater opportunities for electronic notice. The Commission 
believes the changes to Sec.  318.5 and the new definition of 
``electronic mail'' \221\ in Sec.  318.2 accomplish this objective.
---------------------------------------------------------------------------

    \221\ The Commission disagrees with the commenters who urged the 
Commission to avoid defining ``electronic mail'' to mean anything 
more than ``email.'' ACLA at 5; MHDF at 9. The definition in Sec.  
318.2 is clear and unambiguous. Plus, section 13402(e)(1) of the 
Recovery Act requires that notification be provided via ``written 
notification by first-class mail'' or ``electronic mail.'' 
Accordingly, the Commission must use ``electronic mail.''
---------------------------------------------------------------------------

    In response to concerns raised about the two-part electronic 
notice, the Commission agrees with commenters who stated it increases 
the likelihood that individuals will encounter such notices.\222\ The 
Commission does not agree that it is burdensome for entities to comply 
with this requirement. For example, an entity who complies with the 
notice requirement by notifying consumers via email plus posting a 
website notice likely would not need to expend significant additional 
time and resources by issuing the second part of the notice (i.e., the 
website notice), and any ``cost'' of posting such a notice is 
outweighed by the benefit to consumers of learning of a breach 
involving their health information. The Commission also is not 
persuaded that consumers who, for example, receive an email about a 
breach coupled with an in-app notice about the same breach will be 
confused. The Commission believes consumers will understand that such 
notices relate to the same incident, especially given the Rule's 
requirement that the notices be ``clear and conspicuous.'' The 
Commission also does not find it problematic that the Rule requires 
notice effectuated via ``electronic mail'' to occur via two methods 
while other breach notice laws require one method. The Commission also 
notes while these amendments are intended to facilitate greater 
electronic notice, the Rule still permits notice via first-class mail. 
Accordingly, the contention that this Rule requires two methods of 
electronic notice is incorrect.
---------------------------------------------------------------------------

    \222\ AAFP at 3-4 (noting AAFP appreciates ``the proposed 
structure of providing notice in two different electronic formats to 
increase the likelihood individuals will see them''); CHIME at 5 
(``CHIME is supportive of the FTC's approach to revise the ``method 
of notice section'' and to structure the breach notification in two 
parts in order to increase the likelihood that consumers encounter 
the notice.''); EPIC at 10 (``By requiring email and an in-app or 
website notice option, the expanded definition enables entities to 
have the best chance at notifying consumers regardless of whether 
they reliably check their email or continue to use the entity's app 
or website.''). The Commission also disagrees with the commenter who 
recommended that the Commission abandon the two-part notice and 
create a new definition of ``electronic mail'' where, for example, 
only a website notice alone would satisfy the notice requirement if 
such a notice was ``reasonable and appropriate.'' AdvaMed at 6. The 
Commission disagrees with this approach and declines to adopt it.
---------------------------------------------------------------------------

    The Commission also declines, in response to public comments,\223\ 
to mandate how notifications are effectuated when sent via ``electronic 
mail,'' as the Commission believes it is important to not be overly 
prescriptive given rapidly changing technologies.

[[Page 47047]]

The Commission emphasizes though, as described below, that the notice 
must satisfy the Rule's definition of ``clear and conspicuous.''
---------------------------------------------------------------------------

    \223\ See supra notes 210-213.
---------------------------------------------------------------------------

    Nor does the Commission believe, as some commenters argued, the 
two-part electronic notification will result in additional collections 
of information by notifying entities. The Commission agrees with 
commenters who stated entities are generally already collecting the 
information needed for notice via ``electronic mail'' and a data 
minimization issue does not exist.\224\
---------------------------------------------------------------------------

    \224\ CARIN Alliance at 6; EPIC at 10.
---------------------------------------------------------------------------

    In response to the commenter who suggested the FTC consider adding 
a provision allowing an individual to request a copy of the notice in 
other accessible formats, such as for hearing- or vision-impaired 
people, or in non-English languages,\225\ the Commission previously 
addressed a similar comment in the 2009 Rule Commentary. There, the 
Commission noted that section 13402(e)(l) of the Recovery Act requires 
that notification be provided via ``written notification by first-class 
mail'' or ``electronic mail.'' The Commission emphasized then, as we do 
today, that the Rule does not preclude notifications in accessible 
formats. The Commission supports their use in appropriate 
circumstances, in addition to the forms of notice prescribed by the 
Rule.\226\
---------------------------------------------------------------------------

    \225\ See supra note 214.
    \226\ 74 FR 42972.
---------------------------------------------------------------------------

    The Commission also adopts without modification the definition of 
``clear and conspicuous.'' The Commission agrees with the commenter who 
indicated it is imperative that a breach notice be reasonably 
understandable and call attention to the significance of the 
information that is included in the notice.\227\ The Commission 
believes its definition of ``clear and conspicuous'' will assist in 
achieving this objective. The Commission declines, however, to mandate 
specific language for the email subject line to satisfy the Rule's 
``clear and conspicuous'' requirement, as one commenter had 
suggested.\228\ The Commission emphasizes, however, that the clear and 
conspicuous requirement would require a notifying entity to use an 
email subject line that draws the reader's attention to the email 
notice. The Commission also declines to adopt the suggestion that the 
definition of ``clear and conspicuous'' be incorporated directly into 
Sec.  318.5. The Commission believes the entities seeking information 
on what ``clear and conspicuous'' means will find it clearer to consult 
the definition in Sec.  318.2.
---------------------------------------------------------------------------

    \227\ AMA at 5.
    \228\ See supra note 217.
---------------------------------------------------------------------------

    Turning to the model notice,\229\ as the Commission noted in the 
NPRM, the model was intended for entities to use, in their discretion, 
to notify individuals, and the Commission adopts the same position 
here.\230\ The model is voluntary and while the Commission believes it 
represents a best practice, using the model is not required to achieve 
compliance with the Rule.
---------------------------------------------------------------------------

    \229\ The model notice is found in appendix A.
    \230\ 88 FR 37827.
---------------------------------------------------------------------------

    The Commission declines to adopt the position that use of the model 
notice provides a safe harbor, although the Commission would take into 
consideration in an enforcement action an entity who follows the model 
notice. Further, the Commission notes an entity who follows the model 
notice can nevertheless violate the Rule in other ways. For example, an 
entity could follow the model notice but fail to provide timely notice. 
In such instances, providing a safe harbor because the entity utilized 
the model notice would be inappropriate.

F. Revisions to the Required Content of Notice

1. The Commission's Proposal Regarding Content of Notice
    The Commission proposed five changes to the content of the notice. 
First, in Sec.  318.6(a), as part of relaying what happened regarding 
the breach, the Commission proposed the notice to individuals also 
include a brief description of the potential harm that may result from 
the breach, such as medical or other identity theft. Second, the 
Commission proposed to amend the requirements for the notice under 
Sec.  318.6(a) to include the full name, website, and contact 
information (such as a public email address or phone number) of any 
third parties that acquired unsecured PHR identifiable health 
information as a result of a breach of security, if this information is 
known to the vendor of personal health records or PHR related entity 
(such as where the breach resulted from disclosures of users' sensitive 
health information without authorization). Third, the Commission 
proposed modifications to Sec.  318.6(b), which requires that the 
notice include a description of the types of unsecured PHR identifiable 
health information that were involved in the breach. The Commission 
proposed this exemplar list be expanded to include additional types of 
PHR identifiable health information, such as health diagnosis or 
condition, lab results, medications, other treatment information, the 
individual's use of a health-related mobile application, and device 
identifier. Fourth, the Commission proposed revising Sec.  318.6(d) of 
the Rule to require the notice to individuals include additional 
information providing a brief description of what the entity that 
experienced the breach is doing to protect affected individuals, such 
as offering credit monitoring or other services. Fifth, the Commission 
proposed modifying Sec.  318.6(e) so the contact procedures specified 
by the notifying entity must include two or more of the following: 
toll-free telephone number; email address; website; within-application; 
or postal address.
2. Public Comments Regarding Content of Notice
a. Proposal That Notice Include Description of Potential Harm That May 
Result From a Breach
    The Commission's proposal to modify Sec.  318.6(a) to include in 
the notice to individuals a brief description of the potential harm 
that may result from a breach drew a wide range of comments. On the one 
hand, many commenters supported the Commission's proposal.\231\ For 
example, one commenter noted this proposal would help individuals 
better understand the connection between the information breached and 
the potential harm that could result from the breach of such 
information.\232\ Other commenters stated that providing the potential 
harms from a breach better equips consumers to address injuries and 
mitigate harms from it.\233\ One commenter stated including some 
potential harms would be helpful, but notifying entities should also 
include language in the notice stating that other harms may occur.\234\ 
This same commenter suggested the Commission consider selecting the 
most common types of breaches and listing some but not all of the 
potential consequences from each.\235\
---------------------------------------------------------------------------

    \231\ AAFP at 4; AMA at 6; AOA at 5; Anonymous 3; AHIOS at 3; 
CARIN Alliance at 7-8; CHIME at 3, 6; Consumer Reports at 9-10; EFF 
at 2; EPIC at 10-11; HIMSS at 3-4; ITRC at 2; Members of the House 
of Representatives at 1-2; Dharini Padmanabhan at 1.
    \232\ AMA at 6.
    \233\ Consumer Rep.'s at 9-10; EPIC at 10-11.
    \234\ MHDF at 10-11.
    \235\ Id.
---------------------------------------------------------------------------

    On the other hand, many commenters criticized this proposal.\236\ 
Some

[[Page 47048]]

commenters argued this proposal will result in notifying entities 
having to speculate about potential harms that may never occur or 
providing a list of harms that may be incomplete.\237\ Others pointed 
out that notifying individuals about potential harms could cause 
consumer anxiety, consumer confusion, and detract from actions the 
individuals should take.\238\ One commenter noted the Commission's 
proposal might lead consumers to believe the harms listed in the notice 
are the only possible harms from a breach, when in fact consumers may 
suffer other harms not disclosed in the notice.\239\ This same 
commenter also noted it is opposed to entities stating there are no 
known harms that may result from a breach solely because a notifying 
entity is unaware of any specific bad outcomes.\240\
---------------------------------------------------------------------------

    \236\ AdvaMed at 6-7; AHIP at 6; ACLA at 4-5; Confidentiality 
Coal. at 7; CTA at 23-24; MHDF at 10; NAI at 9.
    \237\ AdvaMed at 6-7; AHIP at 6; MHDF at 10; NAI at 9.
    \238\ ACLA at 4-5; AMIA at 5; NAI at 9.
    \239\ MHDF at 10.
    \240\ Id. at 10-11.
---------------------------------------------------------------------------

b. Proposal That Notice Include Full Name, Website and Contact 
Information of Third Parties That Acquired Unsecured PHR Identifiable 
Health Information
    Next, the Commission proposed to amend the requirements for the 
notice under Sec.  318.6(a) to include the full name, website, and 
contact information (such as a public email address or phone number) of 
any third parties that acquired unsecured PHR identifiable health 
information as a result of a breach of security. Although several 
commenters supported this proposal,\241\ many others pointed out it is 
problematic in certain circumstances.\242\ A few commenters noted the 
proposal is ill-suited for security breaches, such as a hacking, where 
providing consumers with the name and contact information of an actor 
who committed a security breach (e.g., a hacker) could result in 
further malicious action against the target entity.\243\ One commenter 
noted for security breaches, the malicious actor or hacker would not be 
responsive to consumers.\244\ Further, one commenter noted this 
requirement could hamper law enforcement efforts.\245\ One commenter 
also indicated this requirement could frustrate investigative efforts 
or have a chilling effect on an inadvertent recipient from reporting a 
wrongful disclosure.\246\
---------------------------------------------------------------------------

    \241\ AAFP at 4; AHIMA at 5-6; AMA at 6; AMIA at 5; AOA at 5; 
CARIN Alliance at 7; Consumer Rep.'s at 9-10; EFF at 2; EPIC at 10-
11; HIMSS at 3-4; ITRC at 2; Members of the House of Representatives 
at 1-2.
    \242\ ACLA at 4-5; AHIP at 6; CHI at 6; Confidentiality 
Coalition at 7; CTA at 24.
    \243\ ACLA at 4-5; Confidentiality Coal. at 7.
    \244\ Confidentiality Coal. at 7.
    \245\ CTA at 24.
    \246\ AHIP at 6.
---------------------------------------------------------------------------

c. Proposal That Notice Include Description of Types of Unsecured PHR 
Identifiable Health Information Involved in a Breach
    Third, the Commission proposed modifications to Sec.  318.6(b), 
which requires the notice to individuals include a description of the 
types of unsecured PHR identifiable health information that were 
involved in the breach. The Commission proposed this exemplar list be 
expanded to include additional types of PHR identifiable health 
information, such as health diagnosis or condition, lab results, 
medications, other treatment information, the individual's use of a 
health-related mobile application, and device identifier. Several 
commenters supported this proposal.\247\ One commenter noted it is 
important for consumers to receive notice of the specific types of PHR 
identifiable health information involved in a breach, given that the 
exposure of health information can lead to a wide spectrum of 
harms.\248\ Another commenter stated providing individuals with a more 
expansive list of exposed data points will also give them a more 
complete picture of the risks they face.\249\
---------------------------------------------------------------------------

    \247\ AAFP at 4; AHIMA at 6; AMA at 6; AOA at 5; CARIN Alliance 
at 7; Consumer Rep.'s at 9-10; Ella Balasa at 2; HIMSS at 3-4; ITRC 
at 2; NAI at 9.
    \248\ Light Collective at 2.
    \249\ ITRC at 2.
---------------------------------------------------------------------------

d. Proposal That Notice Include Description of What Entity Is Doing To 
Protect Affected Individuals
    Fourth, the Commission proposed revising Sec.  318.6(d) of the Rule 
to require that the notice to individuals include additional 
information providing a brief description of what the entity that 
experienced the breach is doing to protect affected individuals, such 
as offering credit monitoring or other services. This proposal 
attracted support from multiple commenters.\250\ One commenter stated 
that informing individuals about these steps is important so that they 
know what additional actions they should take to protect themselves 
from potential harm.\251\ Another similarly stated that knowing what 
the notifying entity is doing to protect affected individuals can help 
consumers who are considering making purchase decisions for fraud 
detection or credit monitoring.\252\ One commenter stated that 
requiring notifying entities to share this information will incentivize 
them to take proactive measures to mitigate harms to consumers.\253\
---------------------------------------------------------------------------

    \250\ AAFP at 4; AMA at 6; AOA at 4; CARIN Alliance at 7-8; 
HIMSS at 3-4; ITRC at 2.
    \251\ AMA at 6.
    \252\ AHIMA at 5-6.
    \253\ Consumer Rep.'s at 9-10.
---------------------------------------------------------------------------

    Some commenters, however, raised concerns about this proposal. For 
instance, one commenter believed the Rule already encompasses this 
requirement and therefore the Commission's proposal could result in 
duplicative information being provided in the notice.\254\ Another 
commenter stated the FTC needs to go further in ensuring that 
notification requirements help consumers understand what remedies are 
available when their health information is breached.\255\
---------------------------------------------------------------------------

    \254\ Confidentiality Coal. at 7.
    \255\ Light Collective at 6-7.
---------------------------------------------------------------------------

e. Proposal That Notice Include Two or More Contact Procedures
    Fifth, the Commission proposed amendments to Sec.  318.6(e) so the 
contact procedures specified by the notifying entity in its breach 
notification must include two or more of the following: toll-free 
telephone number; email address; website; within-application; or postal 
address. Many commenters expressed support for this proposal.\256\ One 
commenter noted multiple contact options ensures that victims of all 
backgrounds and technical capabilities are able to contact the 
notifying entity to learn more about how to protect themselves after a 
breach.\257\ Another commenter noted that providing multiple contact 
options encourages and facilitates communication between the individual 
and the notifying entity.\258\ One commenter, however, expressed 
concern the proposal is burdensome, the HIPAA breach notice rule 
requires only one method of contact, and HHS has not identified any 
concerns with individuals having difficulty obtaining information from 
covered entities using one contact method under HIPAA's breach notice 
rule.\259\
---------------------------------------------------------------------------

    \256\ AAFP at 4; AHIMA at 6; AHIP at 5; Anonymous 3 at 1; AOA at 
5; CARIN Alliance at 8; Consumer Rep.'s at 9-10; EPIC at 9-10; HIMSS 
at 3-4; ITRC at 2; Dharini Padmanabhan at 1.
    \257\ AHIMA at 6.
    \258\ AMA at 6.
    \259\ AdvaMed at 6-7.

