FPF Files Comments for the FTC Health Breach Notification Rule Addressing Specific Definitions and Clarity of Scope

On August 8th, the Future of Privacy Forum (FPF) filed comments with the U.S. Federal Trade Commission (the Commission) regarding the Notice of Proposed Rulemaking (NPRM) to clarify the scope and application of the Health Breach Notification Rule (HBNR). 

The HBNR was promulgated in 2009 as part of the American Recovery and Reinvestment Act as a breach of security rule. Recent complaints brought by the Commission, GoodRx and Easy Healthcare, were the inaugural and second application of the HBNR and indicated a novel range of alleged privacy breaches rather than traditional security breaches. The cases indicated a shift in the interpretation of “breach of security” by the Commission that drew many proto-typical practices into scope. The NPRM seeks to clarify this broadened scope which has amalgamated traditional breaches of security with nascent breaches of privacy. To draw out and address key issues in the NPRM and the Commission’s considerations, we recommended that the Commission consider the nuance of definitions and address the complexities of breach by specifically:

• Define a Standard for Identifiability for “PHR identifiable health data” to Clearly Expand Protections for a Broad Spectrum of Personal Information
• Define “Relates to” to Include the Creation of Health-Related Inferences from a Wide Range of Routine Commercial Datasets,  While Establishing Clear Obligations for Businesses
• Establish Clear Guidelines for Intentional Data Sharing that Does Not Require Affirmative Consent
• Ensure that the Rule Contains “Good Faith” Exceptions for Merely Technical Violations
• Further Define “Breach of Security” to Clarify Where the Commission May Take Enforcement Action

FPF’s full comments to the Commission are available here.