Changes to the Federal Trade Commission (FTC) Health Breach Notification Rule close some gaps but add some ambiguity
Abstract
On 26th April, 2024, the Federal Trade Commission (FTC) issued a final rule amending the 2009 Health Breach Notification Rule (HBNR). The primary aim of the Final Rule is to close gaps between the preceding version of the FTC's breach notification rule and the protections offered by the breach notification regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The FTC focused on the personal data regularly processed by direct-to-consumer Health Apps, which represent a growing segment of the healthcare industry not regulated by HIPAA. This paper provides an in-depth analysis of the changes introduced by the Final Rule, the implications for businesses not regulated by HIPAA, and the potential operational ripple effects for many businesses now regulated under the Final Rule. It also discusses the updated individual notification obligations and the need for impacted individuals to be made aware of potential risks while balancing issues related to notice fatigue.
The full article is available to subscribers to the journal.
Authors' Biographies
Trinity Car
Trinity is the managing counsel for a Fortune 1000 company and a designated privacy law specialist with a strong industry focus on health care and life sciences. In addition to advising on data protection laws, Trinity also serves as the Canadian DPO and regularly provides guidance on GDPR compliance. She has a deep understanding of the applicability of the Health Insurance Portability and Accountability Act (HIPAA) to health care and research. Trinity has extensive experience advising clients ranging in size and maturity from newly public to Fortune 200 in a variety of areas including implementing emerging technologies, advising on complex data flows, negotiating large technology deals, incident response, M&A, privacy contracting (including legitimising international data transfer) and global privacy compliance. Trinity is a frequent speaker and author on privacy-related topics and holds a CIPP/US, CIPM and FIP in addition to her PLS from the IAPP.
Brad Rostolsky
Brad is a member of the Health Care & FDA Practice in Greenberg Traurig's Philadelphia office. As a healthcare regulatory and transactional attorney, Brad represents a range of clients in the health sector including hospitals, health plans, medical practices, pharmacies, patient assistance programmes, electronic health records providers, management companies, pharmaceutical manufacturers and medical device companies. He regularly advises clients on virtually all aspects of health information privacy and security compliance under the Health Insurance Portability and Accountability Act (HIPAA) and state law, and spends considerable time helping clients navigate the multi-speciality realm of digital health, including providing business structuring advice to facilitate pursuing desired operational outcomes without running afoul of regulatory constraints. Brad also has deep experience guiding clients through significant privacy and security incident response and associated investigations. Brad's experience also includes assisting hospitals on arrangements with physicians, such as joint ventures, physician recruitment, practice acquisitions and employment arrangements, as well as compliance with federal and state laws governing referrals among healthcare providers, such as the Anti-Kickback Statute and the Stark Law. Brad also advises clients in a variety of areas including the corporate practice of medicine, facility licensing, hospital/medical staff relationships, informed consent and regulatory compliance in the operation of Medicare, Medicaid and other third party reimbursement programmes.