---------------------------------------------------------------------------

[[Page 47049]]

3. The Commission Changes Regarding Content of Notice
a. The Commission Declines To Adopt Proposal That Notice Include 
Description of Potential Harm That May Result From a Breach
    The Commission believes, in light of the public comments, that the 
downsides of requiring in the notice a description of the potential 
harms that may result from a breach outweigh the upsides. The 
Commission is concerned about requiring a consumer notice to include 
possible harms that may never materialize. In such cases, consumers may 
experience needless anxiety and take actions that are not necessary, 
leading to consumer frustration. The Commission also is concerned this 
proposal may result in entities describing potential harms so 
generically that the description provides minimal value to consumers, 
or, alternatively, that entities will provide a laundry list of 
potential harms, making such a list meaningless to consumers. The 
Commission also agrees with one commenter who noted this proposal might 
lead consumers to believe the harms listed in the notice are the only 
possible harms from a breach, when in fact consumers may suffer other 
harms not disclosed in the notice.\260\
---------------------------------------------------------------------------

    \260\ MHDF at 10.
---------------------------------------------------------------------------

    Accordingly, the Commission declines to adopt this proposal.\261\ 
The Commission believes the remaining elements of the content of the 
notice will supply individuals with sufficient information about a 
breach, especially given the other modifications to Sec.  318.6. The 
Commission also emphasizes in certain cases where harms are concrete 
and known, notifying entities should as a best practice inform 
individuals about those harms in the notice.
---------------------------------------------------------------------------

    \261\ The Commission has updated the model notice in appendix A 
to reflect this change.
---------------------------------------------------------------------------

b. The Commission Modifies Proposal That Notice Include Full Name, 
Website, and Contact Information of Third Parties That Acquired 
Unsecured PHR Identifiable Health Information
    In light of the public comments, the Commission is modifying Sec.  
318.6(a) to require notifying entities to provide the full name or 
identity (or where providing name or identity would pose a risk to 
individuals or the entity providing notice, a description) of the third 
parties that acquired the PHR identifiable health information as a 
result of a breach of security.\262\ The Commission believes it is 
important for consumers to know who acquired their PHR identifiable 
health information as a result of a breach. At the same time, the 
Commission acknowledges in some scenarios it could be problematic to 
require notifying entities to provide the contact information of those 
who acquired PHR identifiable health information.
---------------------------------------------------------------------------

    \262\ The Commission has updated the model notice in appendix A 
to reflect this change.
---------------------------------------------------------------------------

    Accordingly, this revised provision is intended to still provide 
individuals with information about who acquired their health 
information. Under Sec.  318.6(a), notifying entities are required to 
provide the full name or identity of the third parties that acquired 
the PHR identifiable health information as a result of a breach of 
security, except where providing the full name or identity of the third 
parties would pose a risk to affected individuals or the entity 
providing notice. In cases where providing the name or identity of the 
third parties that acquired the PHR identifiable health information as 
a result of a breach of security would pose a risk to affected 
individuals or the entity providing notice (e.g., providing the name of 
hacker could subject affected individuals or the entity providing 
notice to further harm), Sec.  318.6(a) permits notifying entities to 
describe the type of third party (e.g., hacker) who acquired 
individuals' PHR identifiable health information.
c. The Commission Adopts Proposal That Notice Include Description of 
Types of Unsecured PHR Identifiable Health Information Involved in a 
Breach
    The Commission agrees with the many public comments supporting this 
proposal.\263\ The Commission concurs with the commenter who noted it 
is important for consumers to receive notice of the specific types of 
PHR identifiable health information involved in a breach,\264\ and the 
commenter who stated that providing affected individuals with a more 
expansive list of health data points implicated in a breach will help 
them better understand the risks they face.\265\ The Commission adopts 
this proposal without modification.
---------------------------------------------------------------------------

    \263\ See supra note 247.
    \264\ See supra note 248.
    \265\ See supra note 249.
---------------------------------------------------------------------------

d. The Commission Adopts Proposal That Notice Include Description of 
What Entity Is Doing To Protect Affected Individuals
    Several commenters supported the Commission proposal that the 
notice to individuals include a description of what the notifying 
entity is doing to protect affected individuals.\266\ The Commission 
concurs with the commenter who stated that informing affected 
individuals about the steps notifying entities are taking to protect 
them is important so that affected individuals know what additional 
actions they should take to protect themselves from potential 
harm.\267\ The Commission similarly agrees with the commenter who 
stated that knowing what the notifying entity is doing to protect 
affected individuals can help consumers who are considering making 
purchase decisions like fraud detection or credit monitoring.\268\ The 
Commission also agrees with the commenter who stated that requiring 
notifying entities to share information about what they are doing to 
protect affected individuals will incentivize notifying entities to 
take proactive measures to mitigate harms to consumers.\269\
---------------------------------------------------------------------------

    \266\ See supra note 250.
    \267\ See supra note 251.
    \268\ See supra note 252.
    \269\ See supra note 253.
---------------------------------------------------------------------------

    In response to the one commenter who noted the 2009 Rule already 
includes this proposed requirement,\270\ the Commission notes Sec.  
318.6(d) from the 2009 Rule requires notifying entities to include in 
the notice to individuals what the entity is doing to investigate the 
breach, to mitigate any losses, and to protect against any further 
breaches. Accordingly, under the 2009 Rule, there is no explicit 
requirement for the notifying entity to state in the individual notice 
what the entity is doing to protect affected individuals. Given this, 
the Commission does not believe individuals will receive duplicative 
information.
---------------------------------------------------------------------------

    \270\ See supra note 254.
---------------------------------------------------------------------------

    In response to the commenter who argued the Commission needs to 
help consumers understand post-breach remedies,\271\ the Commission 
believes this concern is addressed by the combination of Sec.  
318.6(c), which requires notifying entities to include in the notice 
steps individuals should take to protect themselves from potential harm 
resulting from the breach, and Sec.  318.6(d), which requires notifying 
entities to include in the notice the steps the notifying entity is 
taking to protect affected individuals following the breach.
---------------------------------------------------------------------------

    \271\ See supra note 255.
---------------------------------------------------------------------------

    The Commission adopts proposed Sec.  318.6(d) without modification.
e. The Commission Adopts Proposal That Notice Include Two or More 
Contact Procedures
    In response to the comment that providing two or more contact

[[Page 47050]]

procedures in the notice is burdensome,\272\ the Commission believes if 
this proposal results in any burden to notifying entities, such burden 
will be minimal given the ease with which compliance with this 
provision can be achieved, and outweighed by the benefits to consumers 
who will have increased options to communicate with notifying entities. 
Second, in response to the comment that the HIPAA Breach Notification 
Rule requires only one contact method,\273\ the Commission notes while 
there are many similarities between the FTC's and HHS's respective 
breach notification rules and the agencies have consulted to harmonize 
the two rules, there are differences between them, and the Commission 
believes it is important to update this provision to reflect new modes 
of communication and facilitate greater opportunities for communication 
between affected individuals and notifying entities.
---------------------------------------------------------------------------

    \272\ See supra note 259.
    \273\ Id.
---------------------------------------------------------------------------

    The Commission notes multiple commenters supported this 
proposal.\274\ Specifically, the Commission agrees with the commenter 
who stated multiple contact procedures enables greater opportunities 
for affected individuals to communicate with notifying entities.\275\ 
The Commission also agrees with the commenter who noted multiple 
contact options ensures that affected individuals from all backgrounds 
and technical capabilities are able to contact the notifying entity 
following a breach.\276\ The Commission therefore adopts proposed Sec.  
318.6(e) without modification.
---------------------------------------------------------------------------

    \274\ See supra note 256.
    \275\ See supra note 258.
    \276\ See supra note 257.
---------------------------------------------------------------------------

G. Timing of Notice to the FTC

1. The Commission's Proposal Regarding Timing of Notice
    Although the Commission did not propose any timing changes in the 
NPRM, the Commission requested comments on several issues related to 
timing, including the timing of the notification to the FTC. Regarding 
the notification timeline to the FTC, the Commission sought comment on 
whether it should extend the timeline to give entities more time to 
investigate breaches and better ascertain the number of affected 
individuals or whether an extension would simply facilitate dilatory 
action and minimize the opportunity for an important dialogue with 
Commission staff during the fact-gathering stage immediately following 
a breach.
2. Public Comments Regarding Timing of Notice
    Several commenters expressed support for extending the notification 
timeline to the FTC.\277\ Commenters provided several reasons why the 
existing requirement of notice to the FTC ``as soon as possible and in 
no case later than ten business days following the date of discovery of 
the breach'' for breaches involving 500 or more individuals should be 
amended. For example, commenters noted that ten days does not provide 
entities with sufficient time to adequately investigate incidents and 
fully understand the facts, possibly leading to notices that may be 
incomplete and require amendment or correction.\278\ Others commented 
that the existing requirement diverts key resources from investigating 
potential breaches, indicating when a breach is suspected or has been 
discovered, the target entity's focus should be responding to the 
incident, conducting a thorough investigation of what may have 
occurred, and addressing and mitigating vulnerabilities to ensure 
additional information is not compromised.\279\
---------------------------------------------------------------------------

    \277\ AdvaMed at 9; AHIP at 7; ACLA at 3-4; ATA Action at 2; 
CCIA at 8; CHI at 6; CTA at 20-21; TechNet at 5.
    \278\ AdvaMed at 9; ACLA at 3-4; AHIP at 7; TechNet at 5-6.
    \279\ ACLA at 3-4; CTA at 19-21.
---------------------------------------------------------------------------

    Several commenters urged the FTC to align the timeframe to notify 
the FTC with the timing requirement under HIPAA's Health Breach 
Notification Rule,\280\ which requires notification to the Secretary of 
HHS without unreasonable delay and in no case later than 60 calendar 
days following a breach.\281\ One commenter, irrespective of HIPAA, 
suggested the Commission give entities up to 60 days to investigate a 
breach and provide notification to the Commission.\282\ One commenter 
recommended the FTC adopt a ``risk-based'' notification approach 
whereby the agency could create a shorter notification timeline for 
high-risk incidents and a longer notification timeline or even no 
notification for low-risk incidents.\283\
---------------------------------------------------------------------------

    \280\ 45 CFR 164.400 through 414.
    \281\ AdvaMed at 9; AHIP at 7; ACLA at 3; ATA Action at 2; 
TechNet at 5-6.
    \282\ ACLA at 3-4.
    \283\ CTA at 19-21.
---------------------------------------------------------------------------

3. The Commission Adopts Changes to the Timing of Notice
    Having considered the public comments, the Commission agrees with 
commenters who recommended that the notification timeline to the FTC 
for breaches of security involving 500 or more individuals should be 
adjusted. The Commission agrees that in certain incidents, especially 
large, complex breaches, it can be challenging for entities to fully 
understand the scope of a breach in ten business days, leading to the 
possibility of incomplete breach notices.
    Accordingly, the Commission is revising Sec.  318.4(b) to read: 
``All notifications required under Sec.  318.5(c) involving the 
unsecured PHR identifiable health information of 500 or more 
individuals shall be provided contemporaneously with the notice 
required by paragraph (a) of this section.'' This change requires 
entities, for breaches involving 500 or more individuals, to notify the 
FTC consistent with the notice required by Sec.  318.4(a)--i.e., 
without unreasonable delay and in no case later than 60 calendar days 
after the discovery of a breach of security. This change also requires 
the notice to the FTC be sent at the same time as the notice to the 
individuals. This requirement thus ensures the notice to the FTC 
includes all of the information provided in the notice to the 
individual. It also avoids a scenario where individuals receive notice 
before the FTC receives notice and affected individuals contact the FTC 
about a breach for which the Commission has not been notified.
    As a result of this change, the Commission anticipates entities 
will have sufficient time to provide complete and fulsome notifications 
to the Commission. The Commission emphasizes, however, that notice to 
the FTC should occur ``without unreasonable delay,'' with 60 days 
serving as the outer limit.\284\ The Commission believes, consistent 
with public comments, this change effectively harmonizes the 
notification timeline to the FTC with the notification timeline to the 
Secretary of HHS under the HIPAA Breach Notification Rule.

[[Page 47051]]

The Commission also believes this notification timeline satisfies the 
Recovery Act requirement that notice be provided ``immediately.'' \285\ 
The Commission also notes this change does not affect in any way the 
timing of the notice to the FTC for breaches involving less than 500 
individuals.
---------------------------------------------------------------------------

    \284\ As the Commission stated in the 2009 Rule Commentary, in 
some cases, it may be an ``unreasonable delay'' to wait until the 
60th day to provide notification. For example, if a vendor of 
personal health records or PHR related entity learns of a breach, 
gathers all necessary information, and has systems in place to 
provide notification within 30 days, it would be unreasonable to 
wait until the 60th day to send the notice. Similarly, the 
Commission noted there may be circumstances where a vendor of 
personal health records discovers that its third party service 
provider has suffered a breach before the service provider notifies 
the vendor that the breach has occurred. In such circumstances, the 
vendor should begin taking steps to address the breach immediately, 
and should not wait until receiving notice from the service 
provider. 74 FR 42971 n.94 (2009).
    \285\ 42 U.S.C. 17932(e)(3). Like the Department of Health and 
Human Services previously concluded with respect to notification to 
the Secretary under the HIPAA Breach Notification Rule (74 FR 42753 
(2009)), the Commission concludes this interpretation satisfies the 
statutory requirement that notifications of larger breaches be 
provided to the FTC immediately as compared to the notifications of 
smaller breaches (i.e., those involving less than 500 individuals), 
which the statute allows to be reported annually to the FTC.
---------------------------------------------------------------------------

    Finally, a small number of commenters addressed other issues 
related to timing, such as the timeline for providing notice to 
consumers or the media. The Commission believes, for the reasons stated 
in the commentary accompanying the 2009 NPRM and the 2009 Rule 
Commentary, the current timelines are appropriate to give consumers and 
the media timely notice without overburdening notifying firms.\286\
---------------------------------------------------------------------------

    \286\ 74 FR 17918 (2009); 74 FR 42971 (2009).
---------------------------------------------------------------------------

H. Proposed Changes To Improve Rule's Readability

1. The Commission Proposed Changes To Promote Readability
    The Commission proposed several changes to improve the Rule's 
readability. Specifically, the Commission proposed to include 
explanatory parentheticals for internal cross-references, add statutory 
citations in relevant places, consolidate notice and timing 
requirements in single sections, and revise the Enforcement section to 
state more plainly the penalties for non-compliance.
2. Public Comments Regarding Readability
    Commenters supported the Commission's proposed changes to improve 
the Rule's readability and promote comprehension by including 
explanatory parentheticals and statutory citations.\287\ Commenters 
also expressed support for the proposed changes to improve the Rule's 
readability and promote compliance by consolidating into single 
sections, respectively, the Rule's breach notification and timing 
requirements.\288\ Commenters also favored the proposal to modify Sec.  
318.7 to make plain that a violation of the Rule constitutes a 
violation of a rule promulgated under section 18 of the FTC Act and is 
subject to civil penalties, stating this clarification will decrease 
the burden on the FTC in enforcement actions and prevent unintended 
barriers to enforcement.\289\
---------------------------------------------------------------------------

