Back in September, the Federal Trade Commission (FTC) issued (by a 3-2 vote) a policy statement (the Statement) regarding the oft-forgotten Health Breach Notification Rule (the Rule). I was at the FTC when the Statement was released and have since joined BakerHostetler. Around the time I joined BakerHostetler, my new colleague Melissa Hewitt published an informative blog about the Statement and what it could mean for non-HIPAA covered health apps. Now that the dust has settled, we thought it would be a good time to do a deeper dive into the Rule and provide some food for thought regarding compliance with it.
For starters, let’s get one thing out of the way. For many years, the FTC has brought case after case regarding a range of health privacy issues, and there is no reason to think that will change, particularly given congressional interest in vastly increasing the agency’s funding for privacy work. It is worth noting that the Rule is one of the FTC’s few privacy tools that allows for civil penalties (up to $43,792 per violation per day), a particularly important enforcement consideration for the agency after the Supreme Court’s AMG ruling substantially curtailed the agency’s ability to obtain equitable monetary relief. When appropriate, the Rule is a logical enforcement tool for the agency in the post-AMG era.
Prior to issuance of the Statement, there was conspicuously little talk about the Rule, as seemingly evidenced by minimal compliance. The Rule requires notice to consumers and to the FTC following a breach. And after more than a decade of the Rule’s being in effect, the FTC’s website indicates that a total of five companies have provided notice to the agency. I am quite certain that even the most optimistic among us would look at this and conclude that noncompliance is rampant, especially given the frequency with which we read about breaches of health information generally. Now, admittedly, prior to the issuance of the Statement, the FTC appeared to have a much narrower interpretation of the Rule’s application. Commissioner Christine Wilson makes this the thesis of her dissent, stating that rather than “clarifying” the scope of the Rule, the Statement “expands it” and contradicts “existing FTC business guidance” about the limited scope of the Rule. Commissioner Noah Phillips raised similar concerns.
As a former FTC official, I am always intrigued by dissenting and concurring opinions issued by commissioners, but the bottom line is that, at the moment, a compliance-minded company should assume that a broader interpretation of the Rule will apply, even though the third vote for the statement, former Commissioner Chopra, is now Director Chopra at the CFPB and Alvaro Bedoya has not yet been confirmed to be a third Democratic vote at the Commission. So, what does this mean for businesses that aren’t covered by HIPAA and that are capable of drawing health information from multiple sources, in the broadest sense of that phrase?
At its core, the Rule requires…