Amendments to the FTC Health Breach Notification Rule
- Quinyon Nave
- May 6, 2024
Updated: Sep 3, 2025
Overview of the FTC Health Breach Notification Rule (HBN Rule) Amendments
The Federal Trade Commission (FTC) has proposed amendments to its Health Breach Notification Rule (HBN Rule), which mandates notification protocols for breaches involving unsecured personally identifiable health data. This is particularly relevant for vendors of personal health records (PHRs) and related entities not covered by the Health Insurance Portability and Accountability Act (HIPAA). These amendments aim to expand and clarify the scope of the rule, redefine security breaches, modernize notification methods, and increase transparency in breach reporting.
Key Amendments Impacting the Neurotechnology Industry
Expanded Scope Including Health Apps: The clarification that developers of various health-related applications fall under the rule is critical, as many neurotechnology applications collect sensitive health data.
Redefinition of PHR and Breach: The amendments redefine what constitutes a PHR and a breach. For neurotechnology firms, this means applications that draw PHR identifiable health information from multiple sources (e.g., biometric data, neurological health data) are clearly covered under this rule.
Modernized Notification Methods: The push towards modernizing notification methods (e.g., electronic notices) is essential as many neurotechnology firms engage with users primarily through digital platforms.
Enhanced Content and Timing of Notifications: More detailed content in notifications and adjusted timing requirements ensure that both the affected individuals and the FTC are promptly informed, which is crucial for maintaining user trust in neurotechnology products.
Implications for Neurotechnology Applications
Example: Neurofeedback Apps
Consider a neurofeedback app that helps users manage anxiety by tracking their brain activity through a wearable EEG device. This app, if it draws information from multiple sources (e.g., the EEG device, user input, and perhaps a third-party analytics platform), would qualify as a PHR under the HBN Rule. Any breach in this scenario, such as unauthorized access to brain activity data, would need to be reported to both the affected users and the FTC, highlighting the necessity for robust security measures in neurotechnology.
Example: Cognitive Enhancement Platforms
A platform offering cognitive enhancement exercises that track neurological performance and integrate third-party health data for personalized training regimens would also fall under this rule. The integration with third-party services (e.g., health analytics or biomarker platforms) makes the platform a PHR, and any breach involving these integrated services would trigger notification requirements.
Example Breach Notices
The Federal Trade Commission (FTC) provides examples of how entities can notify individuals of a breach under the Health Breach Notification Rule (HBN Rule). These exemplar notices are crucial for neurotechnology firms, as they illustrate how to communicate effectively with users in the event of a data breach, emphasizing transparency and promptness.
Mobile Text Messages
In-App Notifications
Email Notifications
Web Banner Notifications
Scenario 1: Neurofeedback App Breach
Suppose a neurofeedback app experiences a breach in which user data, including EEG readings and personal identifiers, is compromised. The company can use the following adapted notifications:
Mobile Text Message
Text messages should alert the user to a security breach involving their health information, direct them to a non-clickable URL for more details, and note that an email has also been sent.
“Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. Visit [add non-clickable URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.”
In-App Message Notifications
In-app messages should be similar to the text message, but may include specifics such as the type of data breached (e.g., neurological data, biometric identifiers). This channel provides immediate, direct communication inside the application where the user already engages with the service.
“Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. This could include your [Add specifics – for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.”
Web Banner Notifications
Displayed on the main webpage, a banner informs users about the breach and includes specific details about the data involved. It advises users to visit a link for more information and often includes a clear call to action, such as “Take Action,” prompting them to check or secure their accounts.
Email Notifications
Email notifications should be a comprehensive message detailing the breach event, the specific data involved, steps the user can take to protect themselves (e.g., credit monitoring, fraud alerts), and what the company is doing in response. It is a crucial method for reaching users with more detailed information and for documenting the company’s response efforts.
Email Sender: [Company]
Email Subject Line: [Company] Breach of Your Health Information
Dear [Name],
We are contacting you because an attacker recently gained unauthorized access to our system and stole health information about our customers, including you.
What happened and what it means for you
On [March 1, 2024], we learned that an attacker had accessed a file containing our customers’ health information on [February 28, 2024]. The file included your name, the name of your health insurance company, your date of birth, and your group or policy number.
What you can do to protect yourself
You can take steps now to reduce the risk of identity theft.
Review your medical records, statements, and bills for signs that someone is using your information. Under the health privacy law known as HIPAA, you have the right to access your medical records. Get your records and review them for any treatments or doctor visits you don’t recognize. If you find any, report them to your healthcare provider in writing. Then go to www.IdentityTheft.gov/steps to see what other steps you can take to limit the damage. Also review the Explanation of Benefits statement your insurer sends you when it pays for medical care. Some criminals wait before using stolen information, so keep monitoring your benefits and bills.
Review your credit reports for errors. You can get your free credit reports from the three credit bureaus at www.annualcreditreport.com or call 1-877-322-8228. Look for medical billing errors, like medical debt collection notices that you don’t recognize. Report any medical billing errors to all three credit bureaus by following the “What To Do Next” steps on www.IdentityTheft.gov.
Sign up for free credit monitoring to detect suspicious activity. Credit monitoring detects and alerts you about activity on your credit reports. Activity you don’t recognize could be a sign that someone stole your identity. We’re offering free credit monitoring for two years through [name of service]. Learn more and sign up at [URL].
Consider freezing your credit report or placing a fraud alert on your credit report. A credit report freeze means potential creditors can’t get your credit report without your permission. That makes it less likely that an identity thief can open new accounts in your name. A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it. A fraud alert will make it harder for someone to open a new credit account in your name. It tells creditors to contact you before they open any new accounts in your name or change your accounts. A fraud alert lasts for one year. After a year, you can renew it. To freeze your credit report, contact each of the three credit bureaus, Equifax, Experian, and TransUnion.