    \287\ AMA at 6; CARIN Alliance at 9.
    \288\ AHIMA at 7; AMA at 6-7.
    \289\ AHIMA at 7; AMA at 6-7; AHIOS at 5; MRO at 4. As part of 
its comment, AMA recommended the FTC, as Rule violations are filed, 
use actual examples as case study models for future educational 
resources. The Commission notes that its existing enforcement 
actions under the Rule already provide guidance for the marketplace 
and the FTC also has issued business guidance regarding the Rule. 
E.g., Fed. Trade Comm'n, Collecting, Using, or Sharing Consumer 
Health Information? Look to HIPAA, the FTC Act, and the Health 
Breach Notification Rule (Sept. 2023), https://www.ftc.gov/business-guidance/resources/collecting-using-or-sharing-consumer-health-information-look-hipaa-ftc-act-health-breach (last visited Jan. 11, 
2023); Fed. Trade Comm'n, Health Breach Notification Rule: The 
Basics for Business (Jan. 2022), https://www.ftc.gov/business-guidance/resources/health-breach-notification-rule-basics-business 
(last visited Jan. 11, 2024); Fed. Trade Comm'n, Complying with 
FTC's Health Breach Notification Rule (Jan. 2022), https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0 (last visited Jan. 11, 2024) One 
commenter also asserted the Commission was seeking to apply the 
NPRM's proposed changes retrospectively to breaches of security that 
were discovered on or after September 24, 2009. This commenter urged 
the Commission to modify Sec.  318.8 so that the Rule would only 
apply to breaches of security discovered at least 30 days after the 
effective date of this final rule. TechNet at 5-6. The 2023 NPRM set 
out the entire part for the convenience of commenters but did not 
propose any changes to Sec.  318.8. The Commission notes this 
effective date section was codified in 2009 when part 318 was added 
to the CFR and has been in effect since September 24, 2009. As 
explained in the 2009 Rule Commentary, ``the Commission does not 
have discretion to change the effective date of the rule because the 
Recovery Act establishes the effective date.'' See 74 FR 42976; see 
also 42 U.S.C. 17937(g)(1) (``The provisions of this section shall 
apply to breaches of security that are discovered on or after the 
date that is 30 days after the date of publication of such interim 
final regulations.''). The Commission emphasizes that this final 
rule does not apply retroactively.
---------------------------------------------------------------------------

3. The Commission Adopts Changes Regarding Readability
    In light of support from commenters and the Commission's belief 
that these proposed changes improve readability, the Commission adopts 
these changes without modification.\290\
---------------------------------------------------------------------------

    \290\ Relatedly, the Commission also is making a non-substantive 
grammatical change to Sec.  318.5(a)(2)(ii), which involves 
substitute notice. This provision currently states: ``Such a notice 
in media or web posting shall include a toll-free phone number, 
which shall remain active for at least 90 days, where an individual 
can learn whether or not the individual's unsecured PHR identifiable 
health information may be included in the breach.'' The Commission 
is revising Sec.  318.5(a)(2)(ii) so it reads: ``Such a notice in 
media or web posting shall include a toll-free phone number, which 
shall remain active for at least 90 days, where an individual can 
learn if the individual's unsecured PHR identifiable health 
information may have been included in the breach.'' The Commission 
made this grammatical change to improve the rule's readability; the 
change does not alter the provision's substantive meaning.
---------------------------------------------------------------------------

III. Paperwork Reduction Act

    The Paperwork Reduction Act (``PRA''), 44 U.S.C. chapter 35, 
requires Federal agencies to seek and obtain Office of Management and 
Budget (``OMB'') approval before undertaking a collection of 
information directed to ten or more persons.\291\ This final rule is 
modifying an existing collection of information,\292\ which OMB has 
approved through July 31, 2025 (OMB Control No. 3084-0150). As required 
by the PRA, the Commission sought OMB review of the modified 
information collection requirement at the time of the publication of 
the NPRM. OMB directed the Commission to resubmit its request at the 
time the final rule is published. Accordingly, simultaneously with the 
publication of this final rule, the Commission is resubmitting its 
clearance request to OMB. FTC staff has estimated the burdens 
associated with the amendments as set forth below.
---------------------------------------------------------------------------

    \291\ 44 U.S.C. 3502(3)(A)(i).
    \292\ See 44 U.S.C. 3502(3)(A)(i).
---------------------------------------------------------------------------

    FTC staff estimates the amendments to 16 CFR part 318 will likely 
result in more reportable breaches by covered entities to the FTC. In 
the event of a breach of security, the covered firms will be required 
to investigate and, if certain conditions are met, notify consumers, 
the Commission, and, in some cases, the media.\293\
---------------------------------------------------------------------------

    \293\ Third party service providers who experience a breach are 
required to notify the vendor of personal health records or PHR 
related entity, which in turn is then required to notify consumers. 
The Commission expects the cost of notification to third party 
service providers would be small, relative to the entities that have 
to notify consumers. As part of the NPRM, the Commission solicited 
public comment on this issue and data that may be used to quantify 
the costs to third party service providers. The Commission did not 
receive any responsive submissions pertaining to this issue.
---------------------------------------------------------------------------

    Based on industry reports, FTC staff estimates the amendments will 
cover approximately 193,000 entities, which, in the event they 
experience a breach, may be required to notify consumers, the 
Commission, and, in some cases, the media. While there are 
approximately 1.8 million apps in the Apple App Store \294\ and 2.4 
million apps in the Google Play Store,\295\ as of March 2024, it 
appears that roughly 193,000 of the apps offered in either store are 
categorized as ``Health and Fitness.'' \296\
---------------------------------------------------------------------------

    \294\ See App Store--Apple, https://www.apple.com/app-store/.
    \295\ See AppBrain: Number of Android Apps on Google Play (Mar 
2024), https://www.appbrain.com/stats/number-of-android-apps.
    \296\ See Business of Apps, ``App Data Report: App Store Stats, 
Downloads, Revenues and App Rankings,'' https://www.businessofapps.com/data/report-app-data/ (reporting 90,913 apps 
in the Apple iOS App Store and 102,402 apps in the Google Play Store 
were categorized as ``Health and Fitness''). Together, this suggests 
there are approximately 193,000 Health and Fitness apps. This figure 
is likely both under- and over-inclusive as a proxy for covered 
entities. For example, this figure does not include apps categorized 
elsewhere (i.e., outside ``Health and Fitness'') that may be PHRs. 
However, at the same time, this figure also overestimates the number 
of covered entities, since many developers make more than one app 
and may specialize in the Health and Fitness category.

---------------------------------------------------------------------------

[[Page 47052]]

    The Commission received three comments in response to the NPRM 
arguing the Rule's scope is broader than apps categorized as ``Health 
and Fitness'' and the NPRM's PRA analysis therefore underestimated the 
number of covered entities and the resulting number of reportable 
breaches.\297\ As discussed above,\298\ the Commission is adopting 
these amendments to clarify that the Rule applies to mobile health 
applications and similar technologies. The Commission also highlighted 
several key limitations to the Rule's scope.\299\ Thus, the 193,000 
covered entities is a rough proxy for all covered PHRs, because it 
encompasses mobile health applications categorized as ``Health and 
Fitness.'' Similar health technologies are included in the roughly 
193,000 covered entities because most websites and connected health 
devices that will be covered by the amendments act in conjunction with 
an app.\300\
---------------------------------------------------------------------------

    \297\ See Chamber at 2; CHI at 6-7; CCIA at 8-9.
    \298\ See section II.1.c.
    \299\ Id.
    \300\ Indeed, one of the commenters who argued the Rule's 
coverage is broader than projected in the NPRM's PRA analysis 
acknowledged that there has been growth in the number of websites 
and apps since the 2009 PRA analysis estimated 700 covered entities 
to be covered by the Rule. Chamber at 2. Further, the approximately 
193,000 covered entities may overestimate the number of covered 
entities, as some apps or websites may not qualify as a covered 
entity given the Rule's boundaries. For example, a website or app 
must have the technical capacity to draw information from multiple 
sources and that same website or app must still be ``managed, 
shared, and controlled by or primarily for the individual'' to be 
covered by the Rule.
---------------------------------------------------------------------------

    FTC staff estimates these entities will, cumulatively, experience 
82 breaches per year for which notification may be required. With the 
proviso that there is insufficient data at this time about the number 
and incidence rate of breaches at entities covered by the amendments 
(due to underreporting prior to issuance of the Policy Statement), FTC 
staff determined the number of estimated breaches by calculating the 
breach incidence rate for HIPAA-covered entities, and then applied this 
rate to the estimated total number of entities that will be subject to 
the amendments.\301\ Additionally, as the number of breaches per year 
has grown significantly in the recent years,\302\ and FTC staff expects 
this trend to continue, FTC staff relied on the average number of 
breaches from 2021 through 2023 to estimate the annual breach incidence 
rate for HIPAA-covered entities.
---------------------------------------------------------------------------

    \301\ FTC staff used information publicly available from HHS on 
HIPAA related breaches because the HIPAA Breach Notification Rule is 
similarly constructed. However, while there are similarities between 
HIPAA-covered entities and HBNR-covered entities, it is not 
necessarily the case that rates of breaches would follow the same 
pattern. For instance, HIPAA-covered entities are generally subject 
to stronger data security requirements under HIPAA, but also may be 
more likely targets for security incidents (e.g., ransomware attacks 
on hospitals and other medical treatment centers covered by HIPAA 
have increased dramatically in recent years); thus, this number 
could be an under- or overestimate of the number of potential 
breaches per year.
    \302\ According to HHS's Office for Civil Rights (``OCR''), the 
number of breaches per year grew from 276 in 2013 to 739 breaches in 
2023. See Breach Portal, U.S. Dep't of Health & Human Servs., Office 
for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited March 1, 2024). The data was 
downloaded on March 1, 2024, resulting in limited data for 2024. 
Thus, breaches from 2024 were excluded from the calculations. 
However, breach investigations that remain open (under 
investigation) from years prior to 2024 are included in the count of 
yearly breaches.
---------------------------------------------------------------------------

    Specifically, HHS's OCR reported 715 breaches in 2021, 719 breaches 
in 2022, and 733 breaches in 2023,\303\ which results in an average of 
722 breaches between 2021 and 2023. Based on the 1.7 million entities 
that are covered by the HIPAA Breach Notification Rule \304\ and the 
average number of breaches for 2021-2023, FTC staff determined an 
annual breach incidence rate of 0.000425 (722/1.7 million). 
Accordingly, multiplying the breach incidence rate (0.000425) by the 
estimated number of entities covered by the amendments (193,000) 
results in an estimated 82 breaches per year.\305\
---------------------------------------------------------------------------

    \303\ See Breach Portal, U.S. Dep't of Health & Human Servs., 
Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited March 1, 2024).
    \304\ In a Federal Register publication titled ``Proposed 
Modifications to the HIPAA Privacy Rule to Support, and Remove 
Barriers to, Coordinated Care and Individual Engagement'', OCR 
proposes increasing the number of covered entities from 700,000 to 
774,331. 86 FR 6446, 6497 (Jan. 21, 2021). For purposes of 
calculating the annual breach incidence rate, FTC staff utilized 
700,000 covered entities because the proposed estimate of 774,331 
covered entities represents a projected increase that has not been 
finalized by OCR. The OCR publication also lists the number of 
covered Business Associates as 1,000,000. 86 FR 6528. FTC staff 
arrived at 1.7 million entities subject to the HIPAA Breach 
Notification Rule by adding 700,000 covered entities and 1,000,000 
Business Associates.
    \305\ One commenter argued that basing the NPRM's projection of 
the annual number of breaches on the breach incidence rate for 
HIPAA-covered entities is problematic because the NPRM's proposed 
definition of a breach of security ``goes far and beyond'' the HIPAA 
definition of a breach. CCIA at 8-9. To the extent the commenter is 
referring to the fact that the Rule's definition of breach of 
security covers unauthorized disclosures, the Commission notes the 
HIPAA Breach Notification Rule similarly covers unauthorized 
disclosures. See Breach Notification Rule, U.S. Dep't of Health & 
Human Servs., Office for Civil Rights, https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html (``A breach is, 
generally, an impermissible use or disclosure under the Privacy Rule 
that compromises the security or privacy of the protected health 
information.'').
---------------------------------------------------------------------------

Costs
    To determine the costs for purposes of this analysis, FTC staff has 
developed estimates for two categories of potential costs: (1) the 
estimated annual burden hours and labor cost of determining what 
information has been breached, identifying the affected customers, 
preparing the breach notice, and making the required report to the 
Commission; and (2) the estimated capital and other non-labor costs 
associated with notifying consumers.
    Estimated Annual Burden Hours: 12,300.
    Estimated Annual Labor Cost: $883,140.
    First, to determine what information has been breached, identify 
the affected customers, prepare the breach notice, and make the 
required report to the Commission, FTC staff estimates covered firms 
will require per breach, on average, 150 hours of employee labor at a 
cost of $10,770.\306\ This estimate does not include the cost of 
equipment or other tangible assets of the breached firms because they 
likely will use the equipment and other assets they have for ordinary 
business purposes. Based on the estimate that there will be 82 breaches 
per year the annual hours of burden for affected entities will be 
12,300 hours (150 hours x 82 breaches) with an associated labor cost of 
$883,140 (82 breaches x $10,770).
---------------------------------------------------------------------------

    \306\ This estimate is the sum of 40 hours of marketing 
managerial time (at an average wage of $76.10), 40 hours of computer 
programmer time ($49.42), 20 hours of legal staff ($78.74), and 50 
hours of computer and information systems managerial time ($83.49). 
See Occupational Employment and Wage Statistics, U.S. Bureau of 
Labor Statistics (May 2022), https://www.bls.gov/oes/current/oes_nat.htm#00-0000.
---------------------------------------------------------------------------

    Estimated Capital and Other Non-Labor Costs: $91,984,370.
    The capital and non-labor costs associated with breach 
notifications depend upon the number of consumers contacted and whether 
covered firms are likely to retain the services of a forensic expert. 
For breaches affecting large numbers of consumers, covered firms are 
likely to retain the services of a forensic expert. FTC staff 
estimates, for each breach requiring the services of forensic experts, 
forensic experts will spend approximately 40 hours to assist in the 
response to the cybersecurity intrusion, at an estimated cost of 
$20,000.\307\ FTC staff estimates the

[[Page 47053]]

services of forensic experts will be required in 60% of the 82 
breaches. Based on the estimate that there will be 49 breaches per year 
requiring forensic experts (60% x 82 breaches), the annual hours burden 
for affected entities will be 1,960 hours (49 breaches requiring 
forensic experts x 40 hours) with an associated cost of $980,000 (49 
breaches requiring forensic experts x $20,000).
---------------------------------------------------------------------------

    \307\ This estimate is the sum of 40 hours of forensic expert 
time at a cost of $500 per hour, which yields a total cost of 
$20,000 (40 hours x $500/hour).
---------------------------------------------------------------------------

    Using the data on HIPAA-covered breach notices available from HHS 
for the years 2018-2023, FTC staff estimates the average number of 
individuals affected per breach is 93,497.\308\ Given an estimated 82 
breaches per year, FTC staff estimates an average of 7,666,754 
consumers per year will receive a breach notification (82 breaches x 
93,497 individuals per breach).
---------------------------------------------------------------------------

    \308\ HHS Breach Data, supra note 303. This analysis uses the 
last six years of HHS breach data to generate the average, in order 
to account for the variation in number of individuals affected by 
breaches observed in the HHS data over time.
---------------------------------------------------------------------------

    Based on a recent study of data breach costs, FTC staff estimates 
the cost of providing notice to consumers to be $11.87 per breached 
record.\309\ This estimate includes the costs of electronic notice, 
letters, outbound calls or general notice to data subjects; and 
engagement of outside experts.\310\ Applied to the above-stated 
estimate of 7,666,754 consumers per year receiving breach notification 
yields an estimated total annual cost for all forms of notice to 
consumers of $91,004,370 (7,666,754 consumers x $11.87 per record). 
Accordingly, the estimated capital and non-labor costs total 
$91,984,370 ($980,000 + $91,004,370).
---------------------------------------------------------------------------

