Readers Write: Strengthening the Net: The FTC’s Expanded Reach on Health Data Protection

May 29, 2024 Readers Write 2 Comments

By Chris Bowen

Chris Bowen, MBA is founder and CISO of ClearData.


The Federal Trade Commission (FTC) recently finalized changes to the Health Breach Notification Rule (HBNR), signaling a move from fragmented, independent privacy and security measures towards a unified, collaborative defense. This new rule puts patients and consumers in the driver’s seat of their privacy and serves as a call to action for companies that create, collect, manage, and use health information, providing a potent deterrent against vulnerabilities that could expose their data.

Understand this: The FTC’s stance is unwavering and authoritative. It demands not mere compliance, but the utmost adherence to rigorous standards of care and caution in handling confidential health information.

The Health Breach Notification Rule requires vendors of personal health records, and related entities that are not covered by HIPAA, to notify individuals in the event of a breach of unsecured data. If a third-party service provider to one of these entities experiences a breach, it must notify the entity, which in turn notifies the affected individuals. The Rule also specifies when, how, and what must be communicated for particular kinds of breaches.

HBNR specifically applies to personal health record vendors and other entities that offer products or services through them, and third-party service providers to them. It covers a variety of platforms from health apps to wearable technologies. Unfortunately, 81% of Americans assume that all protected health data that is collected by digital health apps is protected under HIPAA.

In May 2023, the FTC proposed amendments to the Health Breach Notification Rule (HBNR) to clarify its scope regarding the collection of consumer health data by health apps and related technologies. The finalization of these changes is an unambiguous signal to the digital health ecosystem that the integrity of healthcare data is non-negotiable. No longer can firms hide behind the complexities or nascent nature of digital health technologies; the time to comply and protect is now, and the FTC has implemented rules that leave no uncertainty about the seriousness of the endeavor.

The updated HBNR ushers in several key shifts that set a higher standard for security and transparency. First among these is the expanded content required in a breach notification to patients. This move is not merely bureaucratic; it aligns with the growing demand for clarity and accountability that patients and providers alike require to maintain trust in the face of technological unknowns.

The Commission has made significant revisions and clarifications to the rules governing health apps and technologies that are not covered by HIPAA, enhancing the protection of personal health information (PHI). Among these changes are revised definitions to emphasize the rule’s application to health apps, clarification on what constitutes a “breach of security,” and a more precise scope for “PHR related entities” that includes those offering services via online and mobile platforms.

Additionally, the final rule expands the methods and content of breach notifications to consumers, including the use of electronic communication and detailed information on the breach’s impact.

It also adjusts the timing for notifying the FTC in the event of a breach, setting strict deadlines to ensure prompt action. These updates mark a significant step forward in securing PHI and underscore the importance of compliance and clear communication in the digital health space.

The FTC’s action demands not just compliance, but leadership — leadership in technological integrity, transparency, and fortitude in the face of cyber threats. Change will require investment, invention, and unwavering commitment, but the benefits extend far beyond mere regulatory peace of mind. In championing cybersecurity, we champion the future of healthcare, a future that is secure, trusted, and resilient. Digital health entities that fall short will find themselves lacking not just in regulatory compliance, but also in the trust and investment of a discerning public.

Consumer Protected Health Information is not just a term. It embodies the very essence of what is ours, our narratives of health, history, and future.

The time has come for a unified front in healthcare cybersecurity. We, the technologists, innovators, lawmakers, and guardians of the healthcare digital landscape, must rise to this challenge with unity and tenacity.

It is time for every digital health company, every healthcare professional, and every policymaker to reassess, reinvent, and redouble their efforts in cybersecurity. The FTC’s changes provide the roadmap. It is now up to us to ensure a future where patient data is as secure as the healthcare we strive to provide.

The stakes are too high, the threats too real, and the need for action too pressing.

Currently there are "2 comments" on this Article:

  1. Great points, and couldn’t agree more. We are doing some research on this topic, and it would be great if you could share the reference for this stat: “Unfortunately, 81% of Americans assume that all protected health data that is collected by digital health apps is protected under HIPAA.”

  2. The CHPI rules for non-HIPAA-covered entities are being enhanced at the same time as TEFCA is being adopted. TEFCA is designed to streamline permitted healthcare data exchange and bring it from the Wild West jungle into compliance and strict adherence. The new TEFCA exchange and Permitted Purposes rules create a level-playing field and provide paved paths for treatment and consumer access, including non-HIPAA compliant apps, payment and operations, and public health purposes. Combined with tightened CPHI and data privacy regulations, the industry is well-positioned to start being more transparent in privacy adherence.