To place a fraud alert, contact any one of the three credit bureaus, Equifax, Experian, and TransUnion. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your credit report.
Credit Bureau Contact Information
Equifax: 1-800-685-1111
Experian: 1-888-397-3742
TransUnion: 1-888-909-8872
Learn more about how credit report freezes and fraud alerts can protect you from identity theft or prevent further misuse of your personal information at
What we are doing in response
We hired security experts at Nave Security to secure our system. We are working with law enforcement to find the attacker. And we are investigating whether we made mistakes that made it possible for the attackers to get in.
Learn more about the breach.
Go to [URL] to learn more about what happened and what you can do to protect yourself. If we have any updates, we will post them there.
If you have questions or concerns, call us at [telephone number], email us at [address], or go to [URL].
Sincerely,
First & Last Name
[Role], [Company]
Scenario 2: Cognitive Enhancement Platform Data Misuse
In a case where a cognitive enhancement platform inadvertently shares user data with a third party without permission:
Text Message Notifications
“You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [describe why the company shared the info] without your permission. Visit [add non-clickable URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with more information.”
In-App Notifications
“You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [if known, describe why the company shared the info] without your permission. This could include your [Add specifics – for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.”
Web Banner Notifications
Immediately upon discovery, display a banner on the platform informing users of the data-sharing incident and directing them to a specific URL where they can learn more about the breach and how to protect their information.
Email Notifications
Email Sender: [Company]
Email Subject Line: Urgent: Unauthorized Disclosure of Your Health Data by [Company]
Dear [Name],
We are reaching out with important information regarding a recent incident involving your personal health data.
What happened and what it means for you:
Between January 10, 2024, and March 1, 2024, we inadvertently shared your personal health data, including your name and email address, with third-party companies for marketing purposes without your explicit consent.
What you can do to protect yourself:
Review Your Privacy Settings: We recommend updating your app to the latest version and reviewing your privacy settings to ensure your data is protected according to your preferences.
Contact Third Parties: If you wish, you can contact the companies who received your data to request its deletion. Although we have already requested them to erase your information, taking direct action might offer additional assurance.
Monitor for Misuse: Keep an eye on your email for any unsolicited marketing messages that you suspect might have resulted from this incident. If you receive suspicious communications, consider reporting them as spam or phishing.
Sign Up for Free Credit Monitoring: We understand the importance of safeguarding your data. As a precaution, we are offering two years of free credit monitoring service through [name of service]. You can sign up here: [URL].
What we are doing in response:
Ceasing Data Sharing: We are stopping all data sharing with external entities for advertising and marketing purposes. Our priority is to ensure that your information is used strictly for its intended purpose—to enhance your cognitive capabilities through our platform.
Enhancing Security Measures: We have implemented stricter data handling and privacy protocols to prevent future occurrences. This includes rigorous oversight of how your data is accessed and used internally and by third parties.
Transparency and Updates: We commit to maintaining transparency with you about this incident’s developments. Please visit [URL] for updates and more information about what we are doing to protect your data.
If you have any concerns or need further assistance, please do not hesitate to contact us at [telephone number] or [email address].
Sincerely,
First Name Last Name
[Role], [Company]
Conclusion
The Federal Trade Commission’s (FTC) amendments to the Health Breach Notification Rule (HBN Rule) mark a significant shift in the regulatory landscape affecting entities that manage personal health records (PHRs), especially those outside the scope of HIPAA. For the neurotechnology industry, which frequently deals with sensitive health data through advanced technologies, these changes underscore the critical importance of robust data security and transparent communication practices.
Key takeaways from the discussions include:
Expanded Coverage and Definitions: The amendments clarify that developers of health applications, including those in neurotechnology, are indeed covered under the HBN Rule if they handle PHR identifiable health information. This broadened scope ensures that more entities are accountable for protecting consumer health data, compelling neurotechnology firms to rigorously evaluate and enhance their data handling practices.
Enhanced Notification Protocols: The updated rule emphasizes modernized notification methods, such as electronic notices via email, in-app messages, and web banners, reflecting the digital nature of interactions today. For neurotechnology companies, this means developing and maintaining dynamic systems to quickly inform users of any data breaches, thus preserving trust and complying with legal obligations.
Examples and Recommendations for Compliance: The FTC provides sample notices to guide entities on how to notify affected individuals effectively. These examples serve not only as templates but also as a reminder of the critical elements that should be included in breach notifications. Neurotechnology companies can adapt them to their specific user engagement models, ensuring clarity and actionability for end users.
Proactive Data Protection Measures: It’s evident that ongoing vigilance in data protection is essential. Neurotechnology firms are advised to implement advanced security measures, regular audits, and transparent data usage policies. Additionally, developing an incident response strategy is crucial for minimizing the impact of potential data breaches.
Commitment to Consumer Rights and Transparency: The amendments and the accompanying discussions emphasize the importance of respecting consumer rights to privacy and providing clear, concise information about data breaches. This aligns with broader consumer protection trends and ethical considerations in handling health data, particularly sensitive neurological information.
In conclusion, as neurotechnology continues to evolve and intersect with areas of significant regulatory attention, companies within this space must be proactive in their approach to data security and breach notifications. Adhering to the FTC’s HBN Rule not only ensures compliance but also enhances consumer trust, which is invaluable in the competitive and rapidly advancing field of neurotechnology. This regulatory alignment, coupled with a commitment to ethical data practices, will be pivotal in shaping the future of neurotechnology, fostering innovation while protecting individual privacy.