    \309\ See IBM Security, Costs of a Data Breach Report 2023 
(2023), https://www.ibm.com/reports/data-breach (``2023 IBM Security 
Report''). The research for the 2023 IBM Security Report is 
conducted independently by the Ponemon Institute, and the results 
are reported and published by IBM Security. Figure 2 of the 2023 IBM 
Security Report shows that cost per record of a breach was $165 per 
record in 2023, $164 in 2022, and $161 in 2021, resulting in an 
average cost of $163.33. Figure 5 of the 2023 IBM Security Report 
shows that 8.3% ($0.37m/$4.45m) of the average cost of a data breach 
are due to ``Notification'' costs. The fraction of average breach 
costs due to ``Notification'' were 7.1% in 2022 and 6.4% in 2021 
(IBM Security, Costs of a Data Breach Reports 2022 and 2021). Using 
the average of these numbers (7.27%), FTC staff estimates that 
notification costs per record across the three years are 7.27% x 
$163.33 = $11.87 per record.
    \310\ See 2023 IBM Security Report at 72.
---------------------------------------------------------------------------

    FTC staff notes these estimates likely overstate the costs imposed 
by the amendments because FTC staff made conservative assumptions in 
developing many of the underlying estimates. Moreover, many entities 
covered by the amendments already have similar notification obligations 
under State data breach laws.\311\ In addition, the Commission has 
taken several steps designed to limit the potential burden on covered 
entities that are required to provide notice, including by providing 
exemplar notices that entities may choose to use if they are required 
to provide notifications and expanding the use of electronic 
notifications.
---------------------------------------------------------------------------

    \311\ Many State data breach notification statutes require 
notification when a breach occurs involving certain health or 
medical information of individuals in that State. See, e.g., Ala. 
Code 8-38-1 et seq.; Alaska Stat. 45.48.010 et seq.; Ariz. Rev. 
Stat. 18-551 et seq.; Ark. Code 4-110-101 et seq.; Cal. Civ. Code 
1798.80 et seq.; Cal. Health & Safety Code 1280.15; Colo. Rev. Stat. 
6-1-716; Del. Code Ann. tit. 6 12B-101 et seq.; D.C. Code 28-3851 et 
seq.; Fla. Stat. 501.171; 815 Ill. Comp. Stat. 530/5 et seq.; Md. 
Code Com. Law 14-3501 et seq; Mo. Rev. Stat. 407.1500; Nev. Rev. 
Stat. 603A.010 et seq.; N.H. Rev. Stat. 359-C:19-C:21; N.H. Rev. 
Stat. 332-I:5; N.D. Cent. Code 51-30-01-07; Or. Rev. Stat. 646A.600-
646A.628; R.I. Gen. Laws 11-49.3-1--11-49.3-6; SDCL 22-40-19--22-40-
26; Tex. Bus. & Com. Code 521.002, 521.053, 521.151-152; 9 V.S.A. 
2430, 2435; Va. Code 18.2-186.6; Va. Code 32.1-127.1:05; Va. Code 
58.1-341.2; Wash. Rev. Code 19.255.010 et seq.
---------------------------------------------------------------------------

IV. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA) \312\ requires that the 
Commission provide an Initial Regulatory Flexibility Analysis 
(``IRFA'') with a proposed rule and a Final Regulatory Flexibility 
Analysis (``FRFA'') with a final rule, unless the Commission certifies 
that the rule will not have a significant economic impact on a 
substantial number of small entities. As discussed in the IRFA, the 
Commission believes the final rule will not have a significant economic 
impact upon small entities.
---------------------------------------------------------------------------

    \312\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

    In this document, the Commission largely adopts the amendments 
proposed in its NPRM. The Commission believes the amendments will not 
have a significant economic impact upon small entities, although they 
may affect a substantial number of small businesses. Among other 
things, the amendments clarify certain definitions, revise the 
disclosures that must accompany notice of a breach under the Rule, and 
modernize the methods of notice to allow additional use of electronic 
notice such as email by entities affected by a breach. In addition, the 
amendments improve the Rule's readability by clarifying cross-
references and adding statutory citations. The Commission does not 
anticipate that these changes will add significant additional costs for 
entities covered by the Rule, and by authorizing electronic notice in 
additional circumstances, the amendments may reduce costs for many 
entities covered by the Rule. Therefore, the Commission certifies that 
the amendments will not have a significant economic impact on a 
substantial number of small entities. Although the Commission certifies 
under the RFA that the Rule will not have a significant impact on a 
substantial number of small entities, and hereby provides notice of 
that certification to the Small Business Administration (``SBA''), the 
Commission has determined, nonetheless, that it is appropriate to 
publish an FRFA to inquire into the impact of the proposed amendments 
on small entities.

A. Need for and Objectives of the Amendments

    The objective of the amendments is to clarify existing notice 
obligations for entities covered by the Rule. The legal basis for the 
amendments is section 13407 of the Recovery Act.

B. Significant Issues Raised in Public Comments

    Although the Commission received several comments that argued that 
the amendments would be burdensome for businesses, none argued 
specifically that smaller businesses in particular would be subject to 
special burdens. The Commission did not receive any comments filed by 
the Chief Counsel for Advocacy of the SBA.

C. Small Entities to Which the Amendments Will Apply

    The amendments, like the current Rule, will apply to vendors of 
personal health records, PHR related entities, and third party service 
providers, including developers and purveyors of health apps, connected 
health devices, and similar technologies. As discussed in the 
Commission's PRA estimates above, FTC staff estimates the amendments 
will apply to approximately 193,000 covered entities. The Commission 
estimates that a substantial number of these entities likely qualify as 
small businesses. According to the Statistics on Small Businesses 
Census data, approximately 94% of ``Software Publishers'' (the category 
to which health and fitness apps belong) are small businesses.\313\
---------------------------------------------------------------------------

    \313\ 2017 SUSB Annual Data Tables by Establishment Industry, 
U.S. Census Bureau (May 2021), https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html, using ``Data by Enterprise 
Receipts Size.'' The U.S. Small Business Administration (``SBA'') 
categorizes Software Publishers as a small business if the annual 
receipts are less than $41.5 million; the 2017 data is the most 
recent data available reporting receipts size.

---------------------------------------------------------------------------

[[Page 47054]]

D. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements, Including Classes of Covered Small Entities and 
Professional Skills Needed To Comply

    The Recovery Act and the amendments contain certain reporting 
requirements. The amendments will clarify which entities are subject to 
those reporting requirements. Specifically, the Act and amendments 
require vendors of personal health records and PHR related entities to 
provide notice to consumers, the Commission, and in some cases the 
media in the event of a breach of unsecured PHR identifiable health 
information. The Act and amendments also require third party service 
providers to provide notice to vendors of personal health records and 
PHR related entities in the event of such a breach. If a breach occurs, 
each entity covered by the Act and amendments will expend costs to 
determine the extent of the breach and the individuals affected. If the 
entity is a vendor of personal health records or a PHR related entity, 
additional costs will include the costs of preparing a breach notice, 
notifying the Commission, compiling a list of consumers to whom a 
breach notice must be sent, and sending a breach notice. Such entities 
may incur additional costs in locating consumers who cannot be reached, 
and in certain cases, posting a breach notice on a website, notifying 
consumers through media advertisements, or sending breach notices 
through press releases to media outlets.
    In-house costs may include technical costs to determine the extent 
of breaches; investigative costs of conducting interviews and gathering 
information; administrative costs of compiling address lists; 
professional/legal costs of drafting the notice; and potentially, costs 
for postage, web posting, and/or advertising. Costs may also include 
the purchase of services of a forensic expert. As discussed in the 
context of the PRA, FTC staff estimates that compliance with these 
requirements will likely result in $883,148 in labor costs and 
$91,984,370 in capital and other non-labor costs. The estimated cost 
per covered entity is $481 (the total labor, capital, and non-labor 
costs of $92,867,518 divided by 193,000 covered entities). The SBA 
categorizes Software Publishers with annual receipts under $41.5 
million as a small business; the per entity cost of $481 represents 
0.0001% of this annual receipts threshold.

E. Significant Alternatives to the Amendments

    In drafting the Rule, the Commission has made every effort to avoid 
unduly burdensome requirements for entities. In particular, the 
Commission believes that the changes to facilitate electronic notice 
will assist small entities by significantly reducing the costs of 
sending breach notices. In addition, the Commission is making available 
exemplar notices that entities covered by the Rule may use, in their 
discretion, to notify individuals. The Commission anticipates these 
exemplar notices will further reduce the burden on entities that are 
required to provide notice under the Rule. The Commission is not aware 
of alternative methods of compliance that will reduce the impact of the 
amendments on small entities, while also comporting with the Recovery 
Act. The statutory requirements are specific as to the timing, method, 
and content of notice.

V. Other Matters

    Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), 
the Office of Information and Regulatory Affairs designated this rule 
as not a ``major rule,'' as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 318

    Breach, Consumer protection, Health, Privacy, Reporting and 
recordkeeping requirements, Trade practices.


0
Accordingly, the Federal Trade Commission revises and republishes 16 
CFR part 318 to read as follows:

PART 318--HEALTH BREACH NOTIFICATION RULE

Sec.
318.1 Purpose and scope.
318.2 Definitions.
318.3 Breach notification requirement.
318.4 Timeliness of notification.
318.5 Methods of notice.
318.6 Content of notice.
318.7 Enforcement.
318.8 Applicability date.
318.9 Sunset.

    Authority: 42 U.S.C. 17937 and 17953.


Sec.  318.1  Purpose and scope.

    (a) This part, which shall be called the ``Health Breach 
Notification Rule,'' implements section 13407 of the American Recovery 
and Reinvestment Act of 2009, 42 U.S.C. 17937. This part applies to 
foreign and domestic vendors of personal health records, PHR related 
entities, and third party service providers, irrespective of any 
jurisdictional tests in the Federal Trade Commission (FTC) Act, that 
maintain information of U.S. citizens or residents. This part does not 
apply to HIPAA-covered entities, or to any other entity to the extent 
that it engages in activities as a business associate of a HIPAA-
covered entity.
    (b) This part preempts State law as set forth in section 13421 of 
the American Recovery and Reinvestment Act of 2009, 42 U.S.C 17951.


Sec.  318.2  Definitions.

    Breach of security means, with respect to unsecured PHR 
identifiable health information of an individual in a personal health 
record, acquisition of such information without the authorization of 
the individual. Unauthorized acquisition will be presumed to include 
unauthorized access to unsecured PHR identifiable health information 
unless the vendor of personal health records, PHR related entity, or 
third party service provider that experienced the breach has reliable 
evidence showing that there has not been, or could not reasonably have 
been, unauthorized acquisition of such information. A breach of 
security includes an unauthorized acquisition of unsecured PHR 
identifiable health information in a personal health record that occurs 
as a result of a data breach or an unauthorized disclosure.
    Business associate means a business associate under the Health 
Insurance Portability and Accountability Act, Public Law 104-191, 110 
Stat. 1936, as defined in 45 CFR 160.103.
    Clear and conspicuous means that a notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information in the notice.
    (1) Reasonably understandable. You make your notice reasonably 
understandable if you:
    (i) Present the information in the notice in clear, concise 
sentences, paragraphs, and sections;
    (ii) Use short explanatory sentences or bullet lists whenever 
possible;
    (iii) Use definite, concrete, everyday words and active voice 
whenever possible;
    (iv) Avoid multiple negatives;
    (v) Avoid legal and highly technical business terminology whenever 
possible; and
    (vi) Avoid explanations that are imprecise and readily subject to 
different interpretations.
    (2) Designed to call attention. You design your notice to call 
attention to the nature and significance of the information in it if 
you:
    (i) Use a plain-language heading to call attention to the notice;
    (ii) Use a typeface and type size that are easy to read;

[[Page 47055]]

    (iii) Provide wide margins and ample line spacing;
    (iv) Use boldface or italics for key words; and
    (v) In a form that combines your notice with other information, use 
distinctive type size, style, and graphic devices, such as shading or 
sidebars, when you combine your notice with other information. The 
notice should stand out from any accompanying text or other visual 
elements so that it is easily noticed, read, and understood.
    (3) Notices on websites or within-application messaging. If you 
provide a notice on a web page or using within-application messaging, 
you design your notice to call attention to the nature and significance 
of the information in it if you use text or visual cues to encourage 
scrolling down the page if necessary to view the entire notice and 
ensure that other elements on the website or software application (such 
as text, graphics, hyperlinks, or sound) do not distract attention from 
the notice, and you either:
    (i) Place the notice on a screen that consumers frequently access, 
such as a page on which transactions are conducted; or
    (ii) Place a link on a screen that consumers frequently access, 
such as a page on which transactions are conducted, that connects 
directly to the notice and is labeled appropriately to convey the 
importance, nature and relevance of the notice.
    Covered health care provider means a provider of services (as 
defined in 42 U.S.C. 1395x(u)), a provider of medical or other health 
services (as defined in 42 U.S.C. 1395x(s)), or any other entity 
furnishing health care services or supplies.
    Electronic mail means email in combination with one or more of the 
following: text message, within-application messaging, or electronic 
banner.
    Health care services or supplies means any online service such as a 
website, mobile application, or internet-connected device that provides 
mechanisms to track diseases, health conditions, diagnoses or 
diagnostic testing, treatment, medications, vital signs, symptoms, 
bodily functions, fitness, fertility, sexual health, sleep, mental 
health, genetic information, diet, or that provides other health-
related services or tools.
    HIPAA-covered entity means a covered entity under the Health 
Insurance Portability and Accountability Act (HIPAA), Public Law 104-
191, 110 Stat. 1936, as defined in 45 CFR 160.103.
    Personal health record (PHR) means an electronic record of PHR 
identifiable health information on an individual that has the technical 
capacity to draw information from multiple sources and that is managed, 
shared, and controlled by or primarily for the individual.
    PHR identifiable health information means information that:
    (1) Relates to the past, present, or future physical or mental 
health or condition of an individual, the provision of health care to 
an individual, or the past, present, or future payment for the 
provision of health care to an individual; and
    (i) Identifies the individual; or
    (ii) With respect to which there is a reasonable basis to believe 
that the information can be used to identify the individual; and
    (2) Is created or received by a:
    (i) Covered health care provider;
    (ii) Health plan (as defined in 42 U.S.C. 1320d(5));
    (iii) Employer; or
    (iv) Health care clearinghouse (as defined in 42 U.S.C. 1320d(2)); 
and
    (3) With respect to an individual, includes information that is 
provided by or on behalf of the individual.
    PHR related entity means an entity, other than a HIPAA-covered 
entity or an entity to the extent that it engages in activities as a 
business associate of a HIPAA-covered entity, that:
    (1) Offers products or services through the website, including any 
online service, of a vendor of personal health records;
    (2) Offers products or services through the websites, including any 
online service, of HIPAA-covered entities that offer individuals 
personal health records; or
    (3) Accesses unsecured PHR identifiable health information in a 
personal health record or sends unsecured PHR identifiable health 
information to a personal health record.
    State means any of the several States, the District of Columbia, 
Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern 
Mariana Islands.
    Third party service provider means an entity that:
    (1) Provides services to a vendor of personal health records in 
connection with the offering or maintenance of a personal health record 
or to a PHR related entity in connection with a product or service 
offered by that entity; and
    (2) Accesses, maintains, retains, modifies, records, stores, 
destroys, or otherwise holds, uses, or discloses unsecured PHR 
identifiable health information as a result of such services.
    Unsecured means PHR identifiable information that is not protected 
through the use of a technology or methodology specified by the 
Secretary of Health and Human Services in the guidance issued under 
section 13402(h)(2) of the American Reinvestment and Recovery Act of 
2009, 42 U.S.C. 17932(h)(2).
    Vendor of personal health records means an entity, other than a 
HIPAA-covered entity or an entity to the extent that it engages in 
activities as a business associate of a HIPAA-covered entity, that 
offers or maintains a personal health record.


