FTC Housecleaning Highlights Health Data Rule that Could Be More Relevant During the Pandemic  


The Federal Trade Commission is seeking comment on a decade-old rule that has never been enforced.

The Federal Trade Commission is seeking comment on its Health Breach Notification rule, which has so far been completely sidelined by the Health and Human Services Department’s robust enforcement of an older data privacy law.

In a notice set to publish in the Federal Register Friday, the FTC asks whether particular sections of the rule should be retained, eliminated or modified. The FTC reviews its rules every 10 years to make sure they’re still effective for addressing current business practices and market dynamics.

The HBN rule requires vendors of public health records to notify the FTC of a data breach within 10 days—and consumers within 60 days—of discovery. It was issued in 2009 and aimed at entities not covered by the 1996 Health Insurance Portability and Accountability Act’s breach notification rule, which HHS enforces.

But while PHR vendors have been swept up under enforcement of the HHS rule as “business associates,” that could be changing.

“The FTC has not had occasion to enforce its Rule because, as the PHR market has developed over the past decade, most PHR vendors, related entities, and service providers have been HIPAA-covered entities or ‘business associates’ subject to HHS’s rule,” the notice reads. “However, as consumers turn towards direct-to-consumer technologies for health information and services (such as mobile health applications, virtual assistants, and platforms’ health tools), more companies may be covered by the FTC’s Rule.”

In launching a $200 million telehealth program at the end of last month, the Federal Communications Commission said greater use of such virtual tools is important for freeing up brick-and-mortar resources to treat people affected by the coronavirus.