Sec.  318.3  Breach notification requirement.

    (a) In general. In accordance with Sec. Sec.  318.4 (regarding 
timeliness of notification), 318.5 (regarding methods of notice), and 
318.6 (regarding content of notice), each vendor of personal health 
records, following the discovery of a breach of security of unsecured 
PHR identifiable health information that is in a personal health record 
maintained or offered by such vendor, and each PHR related entity, 
following the discovery of a breach of security of such information 
that is obtained through a product or service provided by such entity, 
shall:
    (1) Notify each individual who is a citizen or resident of the 
United States whose unsecured PHR identifiable health information was 
acquired by an unauthorized person as a result of such breach of 
security;
    (2) Notify the Federal Trade Commission; and
    (3) Notify prominent media outlets serving a State or jurisdiction, 
following the discovery of a breach of security, if the unsecured PHR 
identifiable health information of 500 or more residents of such State 
or jurisdiction is, or is reasonably believed to have been, acquired 
during such breach.
    (b) Third party service providers. A third party service provider 
shall, following the discovery of a breach of security, provide notice 
of the breach to an official designated in a written contract by the 
vendor of personal health records or the PHR related entity to receive 
such notices or, if such a designation is not made, to a senior 
official at the vendor of personal health records or PHR related entity 
to which it provides services, and obtain acknowledgment from such 
official that such notice was received. Such notification shall include 
the identification of each customer of the vendor of personal health 
records or PHR related entity whose unsecured PHR identifiable health 
information has been, or is reasonably believed to have been, acquired 
during such breach. For

[[Page 47056]]

purposes of ensuring implementation of this paragraph (b), vendors of 
personal health records and PHR related entities shall notify third 
party service providers of their status as vendors of personal health 
records or PHR related entities subject to this part. While some third 
party service providers may access unsecured PHR identifiable health 
information in the course of providing services, this does not render 
the third party service provider a PHR related entity.
    (c) Breaches treated as discovered. A breach of security shall be 
treated as discovered as of the first day on which such breach is known 
or reasonably should have been known to the vendor of personal health 
records, PHR related entity, or third party service provider, 
respectively. Such vendor, entity, or third party service provider 
shall be deemed to have knowledge of a breach if such breach is known, 
or reasonably should have been known, to any person, other than the 
person committing the breach, who is an employee, officer, or other 
agent of such vendor of personal health records, PHR related entity, or 
third party service provider.


Sec.  318.4  Timeliness of notification.

    (a) In general. Except as provided in paragraph (d) of this section 
(exception for law enforcement), all notifications required under Sec.  
318.3(a)(1) (required notice to individuals), (a)(3) (required notice 
to media), and (b) (required notice by third party service providers), 
shall be sent without unreasonable delay and in no case later than 60 
calendar days after the discovery of a breach of security.
    (b) Timing of notice to FTC. All notifications required under Sec.  
318.5(c) (regarding notice to FTC) involving the unsecured PHR 
identifiable health information of 500 or more individuals shall be 
provided contemporaneously with the notice required by paragraph (a) of 
this section. All logged notifications required under Sec.  318.5(c) 
(regarding notice to FTC) involving the unsecured PHR identifiable 
health information of fewer than 500 individuals may be sent annually 
to the Federal Trade Commission no later than 60 calendar days 
following the end of the calendar year.
    (c) Burden of proof. The vendor of personal health records, PHR 
related entity, and third party service provider involved shall have 
the burden of demonstrating that all notifications were made as 
required under this part, including evidence demonstrating the 
necessity of any delay.
    (d) Law enforcement exception. If a law enforcement official 
determines that a notification, notice, or posting required under this 
part would impede a criminal investigation or cause damage to national 
security, such notification, notice, or posting shall be delayed. This 
paragraph (d) shall be implemented in the same manner as provided under 
45 CFR 164.528(a)(2), in the case of a disclosure covered under Sec.  
164.528(a)(2).


Sec.  318.5  Methods of notice.

    (a) Individual notice. A vendor of personal health records or PHR 
related entity that discovers a breach of security shall provide notice 
of such breach to an individual promptly, as described in Sec.  318.4 
(regarding timeliness of notification), and in the following form:
    (1) Written notice at the last known address of the individual. 
Written notice may be sent by electronic mail if the individual has 
specified electronic mail as the primary method of communication. Any 
written notice sent by electronic mail must be Clear and Conspicuous. 
Where notice via electronic mail is not available or the individual has 
not specified electronic mail as the primary method of communication, a 
vendor of personal health records or PHR related entity may provide 
notice by first-class mail at the last known address of the individual. 
If the individual is deceased, the vendor of personal health records or 
PHR related entity that discovered the breach must provide such notice 
to the next of kin of the individual if the individual had provided 
contact information for his or her next of kin, along with 
authorization to contact them. The notice may be provided in one or 
more mailings as information is available.
    (2) If, after making reasonable efforts to contact all individuals 
to whom notice is required under Sec.  318.3(a), through the means 
provided in paragraph (a)(1) of this section, the vendor of personal 
health records or PHR related entity finds that contact information for 
ten or more individuals is insufficient or out-of-date, the vendor of 
personal health records or PHR related entity shall provide substitute 
notice, which shall be reasonably calculated to reach the individuals 
affected by the breach, in the following form:
    (i) Through a conspicuous posting for a period of 90 days on the 
home page of its website; or
    (ii) In major print or broadcast media, including major media in 
geographic areas where the individuals affected by the breach likely 
reside. Such a notice in media or web posting shall include a toll-free 
phone number, which shall remain active for at least 90 days, where an 
individual can learn if the individual's unsecured PHR identifiable 
health information may have been included in the breach.
    (3) In any case deemed by the vendor of personal health records or 
PHR related entity to require urgency because of possible imminent 
misuse of unsecured PHR identifiable health information, that entity 
may provide information to individuals by telephone or other means, as 
appropriate, in addition to notice provided under paragraph (a)(1) of 
this section.
    (b) Notice to media. As described in Sec.  318.3(a)(3), a vendor of 
personal health records or PHR related entity shall provide notice to 
prominent media outlets serving a State or jurisdiction, following the 
discovery of a breach of security, if the unsecured PHR identifiable 
health information of 500 or more residents of such State or 
jurisdiction is, or is reasonably believed to have been, acquired 
during such breach.
    (c) Notice to FTC. Vendors of personal health records and PHR 
related entities shall provide notice to the Federal Trade Commission 
following the discovery of a breach of security, as described in Sec.  
318.4(b) (regarding timing of notice to FTC). If the breach involves 
the unsecured PHR identifiable health information of fewer than 500 
individuals, the vendor of personal health records or PHR related 
entity may maintain a log of any such breach and submit such a log 
annually to the Federal Trade Commission as described in Sec.  318.4(b) 
(regarding timing of notice to FTC), documenting breaches from the 
preceding calendar year. All notices pursuant to this paragraph (c) 
shall be provided according to instructions at the Federal Trade 
Commission's website.


Sec.  318.6  Content of notice.

    Regardless of the method by which notice is provided to individuals 
under Sec.  318.5 (regarding methods of notice), notice of a breach of 
security shall be in plain language and include, to the extent 
possible, the following:
    (a) A brief description of what happened, including: the date of 
the breach and the date of the discovery of the breach, if known; and 
the full name or identity (or, where providing the full name or 
identity would pose a risk to individuals or the entity providing 
notice, a description) of any third parties that acquired unsecured PHR 
identifiable health information as a result of a breach of security, if 
this information is known to the vendor of

[[Page 47057]]

personal health records or PHR related entity;
    (b) A description of the types of unsecured PHR identifiable health 
information that were involved in the breach (such as but not limited 
to full name, Social Security number, date of birth, home address, 
account number, health diagnosis or condition, lab results, 
medications, other treatment information, the individual's use of a 
health-related mobile application, or device identifier (in combination 
with another data element));
    (c) Steps individuals should take to protect themselves from 
potential harm resulting from the breach;
    (d) A brief description of what the entity that experienced the 
breach is doing to investigate the breach, to mitigate harm, to protect 
against any further breaches, and to protect affected individuals, such 
as offering credit monitoring or other services; and
    (e) Contact procedures for individuals to ask questions or learn 
additional information, which must include two or more of the 
following: toll-free telephone number; email address; website; within-
application; or postal address.


Sec.  318.7  Enforcement.

    Any violation of this part shall be treated as a violation of a 
rule promulgated under section 18 of the Federal Trade Commission Act, 
15 U.S.C. 57a, regarding unfair or deceptive acts or practices, and 
thus subject to civil penalties (as adjusted for inflation pursuant to 
Sec.  1.98 of this chapter), and the Commission will enforce this part 
in the same manner, by the same means, and with the same jurisdiction, 
powers, and duties as are available to it pursuant to the Federal Trade 
Commission Act, 15 U.S.C. 41 et seq.


Sec.  318.8  Applicability date.

    This part shall apply to breaches of security that are discovered 
on or after September 24, 2009.


Sec.  318.9  Sunset.

    If new legislation is enacted establishing requirements for 
notification in the case of a breach of security that apply to entities 
covered by this part, the provisions of this part shall not apply to 
breaches of security discovered on or after the effective date of 
regulations implementing such legislation.

    By direction of the Commission, Commissioners Holyoak and Ferguson 
dissenting.

April J. Tabor,
Secretary.

    Note: The following appendices will not appear in the Code of 
Federal Regulations.

Appendix A--Health Breach Notification Rule Exemplar Notices

    The notices below are intended to be examples of notifications 
that entities may use, in their discretion, to notify individuals of 
a breach of security pursuant to the Health Breach Notification 
Rule. The examples below are for illustrative purposes only. You 
should tailor any notices to the particular facts and circumstances 
of your breach. While your notice must comply with the Health Breach 
Notification Rule, you are not required to use the notices below.

Mobile Text Message and In-App Message Exemplars

Text Message Notification Exemplar 1

    Due to a security breach on our system, the health information 
you shared with us through [name of product] is now in the hands of 
unknown attackers. Visit [add non-clickable URL] to learn what 
happened, how it affects you, and what you can do to protect your 
information. We also sent you an email with additional information.

Text Message Notification Exemplar 2

    You shared health information with us when you used [product 
name]. We discovered that we shared your health information with 
third parties for [describe why the company shared the info] without 
your permission. Visit [add non-clickable URL] to learn what 
happened, how it affects you, and what you can do to protect your 
information. We also sent you an email with more information.

In-App Message Notification Exemplar 1

    Due to a security breach on our system, the health information 
you shared with us through [name of product] is now in the hands of 
unknown attackers. This could include your [Add specifics--for 
example, your name, email, address, blood pressure data]. Visit 
[URL] to learn what happened, how it affects you, and what you can 
do to protect your information. We also sent you an email with 
additional information.

In-App Message Notification Exemplar 2

    You shared health information with us when you used [product 
name]. We discovered that we shared your health information with 
third parties for [if known, describe why the company shared the 
info] without your permission. This could include your [Add 
specifics--for example, your name, email, address, blood pressure 
data]. Visit [URL] to learn what happened, how it affects you, and 
what you can do to protect your information. We also sent you an 
email with additional information.

Web Banner Exemplars

Web Banner Notification Exemplar 1

    Due to a security breach on our system, the health information 
you shared with us through [name of product] is now in the hands of 
unknown attackers. This could include your [Add specifics--for 
example, your name, email, address, blood pressure data]. Visit 
[URL] to learn what happened, how it affects you, and what you can 
do to protect your information.
     Recommend: Include clear ``Take action'' call to action 
button, such as the example below:
[GRAPHIC] [TIFF OMITTED] TR30MY24.018

Web Banner Notification Exemplar 2

    You shared health information with us when you used [product 
name]. We discovered that we shared your health information with 
third parties for [if known, describe why the company shared the 
info] without your permission. This could include your [Add 
specifics--for example, your name, email, address, blood pressure 
data]. Visit [URL] to learn what happened, how it affects you, and 
what you can do to protect your information.
     Recommend: Include clear ``Take action'' call to action 
button, such as the example below:

[[Page 47058]]

[GRAPHIC] [TIFF OMITTED] TR30MY24.019

Email Exemplars

Exemplar Email Notice 1

Email Sender: [Company] 
Email Subject Line: [Company] Breach of Your Health Information
Dear [Name],

    We are contacting you because an attacker recently gained 
unauthorized access to our system and stole health information about 
our customers, including you.
    What happened and what it means for you
    On [March 1, 2024], we learned that an attacker had accessed a 
file containing our customers' health information on [February 28, 
2024]. The file included your name, the name of your health 
insurance company, your date of birth, and your group or policy 
number.
    What you can do to protect yourself
    You can take steps now to reduce the risk of identity theft.
    1. Review your medical records, statements, and bills for signs 
that someone is using your information. Under the health privacy law 
known as HIPAA, you have the right to access your medical records. 
Get your records and review them for any treatments or doctor visits 
you don't recognize. If you find any, report them to your healthcare 
provider in writing. Then go to www.IdentityTheft.gov/steps to see 
what other steps you can take to limit the damage.
    Also review the Explanation of Benefits statement your insurer 
sends you when it pays for medical care.
    Some criminals wait before using stolen information so keep 
monitoring your benefits and bills.
    2. Review your credit reports for errors. You can get your free 
credit reports from the three credit bureaus at 
www.annualcreditreport.com or call 1-877-322-8228. Look for medical 
billing errors, like medical debt collection notices that you don't 
recognize. Report any medical billing errors to all three credit 
bureaus by following the ``What To Do Next'' steps on 
www.IdentityTheft.gov.
    3. Sign up for free credit monitoring to detect suspicious 
activity. Credit monitoring detects and alerts you about activity on 
your credit reports. Activity you don't recognize could be a sign 
that someone stole your identity. We're offering free credit 
monitoring for two years through [name of service]. Learn more and 
sign up at [URL].
    4. Consider freezing your credit report or placing a fraud alert 
on your credit report. A credit report freeze means potential 
creditors can't get your credit report without your permission. That 
makes it less likely that an identity thief can open new accounts in 
your name. A freeze remains in place until you ask the credit bureau 
to temporarily lift it or remove it.
    A fraud alert will make it harder for someone to open a new 
credit account in your name. It tells creditors to contact you 
before they open any new accounts in your name or change your 
accounts. A fraud alert lasts for one year. After a year, you can 
renew it.
    To freeze your credit report, contact each of the three credit 
bureaus, Equifax, Experian, and TransUnion.
    To place a fraud alert, contact any one of the three credit 
bureaus, Equifax, Experian, and TransUnion. As soon as one credit 
bureau confirms your fraud alert, the others are notified to place 
fraud alerts on your credit report.
    Credit bureau contact information

Equifax, www.equifax.com/personal/credit-report-services, 1-800-685-
1111
Experian, www.experian.com/help, 1-888-397-3742
TransUnion, www.transunion.com/credit-help, 1-888-909-8872

    Learn more about how credit report freezes and fraud alerts can 
protect you from identity theft or prevent further misuse of your 
personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.
    What we are doing in response
    We hired security experts to secure our system. We are working 
with law enforcement to find the attacker. And we are investigating 
whether we made mistakes that made it possible for the attackers to 
get in.
    Learn more about the breach.
    Go to [URL] to learn more about what happened and what you can 
do to protect yourself. If we have any updates, we will post them 
there.
    If you have questions or concerns, call us at [telephone 
number], email us at [address], or go to [URL].

Sincerely,
First name Last Name
[Role], [Company]

Exemplar Email Notice 2

Email Sender: [Company] 
Email Subject Line: Unauthorized disclosure of your health 
informationby [Company]

Dear [Name],

    We are contacting you because you use our company's app [name of 
app]. When you downloaded our app, we promised to keep your personal 
health information private. Instead, we disclosed health information 
about you without your approval.
    What happened?
    We told [insert Company name, identity, or, where providing full 
name or identity would pose a risk to individuals or the entity 
providing notice, a description of type of company] that you use our 
app, and between [January 10, 2024] and [March 1, 2024], we gave 
them your name and your email address.
    We gave [insert Company name, identity, or where providing full 
name or identity would pose a risk to individuals or the entity 
providing notice, a description of type of company] this information 
so they could use it for advertising and marketing purposes. For 
example, to target you for ads for cancer drugs.
    What we are doing in response
    We will stop selling or sharing your health information with 
other companies. We will stop using your health information for 
advertising or marketing purposes. We have asked Company XYZ to 
delete your health information, but it's possible they could 
continue to use it for advertising and marketing.
    What you can do
    We made important changes to our app to fix this problem. 
Download the latest updates to our app then review your privacy 
settings. You can also contact Company XYZ to request that it delete 
your data.
    Learn more
    Learn more about our privacy and security practices at [URL]. If 
we have any updates, we will post them there.
    If you have any questions or concerns, call us at [telephone 
number] or email us at [address].

Sincerely,

First name Last Name
[Role], [Company]

Exemplar Email Notice 3

Email Sender: [Company] 
Email Subject Line: [Company] Breach of Your Health Information

Dear [Name],

    We are contacting you about a breach of your health information 
collected through the [product], a device sold by our company, 
[Company].
    What happened?
    On [March 1, 2024], we discovered that our employee had 
accidentally posted a database online on [February 28, 2024]. That 
database included your name, your credit or debit card information, 
and your blood pressure readings. We don't know if anyone else found 
the database and saw your information. If someone found the 
database, they could use personal information to steal your identity 
or make unauthorized charges in your name.
    What you can do to protect yourself
    You can take steps now to reduce the risk of identity theft.
    1. Get your free credit report and review it for signs of 
identity theft. Order your free credit report at 
www.annualcreditreport.com. Review it for accounts and activity you 
don't recognize. Recheck your credit reports periodically.

[[Page 47059]]

    2. Consider freezing your credit report or placing a fraud alert 
on your credit report. A credit report freeze means potential 
creditors can't get your credit report without your permission. That 
makes it less likely that an identity thief can open new accounts in 
your name. A freeze remains in place until you ask the credit bureau 
to temporarily lift it or remove it.
    A fraud alert will make it harder for someone to open a new 
credit account in your name. It tells creditors to contact you 
before they open any new accounts in your name or change your 
accounts. A fraud alert lasts for one year. After a year, you can 
renew it.
    To freeze your credit report, contact each of the three credit 
bureaus, Equifax, Experian, and TransUnion.
    To place a fraud alert, contact any one of the three credit 
bureaus, Equifax, Experian, and TransUnion. As soon as one credit 
bureau confirms your fraud alert, the others are notified to place 
fraud alerts on your credit report.
    Credit bureau contact information

Equifax, www.equifax.com/personal/credit-report-services, 1-800-685-
1111
Experian, www.experian.com/help, 1-888-397-3742
TransUnion, www.transunion.com/credit-help, 1-888-909-8872

    Learn more about how credit report freezes and fraud alerts can 
protect you from identity theft or prevent further misuse of your 
personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.
    3. Sign up for free credit monitoring to detect suspicious 
activity. Credit monitoring detects and alerts you about activity on 
your credit reports. Activity you don't recognize could be a sign 
that someone stole your identity. We're offering free credit 
monitoring for two years through [name of service]. Learn more and 
sign up at [URL].
    What we are doing in response
    We are investigating our mistakes. We know the database 
shouldn't have been online and it should have been encrypted. We are 
making changes to prevent this from happening again.
    We are working with experts to secure our system. We are 
reviewing our databases to make sure we store health information 
securely.
    Learn more about the breach.
    Go to [URL] to learn more about what happened and what you can 
do to protect yourself. If we have any updates, we will post them 
there.
    If you have questions or concerns, call us at [telephone 
number], email us at [address], or go to [URL].

Sincerely,

First name Last Name
[Role], [Company]

Appendix B--Joint Statement by FTC Chair and Commissioners

Joint Statement of Chair Lina M. Khan, Commissioner Rebecca Kelly 
Slaughter, and Commissioner Alvaro M. Bedoya

    Today, the FTC finalizes an update to the Health Breach 
Notification Rule (``the Final Rule'') that ensures its protections 
keep pace with the rapid proliferation of digital health records. We 
do so to fulfill a clear statutory directive given to us by 
Congress.
    In 2009, as part of the American Recovery and Reinvestment Act 
(``ARRA''), Congress passed the Health Information Technology for 
Economic and Clinical Health Act (``HITECH Act'').\314\ Among other 
things, the HITECH Act sought to fill the gaps left by the privacy 
and security protections created under the Health Insurance 
Portability and Accountability Act (``HIPAA''), which was passed 
more than a decade earlier.\315\ Specifically, it expanded the kinds 
of entities subject to the privacy and security provisions of 
HIPAA,\316\ gave state attorneys general enforcement powers,\317\ 
and--most relevant here--directed the Commission to issue a rule 
requiring entities not covered by HIPAA to provide notification of 
any breach of unsecured health records.\318\ The Commission issued 
the original rule in 2009.\319\ In 2020, the Commission initiated 
its regular decennial rule review and, in 2021, the Commission 
issued a policy statement clarifying how the rule applies to health 
apps and other connected devices.\320\ In the years since, the 
Commission has brought enforcement actions against health apps 
alleging violations of the Health Breach Notification Rule.\321\ 
Today's issuance of the Final Rule codifies this approach, honoring 
the statutory directive that people must be notified when their 
health records are breached.
---------------------------------------------------------------------------

    \314\ Am. Recovery and Reinvestment Act of 2009, Public Law 111-
5, 123 Stat. 115 (2009) at Sec. 13400 et seq.
    \315\ Health Insurance Portability and Accountability Act, 
Public Law 104-191, 110 Stat. 1936, 2022 (1996) at Sec. 1171, 
codified at 42 U.S.C. 1320d.
    \316\ Health Information Technology for Economic and Clinical 
Health Act, Public Law 111-5, Div. A, Title XIII, Subtitle D, 
sections 13401 and 13404 (codified at 42 U.S.C. 17937(a))
    \317\ Id. 13410(e).
    \318\ Id. 13407(g)(1).
    \319\ 74 FR 42962 (Aug. 25, 2009).
    \320\ Statement of the Commission on Breaches by Health Apps and 
Other Connected Devices (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf.
    \321\ See, e.g., Fed. Trade Comm'n, FTC Enforcement Action to 
Bar GoodRx from Sharing Consumers' Sensitive Health Info for 
Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising; Fed. Trade Comm'n, 
Ovulation Tracking App Premom Will be Barred from Sharing Health 
Data for Advertising Under Proposed FTC Order (May 17, 2023), 
https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc.
---------------------------------------------------------------------------

    The dissent argues that the Commission's action ``exceeds the 
Commission's statutory authority.'' \322\ But its analysis 
contravenes a plain reading of the statute.
---------------------------------------------------------------------------

    \322\ Dissenting Statement of Comm'rs Melissa Holyoak and Andrew 
Ferguson at 1 (Apr. 25, 2024) (hereinafter ``Dissent'').
---------------------------------------------------------------------------

    In the HITECH Act, Congress directed the FTC to issue rules 
requiring vendors of personal health records (``PHR'') to notify 
consumers and the FTC following ``a breach of security of unsecured 
PHR identifiable health information.'' \323\ The statute defines the 
term ``PHR identifiable health information'' as ``individually 
identifiable health information, as defined in section 1320d(6) of 
this title.'' \324\ Section 1320d(6), a portion of the Social 
Security Act created by HIPAA, defines ``individually identifiable 
health information'' as ``any information . . . that is created or 
received by a health care provider, health plan, employer, or health 
care clearinghouse.'' \325\ Section 1320d(3), another section of the 
Social Security Act created by HIPAA, defines ``health care 
provider'' as, first, ``a provider of services'' as defined in 
section 1395x(u); \326\ second, ``a provider of medical or other 
health services'' as defined in section 1395x(s); \327\ and, third, 
``any other person furnishing health care services or supplies.'' 
\328\
---------------------------------------------------------------------------

    \323\ Health Information Technology for Economic and Clinical 
Health Act, Public Law 111-5, Div. A, Title XIII, Subtitle D, 
section 13407 (codified at 42 U.S.C. 17937(a)).
    \324\ 42 U.S.C. 17937(f)(2).
    \325\ 42 U.S.C. 1320d(6).
    \326\ See 42 U.S.C. 1395x(u) (``The term ``provider of 
services'' means a hospital, critical access hospital, rural 
emergency hospital, skilled nursing facility, comprehensive 
outpatient rehabilitation facility, home health agency, hospice 
program, or, for purposes of section 1395f(g) and section 1395n(e) 
of this title, a fund.'').
    \327\ 42 U.S.C. 1395x(s) (listing a vast array of services, 
tests, supplies, and measurements, comprising over 2000 words and 15 
categories, one of which has over 30 subcategories).
    \328\ 42 U.S.C. 1320d(3) (emphasis added).
---------------------------------------------------------------------------

    The term ``health care services or supplies,'' undefined in the 
statute, is defined in the Final Rule as follows:
    Health care services or supplies means any online service such 
as a website, mobile application, or internet-connected device that 
provides mechanisms to track diseases, health conditions, diagnoses 
or diagnostic testing, treatment, medications, vital signs, 
symptoms, bodily functions, fitness, fertility, sexual health, 
sleep, mental health, genetic information, diet, or that provides 
other health-related services or tools.\329\
---------------------------------------------------------------------------

    \329\ HBNR Final Rule Sec.  318.2(e).
---------------------------------------------------------------------------

    The dissent argues that this definition violates certain canons 
of statutory construction.\330\ But its effort to cabin the third 
category of HIPAA's ``health care provider'' reads it out of 
existence, violating the canon that holds interpretations giving 
effect to every clause of a statute are superior to those that 
render distinct clauses superfluous.\331\ Specifically, the second

[[Page 47060]]

category of ``health care provider'' already comprises a vast array 
of ``provider[s] of medical and other services.'' \332\ If the 
Commission were to interpret the third category as comprising, as 
the dissent recommends, only ``traditional forms of health care 
providers,'' this distinct provision would be entirely redundant.
---------------------------------------------------------------------------

    \330\ Dissent at 2 (``When a statute contains a list, ``each 
word in that list presumptively has a `similar' meaning'' under the 
canon of noscitur a sociis. And when a general term follows a list 
of specific terms, the ejusdem generis canon teaches that the 
general term ``should usually be read in light of those specific 
words to mean something `similar.' '' Together, these canons 
instruct that the final category of health care provider that 
includes the general term ``other person'' must be similar to the 
more specific terms that precede it.'' (citations omitted)).
    \331\ Marx v. Gen. Revenue Corp., 568 U.S. 371, 386 (2013) 
(Thomas, J.) (``Finally, the canon against surplusage is strongest 
when an interpretation would render superfluous another part of the 
same statutory scheme.'').
    \332\ 42 U.S.C. 1320(d)(3) (citing 42 U.S.C. 1395x(u)).
---------------------------------------------------------------------------

    The dissent's approach also fails to give meaning to other 
textual differences between the second and third category. The 
second category in the definition of ``health care provider'' 
discusses a ``provider'' and ``medical'' services.\333\ The third 
category, by contrast, drops the terms ``provider'' in favor of 
``person furnishing'' and drops ``medical'' in favor of ``health 
care.'' \334\ Honoring the materially different words of the statute 
requires us to read these two categories as covering distinct, not 
entirely overlapping, entities.\335\ The Final Rule faithfully 
follows these textual markers and identifies specific services and 
tools that comprise ``health care services or supplies.'' \336\ 
Contrary to this plain reading of the text, the dissent claims that 
Congress must have meant for this provision to apply only to 
``traditional forms of health care providers.'' \337\ But we cannot 
subordinate the text of the statute to speculative accounts of what 
Congress intended.
---------------------------------------------------------------------------

    \333\ 42 U.S.C. 1320(d)(3).
    \334\ Id.
    \335\ See Southwest Airlines Co. v. Saxon, 596 U.S. 450, 458 
(2022) (Thomas, J.) (``Where a document has used one term in one 
place, and a materially different term in another, the presumption 
is that the different term denotes a different idea'' (cleaned up)).
    \336\ In addition to defining this term by identifying specific 
services, the Final Rule actually also narrowed the definition 
originally proposed in the NPRM, by eliminating ``includes'' from 
the definition. SBP at 27 (``[T]he Commission has substituted the 
word `means' for `includes' to avoid implying greater breadth than 
the Commission intends.'').
    \337\ Dissent at 3. This rejection of the text of the statute, 
in favor of vague speculation about what Congress intended, mirrors 
the argument advanced by the Chamber of Commerce (``the Chamber''). 
The Chamber purports to rely on a ``plain text reading'' of the 
statute but immediately switches--in the very same sentence--to 
vague notions of Congressional intent: ``It is clear from a plain 
text reading of both the HITECH Act and HIPPA [sic] that Congress 
intended for the HBNR to cover health records more aligned with the 
provision of health services provided by traditional health 
providers at a time when it was attempting to digitize traditional 
health records.'' Comment submitted by U.S. Chamber of Com., Health 
Breach Notification Rule, Regulations.gov (Aug. 8, 2023) at 3, 
https://www.regulations.gov/comment/FTC-2023-0037-010.
    \337\ Dissent at 3.
---------------------------------------------------------------------------

    The dissent also notes that the Department of Health and Human 
Services (``HHS'') ``has never interpreted the term `health care 
provider' to reach the expansive, creative conclusion that the 
Commission does today.'' \338\ HHS has, however, interpreted 
``health care provider,'' and its interpretation of this term is 
consistent with the Commission's definition.\339\ In the HIPAA 
Privacy Rule, HHS defines first two categories of ``health care 
provider'' using the same language as the statute, but the third 
category is changed from ``any other person furnishing health care 
services or supplies'' to ``any other person or organization who 
furnishes, bills, or is paid for health care in the normal course of 
business.'' \340\ HHS also defines ``health care'' broadly, as any 
``care, services, or supplies related to the health of an 
individual.'' \341\
---------------------------------------------------------------------------

    \338\ Dissent at 3.
    \339\ That the HIPAA Privacy rule has a narrower overall scope 
does not change this fact.
    \340\ 45 CFR 160.103.
    \341\ Id. (emphasis added). The dissent asserts that we 
``mischaracterize[] the HIPAA Privacy Rule, which only applies to 
HIPAA `covered entities' and their `business associates,'--i.e., to 
traditional health care providers, that do not include the broad 
swath of app developers the Final Rule will encompass.'' Dissent at 
4 n.24 (internal citations omitted). It is not clear how this 
qualifies as a mischaracterization. Indeed, this is precisely the 
stated purpose of the Health Breach Notification Rule: To cover 
entities that HIPAA does not. The dissent also notes that we fail to 
recognize that HHS provides two examples of ``health care.'' But, 
HHS expressly states that the definition ``includes, but is not 
limited to'' these categories. 45 CFR 160.103. In any case, the 
breadth of these categories further underscores the expansive scope 
of HHS's definition of health care. Id.
    \341\ Dissent at 2.
---------------------------------------------------------------------------

    Notably, in its 1999 Notice of Proposed Rulemaking for the HIPAA 
Privacy Rule, HHS originally had proposed to define the term 
``health care'' as constituting ``the provision of care, services, 
or supplies. . . .'' \342\ But, in its final rule, HHS eliminated 
the concept of ``provision'' in order to distinguish the broader 
term of ``health care'' from the narrower term ``treatment.'' \343\ 
HHS explained: ``We delete the term `providing' from the definition 
[of health care] to delineate more clearly the relationship between 
`treatment,' as the term is defined in Sec.  164.501, and `health 
care.' '' \344\ HHS defined ``treatment,'' in contrast to ``health 
care,'' as ``the provision, coordination, or management of health 
care and related services.'' \345\ In short, HHS defines ``health 
care'' broadly, covering all aspects related to the health of an 
individual, and defines ``treatment'' more narrowly, referring to 
the provision of medical care to an individual. The dissent's 
proposal to narrow the third category of ``health care provider'' to 
``traditional forms of health care providers'' closely mirrors the 
approach that HHS rejected when it defined this term.\346\
---------------------------------------------------------------------------

    \342\ Proposed Rule, Standards for Privacy of Individually 
Identifiable Health Information, 64 FR 59918, 60049 (Nov. 3, 1999) 
(emphasis added).
    \343\ 65 FR 82462, 82477.
    \344\ Id.
    \345\ 45 CFR 164.501.
    \346\ Dissent at 2.
---------------------------------------------------------------------------

    The dissent also claims that changing the phrase ``can be 
drawn'' to ``has the technical capacity to draw'' violates the 
surplusage canon because it renders the limitation meaningless as to 
health apps, because ``virtually every app has the technical 
capacity to draw some information from more than one source.'' \347\ 
This argument fails for two reasons. First, as the Statement of 
Basis and Purpose (``SBP'') explains, there are products and 
services that do not satisfy this requirement.\348\ Second, even if 
the definition did reach every health app, that would not itself 
suggest that the Final Rule's definition was wrongly crafted. 
Rather, it would reflect the rapid growth in digital applications 
and services related to consumers' health.\349\
---------------------------------------------------------------------------

    \347\ Dissent at 4.
    \348\ SBP at 29-30.
    \349\ The dissent's argument anachronistically assumes that 
Congress intended for the Rule to cover some health apps, but not 
other health apps. But, in fact, the Apple and Google app stores 
were in their infancy when Congress drafted this legislation in 
2009, and so there is no indication that Congress was thinking about 
specific health apps at all. To the extent the dissent's argument is 
that Congress simply did not anticipate the vast number of products 
that would end up covered by the broad category of ``supplies and 
services,'' it is not within the Commission's authority to re-write 
the statute based on the Commission's belief of what Congress would 
have wanted. MCI Telecomms. Corp. v. Am. Telephone & Telegraph Co., 
512 U.S. 218, 229 (1994) (holding that FCC's authority to ``modify'' 
does not extend to eliminating altogether a statutory requirement).
---------------------------------------------------------------------------

    The practical ramifications of the dissent's legal shortcomings 
are significant.
    Just last year, the Commission brought an action against Easy 
Healthcare Corporation, alleging privacy violations by its fertility 
tracking application Premom.\350\ As laid out in the complaint, 
Premom--which encourages users to provide information about their 
menstrual cycles, fertility, and pregnancy, as well as to import 
their data from other services, such as Apple Health--shared 
information with advertisers and China-based companies through 
software development kits (``SDKs'') embedded in the application. 
The Commission's eight-count complaint against Easy Healthcare 
reflected the seriousness of this misconduct, charging the business 
with deceptive and unfair practices, as well as a violation of the 
Health Breach Notification Rule, which triggered civil penalties.
---------------------------------------------------------------------------

    \350\ Press Release, Fed. Trade Comm'n, Ovulation Tracking App 
Premom Will be Barred from Sharing Health Data for Advertising Under 
Proposed FTC Order (May 17, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc.
---------------------------------------------------------------------------

    Under the dissent's analysis of health care services or 
supplies, the developer of the Premom application--Easy Healthcare--
would not be covered by the Health Breach Notification Rule. This 
reading would mean that when companies like Easy Healthcare suffer a 
breach that may divulge health information to companies located in 
China, the Health Breach Notification Rule would not require them to 
disclose the breach to its users. It would also mean that when Easy 
Healthcare broadcasts women's sensitive health data across the vast 
commercial surveillance network propped up by SDKs and ad networks, 
the Health Breach Notification Rule would not require Easy 
Healthcare to alert women. Today's Final Rule rejects this atextual 
and cramped reading of the law, ensuring that businesses that hold 
themselves out as health care services companies--like Easy 
Healthcare--

[[Page 47061]]

are considered ``health care services'' companies under the law.
    Lastly, the dissent claims that the Final Rule introduces 
ambiguity where previous there was none. But GoodRx suggests 
otherwise. In a unanimous action, the Commission charged GoodRx with 
making unauthorized disclosures of people's health data to Facebook 
and Google, among others.\351\ GoodRx, meanwhile, disputed the 
applicability of the HBNR to its practices, calling it a ``novel'' 
application.\352\ By codifying how HBNR applies to online platforms 
and applications, today's Final Rule provides market participants 
with more clarity about what entities are covered--thereby providing 
greater certainty and notice.\353\
---------------------------------------------------------------------------

    \351\ Press Release, Fed. Trade Comm'n, FTC Enforcement Action 
to Bar GoodRx from Sharing Consumers' Sensitive Health Info for 
Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising; See also, Concurring 
Statement of Comm'r Christine S. Wilson, GoodRx Holdings, Inc. (Feb. 
1, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/2023090_goodrx_final_concurring_statement_wilson.pdf (``Today's 
settlement marks the first enforcement matter in which the FTC has 
invoked the HBNR. I congratulate staff on this important step--the 
agency rightly is focused on protecting the privacy of sensitive 
health data and empowering consumers to make informed choices about 
the goods and services they use.''); see also id. at 5 (describing 
the GoodRx case as ``an important milestone in the Commission's 
privacy work.''). The dissent suggests that Commissioners Holyoak 
and Ferguson would have supported the application of HBNR to GoodRx.
    \352\ See GoodRx, GoodRx Response to FTC Settlement (Feb. 1, 
2023) (``We believe this is a novel application of the Health Breach 
Notification Rule by the FTC. . . . We do not agree with the 
assertion that this was a violation of the HBNR.'').
    \353\ The dissent concedes that it does support an update to the 
rule that provides more clarity--and specifically an update that 
provides clarity to show that the rule covers GoodRx. Dissent at 7 
(``I would support changes to the Rule that clarify the Rule's 
application to companies like GoodRx.''). That is precisely what 
today's Final Rule does. Previously, the rule did not define 
``health care services or supplies,'' and today's Final Rule does. 
Previously, health apps like GoodRx stated that it was unclear 
whether the rule applies to them, and today's Final Rule makes clear 
that it does. This concession from the dissent suggests a more 
modest disagreement with the contours of how the Rule defines 
``health care services or supplies,'' though--notably--the dissent 
does not provide an alternative definition.
---------------------------------------------------------------------------

    GoodRx marked the first time the Commission had ever enforced 
the Health Breach Notification Rule. A top priority for us at the 
Commission is ensuring we are faithfully discharging our statutory 
duties, rather than letting the authorities that Congress has 
granted us sit dormant, and we are proud of the work the Commission 
and the staff are doing to take care that the full set of laws 
assigned to the FTC are being faithfully executed.\354\ We agree 
with the dissent that we must look out for the institutional 
integrity of the Commission. Failing to use the full scope of our 
statutory tools to protect Americans--and failing to update our 
application of these tools even as technologies change--would 
undermine the agency's integrity and credibility alike.
---------------------------------------------------------------------------

    \354\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Hits R360 
and its Owner With $3.8 Million Civil Penalty Judgment for Preying 
on People Seeking Treatment for Addiction (May 17, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-hits-r360-its-owner-38-million-civil-penalty-judgment-preying-people-seeking-treatment-addiction (the Commission's first action brought under the 
Opioid Addiction Recovery Fraud Prevention Act); Harris Jewelry, 
Press Release, Fed. Trade Comm'n, FTC and 18 States Sue to Stop 
Harris Jewelry from Cheating Military Families with Illegal 
Financing and Sales Tactics (Jul. 20, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/07/ftc-18-states-sue-stop-harris-jewelry-cheating-military-families-illegal-financing-sales-tactics (the Commission's first action brought under the Military 
Lending Act); Press Release, Fed. Trade Comm'n, Smart Home 
Monitoring Company Vivint Will Pay $20 Million to Settle FTC Charges 
That It Misused Consumer Credit Reports (Apr. 29, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/04/smart-home-monitoring-company-vivint-will-pay-20-million-settle-ftc-charges-it-misused-consumer (the Commission's first action brought under the 
Red Flags Rule, brought under Acting Chair Slaughter); Press 
Release, Fed. Trade Comm'n, FTC Sues Burger Franchise Company That 
Targets Veterans and Others With False Promises and Misleading 
Documents (Feb. 8, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/02/ftc-sues-burger-franchise-company-targets-veterans-others-false-promises-misleading-documents (the 
Commission's first action under the Franchise Rule since 2007); 
Press Release, Fed. Trade Comm'n, FTC Issues Rule to Deter Rampant 
Made in USA Fraud (Jul. 1, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/07/ftc-issues-rule-deter-rampant-made-usa-fraud (issuance of the Made in the USA Rule, more than 25 years 
after Congress authorized the Commission to promulgate a rule).
---------------------------------------------------------------------------

    We are deeply grateful to the Division of Privacy and Identity 
Protection for leading the Commission's work to activate the Health 
Breach Notification Rule and for finalizing this Rule update. In an 
environment rife with new and evolving threats to Americans' health 
data, ensuring we are faithfully harnessing all of our statutory 
tools to protect people from data breaches is paramount.

Dissenting Statement of Commissioner Melissa Holyoak, Joined by 
Commissioner Andrew Ferguson

    The Health Breach Notification Rule (``Final Rule'') that the 
Commission adopts today exceeds the Commission's statutory 
authority, puts companies at risk of perpetual non-compliance, and 
opens the Commission to legal challenge that could undermine its 
institutional integrity. I share the majority's goal of protecting 
the privacy and security of consumers' identifiable health 
information,\1\ and I support vigorous enforcement of laws 
protecting sensitive personal information with which Congress has 
entrusted the FTC.\2\ I would support finalizing a rule that extends 
and clarifies the scope of the Commission's enforcement in this 
important area of consumer protection if that rule were consistent 
with our grant of authority from Congress. But, no matter how the 
majority attempts to shoehorn its desired policy goal into a ``plain 
reading'' of the statute,\3\ I cannot support a rule that exceeds 
the bounds Congress clearly established. Indeed, a core principle 
guiding my tenure at the Commission will be that our rules must 
effectuate the law as it is--not as the Commission may wish it to 
be. For these reasons, I respectfully dissent.
---------------------------------------------------------------------------

    \1\ Like the majority, and other Commissioners before me, I 
support federal privacy legislation, particularly where such 
legislation could address gaps in sector-specific laws and level the 
playing field for companies navigating a patchwork of laws. And like 
the majority, and other Commissioners before me, I care deeply about 
protecting the privacy and security of consumers' health 
information, particularly where it falls outside the bounds of the 
Health Insurance Portability and Accountability Act (``HIPAA''). For 
more than two decades, the FTC has been in a leader in protecting 
consumers' health information. See, e.g., Eli Lilly, FTC File No. 
0123214 (May 10, 2002), https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3214-eli-lilly-company-matter. I look forward 
to continuing the Commission's important work in this area.
    \2\ See, e.g., Children's Online Privacy Protection Rule, 16 CFR 
part 312, as authorized by the Children's Online Privacy Protection 
Act of 1998, 15 U.S.C. 6501 et seq.
    \3\ Joint Statement of Chair Lina M. Khan, Comm'r Rebecca Kelly 
Slaughter, and Comm'r Alvaro M. Bedoya at 2 (Apr. 24, 2024) 
(``Majority Statement'').
---------------------------------------------------------------------------

    The American Recovery and Reinvestment Act of 2009 (``Recovery 
Act'') \4\ authorized the Commission to issue a rule requiring 
vendors of ``personal health records'' (``PHRs'') and related 
entities that are not covered by HIPAA to notify individuals and the 
FTC of a ``breach of security'' of ``unsecured PHR identifiable 
health information.'' \5\ The Commission issued the Health Breach 
Notification Rule in 2009,\6\ initiated a routine review of the Rule 
in 2020,\7\ issued a policy statement re-interpreting the then-
current Rule in 2021 (``2021 Policy Statement''),\8\ issued a Notice 
of Proposed Rulemaking on June 9, 2023 (``NPRM''),\9\ and today 
issues the Final Rule.\10\
---------------------------------------------------------------------------

    \4\ Am. Recovery and Reinvestment Act of 2009, Public Law 111-5, 
123 Stat. 115 (2009).
    \5\ 42 U.S.C. 17937(a), (g).
    \6\ 74 FR 42962 (Aug. 25, 2009).
    \7\ 85 FR 31085 (May 22, 2020).
    \8\ See Statement of the Comm'n on Breaches by Health Apps and 
Other Connected Devices (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf (``2021 Policy Statement'').
    \9\ 88 FR 37819 (June 9, 2023).
    \10\ See Statement of Basis and Purpose (``SBP'') accompanying 
the Final Rule, Section I (summarizing procedural history).
---------------------------------------------------------------------------

    I am encouraged that today the Commission is acting by 
rulemaking, as authorized by statute and following a period of 
notice and comment that elicited a range of views, rather than 
acting by fiat in a policy statement, as the Commission did in 
2021.\11\ I cannot endorse any policy statement that either 
displaces Congress's authority to make law or subverts the 
rulemaking process. The 2021 Policy Statement did both. The majority 
clearly recognizes this overreach. After all, if the 2021 Policy 
Statement had any force, today's rulemaking would be unnecessary.
---------------------------------------------------------------------------

    \11\ See 2021 Policy Statement, supra note 8.
---------------------------------------------------------------------------

    Setting aside this troubling history, I turn to the Final Rule 
itself, which, unfortunately, I find equally troubling in its 
extension beyond the parameters established by Congress.

[[Page 47062]]

    Some background first. Under the Recovery Act, PHR identifiable 
health information means ``individually identifiable health 
information,'' as defined by the Social Security Act, 42 U.S.C. 
1320d(6).\12\ The Social Security Act defines ``individually 
identifiable health information'' as information that is ``created 
or received by a health care provider, health plan, employer, or 
health care clearinghouse.'' \13\ The Social Security Act then 
defines ``health care provider'' to include three categories: ``[1] 
a provider of services (as defined in section 1395x(u) of this 
title), [2] a provider of medical or other health services (as 
defined in section 1395x(s) of this title), and [3] any other person 
furnishing health care services or supplies.'' \14\
---------------------------------------------------------------------------

    \12\ 42 U.S.C. 17937(f)(2).
    \13\ 42 U.S.C. 1320d(6).
    \14\ Id. 1320d(3).
---------------------------------------------------------------------------

    The Commission takes liberties with the final category in that 
definition (``any other person furnishing health care services or 
supplies'') to adopt a new, capacious definition of ``covered health 
care provider'' and a new, similarly capacious definition of 
``health care services and supplies,'' whose joint effect is to 
sweep a large swath of apps and app developers under the purview of 
the Final Rule. These expansive definitions are not consistent with 
the statute. Under longstanding principles of statutory 
interpretation, the final category of provider (``any other person . 
. .'') must be understood in relation to the first two categories 
(``provider of services'' and ``provider of medical or other health 
services'').\15\ When a statute contains a list, ``each word in that 
list presumptively has a `similar' meaning'' under the canon of 
noscitur a sociis.\16\ And when a general term follows a list of 
specific terms, the ejusdem generis canon teaches that the general 
term ``should usually be read in light of those specific words to 
mean something `similar.' '' \17\ Together, these canons instruct 
that the final category of health care provider that includes the 
general term ``other person'' must be similar to the more specific 
terms that precede it.
---------------------------------------------------------------------------

    \15\ See Yates v. United States, 574 U.S. 528, 549-51 (2015) 
(Alito, J., concurring); Antonin Scalia & Bryan A. Garner, Reading 
Law: The Interpretation of Legal Texts 195-196,199-200 (2012).
    \16\ Yates, 574 U.S. at 549.
    \17\ Id. at 550.
---------------------------------------------------------------------------

    The first two categories of health care provider incorporate the 
definitions of sections 1395x(u) and 1395x(s) of the Social Security 
Act, respectively.\18\ The first category of provider includes ``a 
hospital, critical access hospital, rural emergency hospital, 
skilled nursing facility, comprehensive outpatient rehabilitation 
facility, home health agency, hospice program, or . . . a fund.'' 
\19\ The second category of provider includes an extensive list 
(section 1395x(s) includes 17 paragraphs and over 35 subparagraphs) 
of medical professionals including physicians, physician assistants, 
nurse practitioners, clinical psychologists, clinical social 
workers, and others, and the specific services administered by 
medical professionals.\20\ These two categories comprise traditional 
forms of health care providers.
---------------------------------------------------------------------------

    \18\ 42 U.S.C. 1320d(3).
    \19\ 42 U.S.C. 1395x(u).
    \20\ Id. 1395x(s).
---------------------------------------------------------------------------

    The final category, addressing ``any other person furnishing 
health care services or supplies,'' must therefore only include 
persons that are ``similar in nature'' to these first two 
categories.\21\ The majority argues that my ``effort to cabin the 
third category . . . reads it out of existence, violating the canon 
that holds interpretations giving effect to every clause of a 
statute are superior to those that render distinct clauses 
superfluous.'' \22\ This application of the canon is incorrect. 
Requiring similarity among categories does not result in 
superfluity; it merely prevents interpretations that extend beyond 
what the text permits. A catch-all's limited application due to its 
context is not a reason to expand that phrase to encompass 
dissimilar applications.
---------------------------------------------------------------------------

    \21\ Yates, 574 U.S. at 545 (internal quotation marks omitted).
    \22\ Majority Statement at 2.
---------------------------------------------------------------------------

    The Final Rule's definition of ``covered health care provider'' 
is not remotely similar, because it incorporates a new, 
astonishingly broad definition of ``health care services or 
supplies,'' which means ``any online service such as a website, 
mobile application, or internet-connected device that provides 
mechanisms to track diseases, health conditions, diagnoses or 
diagnostic testing, treatment, medications, vital signs, symptoms, 
bodily functions, fitness, fertility, sexual health, sleep, mental 
health, genetic information, diet, or that provides other health-
related services or tools.'' \23\ Thus, the Commission transforms 
``health care provider,'' which both under common usage and in 
context of the statutory provision means entities such as physicians 
and hospitals, to now include any company ``furnishing'' a health-
related app.\24\ As a result, the Final Rule creates a tautology: 
Health app developers may be ``vendors of personal health records'' 
by offering an app containing health information that has been 
created or received by a health care provider, where the health app 
developer is itself the health care provider that creates or 
receives that health information by virtue of offering the app.
---------------------------------------------------------------------------

    \23\ Final Rule at 98.
    \24\ The SBP explains that an app developer (or any company 
``furnishing'' a health app) would be covered as a health care 
provider because its health app is a health care service or supply. 
SBP at 7, 22-28.
---------------------------------------------------------------------------

    Notably, even though the Department of Health and Human Services 
(``HHS'') interprets this same provision of the Social Security Act, 
HHS has--notwithstanding the majority's assertion to the contrary 
\25\--never interpreted the term ``health care provider'' to reach 
the expansive, creative conclusion that the Commission does 
today.\26\ The majority's argument misstates the scope and language 
of the HIPAA Privacy Rule, which only applies to HIPAA ``covered 
entities'' and their ``business associates,'' \27\--i.e., to 
traditional health care providers that do not include the broad 
swath of app developers the Final Rule will encompass. 
Significantly, the majority omits from its characterization of the 
term ``health care'' HHS's own illustrations of that term, which 
highlight the proximity to traditional forms of health care by 
different kinds of medical professionals:
---------------------------------------------------------------------------

    \25\ Majority Statement at 3.
    \26\ See NPRM at 37823.
    \27\ 45 CFR 160.102 through 103.
---------------------------------------------------------------------------

    (1) Preventive, diagnostic, therapeutic, rehabilitative, 
maintenance, or palliative care, and counseling, service, 
assessment, or procedure with respect to the physical or mental 
condition, or functional status, of an individual or that affects 
the structure or function of the body; and
    (2) Sale or dispensing of a drug, device, equipment, or other 
item in accordance with a prescription.\28\
---------------------------------------------------------------------------

    \28\ Id. Sec.  160.103.
---------------------------------------------------------------------------

    The Majority Statement repeatedly says that HHS defines ``health 
care'' broadly,\29\ but the language it cites provides no such 
support.
---------------------------------------------------------------------------

    \29\ Majority Statement at 3-4.
---------------------------------------------------------------------------

    Aware of this incongruency, the Commission seeks to 
differentiate its use of ``health care provider'' from that of 
``other government agencies.'' \30\ Yet the Commission provides no 
explanation why its definition should differ, particularly where it 
is unclear whether the Commission has interpretative authority over 
the Social Security Act's definition of health care provider and 
where other agencies are delegated such interpretative 
authority.\31\
---------------------------------------------------------------------------

    \30\ SBP at 26.
    \31\ Id. at 13 (noting that HHS interprets these provisions of 
the Social Security Act). Cf. City of Arlington, Tex. v. F.C.C., 569 
U.S. 290, 323 (2013) (Roberts, C.J., dissenting) (``When presented 
with an agency's interpretation of such a statute, a court cannot 
simply ask whether the statute is one that the agency administers; 
the question is whether authority over the particular ambiguity at 
issue has been delegated to the particular agency.'').

---------------------------------------------------------------------------

[[Page 47063]]

    The Commission also takes troubling liberties with the statute's 
definition of ``personal health record,'' which are evident from a 
side-by-side comparison of the statute and the Final Rule:

------------------------------------------------------------------------
              Recovery act                          Final rule
------------------------------------------------------------------------
``an electronic record of PHR            ``an electronic record of PHR
 identifiable health information . . .    identifiable health
 on an individual that can be drawn       information on an individual
 from multiple sources and is managed,    that has the technical
 shared, and controlled by or primarily   capacity to draw information
 for the individual.'' \32\.              from multiple sources and that
                                          is managed, shared, and
                                          controlled by or primarily for
                                          the individual.'' \33\
------------------------------------------------------------------------

    Under the Final Rule, a PHR need not actually draw health 
information from multiple sources, as the statute contemplates 
(because the statutory phrase ``that can be drawn'' modifies its 
immediate antecedent, ``health information''). Rather, under the 
Final Rule, a single source of health information will render an app 
a PHR as long as the ``PHR'' has the ``technical capacity'' to draw 
some other information elsewhere.\34\ The implications of this 
change, in conjunction with the expansion of ``health care 
provider,'' are significant. Any retailer that offers an app that 
tracks health-related purchases (e.g., bandages, vitamins, dandruff 
shampoo) may be a vendor of a PHR covered by the Rule if the app 
draws health information (e.g., purchasing information) from the 
consumer and the app has the ``technical capacity'' to draw any 
information from any other source. As the Statement of Basis and 
Purpose notes, commenters warned that virtually every app has the 
technical capacity to draw some information from more than one 
source.\35\ That expansive scope could be appropriate if Congress's 
language permitted it. But the Commission's interpretation, which 
effectively renders the Recovery Act's ``multiple sources'' 
requirement meaningless, ignores longstanding principles of 
statutory interpretation that require each provision of a statute to 
be given effect.\36\
---------------------------------------------------------------------------

    \32\ 42 U.S.C. 17921(11).
    \33\ Final Rule at 99.
    \34\ See SBP at 32 (``Next, adding the phrase `technical 
capacity to draw information' clarifies that a product is a personal 
health record if it can draw any information from multiple sources, 
even if it only draws health information from one source.'').
    \35\ See id. at 34.
    \36\ Scalia & Garner, supra note 15 at 174 (discussing 
surplusage canon).
---------------------------------------------------------------------------

    The Commission's expansive definitions of ``covered health care 
provider,'' ``health care services and supplies,'' and ``personal 
health record'' have a profound effect on the scope of the Rule: 
Most companies that offer or disseminate health-related apps or 
similar products would be treated as ``covered health care 
providers'' that therefore hold ``PHR identifiable health 
information'' in their apps (i.e., PHRs), such that they are vendors 
of PHRs--even if their app is merely health-adjacent.
    Remarkably, the Commission imposes no limit on this 
extraordinary breadth in the Rule itself. Rather, in a post-NPRM 
attempt to check the scope, the Commission fashions a limiting 
principle: Apps are covered only if they are ``more than 
tangentially relating to health.'' \37\ This extra-statutory, extra-
regulatory limit has several significant problems.
---------------------------------------------------------------------------

    \37\ SBP at 28.
---------------------------------------------------------------------------

    First, if the majority were correct, from where would it draw 
the authority to impose this ``more than tangentially relating to 
health'' limitation? If Congress in fact commanded us to cover all 
the apps the majority claims, this extra-textual limitation would be 
beyond our power to impose.\38\ Why, then, does the majority blink 
in the face of what it understands Congress to have required? There 
may be good policy reasons not to follow Congress's language--as the 
majority understands it--wherever it leads, but we do not have power 
to shortchange Congress's commands. That even the majority feels 
compelled to adopt this extra-textual limitation--again, as the 
majority understands the text--on the statute's reach suggests that 
the language probably does not mean what the majority says.
---------------------------------------------------------------------------

    \38\ See Nat'l Fed'n of Indep. Business v. Dep't of Labor, 595 
U.S. 109, 117 (2022) (per curiam) (``Administrative agencies are 
creatures of statute. They accordingly possess only the authority 
that Congress has provided.'').
---------------------------------------------------------------------------

    The second problem is substantive: What does this language mean? 
When does an app cross the line between tangentially related to 
health and more than tangentially related? If a gas station with a 
loyalty app sells Advil, is the app only tangentially related to 
health and outside the Final Rule's purview? If the gas station adds 
Robitussin and pregnancy tests to its inventory, does it cross the 
line to more than tangentially related to health? If a clothing 
store with an e-commerce app sells a handful of maternity shirts, is 
the app only tangentially related to health? If the store adds more 
maternity clothes, nursing bras, and some anti-nausea ginger tea to 
its in-app offerings, is the app more than tangentially related to 
health? If vitamins, over-the-counter medicines, acne creams, 
bandages, and similar items comprise 0.1% or 1% or 10% of a 
superstore's inventory, when is the retailer's e-commerce app more 
than tangentially related to health? I see no clear answers to any 
of these hypotheticals in today's Final Rule, which suggests that 
the marketplace will see no clear answers either.\39\
---------------------------------------------------------------------------

    \39\ The expansive coverage increases the likelihood of creating 
unintended consequences. Will the gas station decline to add over-
the-counter medicines to its inventory to avoid crossing the line of 
``more than tangentially related to health''? Will the clothing 
retailer shy away from maternity apparel? Will the e-commerce giant 
avoid selling bandages and dandruff shampoo? These potentially 
detrimental outcomes undermine a Rule intended to benefit consumers.
---------------------------------------------------------------------------

    The third problem is procedural. The Commission did not propose 
this ambiguous but impactful limitation in a Notice of Proposed 
Rulemaking--likely because there is no statutory basis for this 
newly-created language. Rather, it introduces this crucial concept 
for the first time in a Statement of Basis and Purpose (a purely 
interpretive document) as a post hoc fix to the problem the 
Commission itself created with its expansive definitions. As a 
result, the Commission did not provide notice or receive public 
comment on the efficacy or propriety of this limitation, depriving 
the public of its opportunity to meaningfully participate in the 
rulemaking process and depriving itself of potentially valuable 
input from commenters.
    The final problem is that this post hoc, extra-regulatory 
limitation renders the Commission's burden analysis inadequate. The 
Paperwork Reduction Act (``PRA'') requires the Commission to 
estimate the reportable breaches by entities covered by the Rule and 
compliance costs.\40\ The Regulatory Flexibility Act (``RFA'') 
requires the Commission to assess the economic impact on small 
businesses.\41\ Apparently relying on the SBP's ``more than 
tangentially related to health'' limitation, the PRA and RFA 
analyses only address breaches by apps categorized as ``Health and 
Fitness.'' \42\ Because the Rule itself contains no such limitation, 
general retailers with e-commerce apps, gas stations with loyalty 
apps, and other similar generalists that sell any health-related 
items do not factor into these analyses. As a result, they likely 
dramatically underestimate the numbers of regulated entities, number 
of breaches, and costs to businesses.
---------------------------------------------------------------------------

    \40\ See generally 44 U.S.C. 3501 et seq.; SBP at 86.
    \41\ 5 U.S.C. 601 through 612.
    \42\ SBP at 86, 93.
---------------------------------------------------------------------------

    Perhaps the breath of the Final Rule would be more of a 
theoretical than practical concern to businesses, if they could 
adopt practices sufficient to avoid any breach that would trigger 
notice obligations under the Final Rule, or, in the event of a 
breach, err on the side of notification. But Sec.  318.3(b) of the 
Final Rule imposes affirmative obligations on companies to notify 
their service providers if they are covered by the Final Rule, 
regardless of whether they experience a breach.\43\ To comply with 
this requirement, companies must know whether they are covered by 
the Rule--that is, which side of ``more than tangentially relating 
to health'' they fall on. Without clarity on that line, companies 
run the risk of being in

[[Page 47064]]

perpetual violation of the Final Rule and, therefore, perpetually at 
the mercy of the Commission's enforcement discretion. The 
Commission, at this moment, may not intend to pursue such technical 
violations. But any expression of intended restraint will be cold 
comfort to companies that have seen the Commission's self-imposed 
restraint wax and wane in other areas.\44\
---------------------------------------------------------------------------

    \43\ This may have been a sensible requirement in 2009, when the 
scope of the Rule was much narrower, but it has dramatic 
consequences in this much-expanded Rule.
    \44\ Significantly, the Majority Statement is silent as to the 
propriety and consequences of its ``tangentially related'' limiting 
principle, likely because this approach is indefensible.
---------------------------------------------------------------------------

    I find the majority's liberties with the statute particularly 
troubling because they are unnecessary to reach health apps. Indeed, 
the Commission's own recent enforcement action against digital 
healthcare platform GoodRx makes that clear. Only last year, a 
bipartisan Commission applied the 2009 Rule to GoodRx's online 
platform and app because the company received identifiable health 
information on prescription medications (among other things) from 
pharmacy benefit managers and pharmacies, among other sources, so 
that consumers could manage their information.\45\ The majority 
argues that today's changes are necessary to provide clarity to the 
market about the Rule's scope,\46\ but GoodRx has already done 
that--and I would support changes to the Rule that are consistent 
with the statute. In short, I agree with the majority's goals--
safeguarding consumers' sensitive health information and 
implementing a Congressional mandate to put consumers on notice of 
the breach of that data--but I believe that we must effectuate those 
goals within the scope of the law as it is, rather than legislating 
in the guise of applying the law.
---------------------------------------------------------------------------

    \45\ See Concurring Statement of Commissioner Christine S. 
Wilson, GoodRx, Matter No. 2023090 1 n.2 (Feb. 1, 2023) (``GoodRx 
has violated the HBNR based on a plain reading of the text, setting 
aside any gloss the Commission sought to add in its September 2021 
Statement on Breaches by Health Apps and Other Connected 
Devices.''), https://www.ftc.gov/system/files/ftc_gov/pdf/2023090_goodrx_final_concurring_statement_wilson.pdf.
    \46\ Majority Statement at 5.
---------------------------------------------------------------------------

    The FTC is a venerable institution that does vital work to 
protect consumers and promote competition, thanks to its hardworking 
and devoted career staff. I commend the staff attorneys, economists, 
and technologists who worked on the rule for their careful and 
thoughtful consideration of difficult issues. Ultimately, while I am 
sympathetic to the majority's goal, I fear that adopting a Final 
Rule that is irreconcilable with the statute and that puts companies 
in an untenable position puts the Commission at risk. Legal 
challenges may undermine the Commission's institutional integrity, 
and Congress may be reluctant to trust the Commission with other 
authority--even the much-needed authority to protect the privacy of 
consumers' sensitive personal information. I therefore respectfully 
dissent.

[FR Doc. 2024-10855 Filed 5-29-24; 8:45 am]
BILLING CODE 6750-01-P