The Federal Trade Commission (FTC), having recently taken its first enforcement actions under the Health Breach Notification Rule (HBNR) it adopted in 2009,1 is now proposing, in a notice of proposed rulemaking (NPRM) published on June 9, 2023,2 significant expansions to the HBNR's scope. As stated in an earlier press release, the FTC believes "it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened," and "[t]he proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology."3

The HBNR requires notification to individuals, the FTC, and in some cases the media, of breaches of the security of "personal health records" (PHRs) experienced by PHR "vendors," "PHR related entities," and "third party service providers." A PHR under the HBNR is an electronic record of PHR identifiable health information that can be drawn from multiple sources, and that is managed, shared, and controlled by or for the individual to whom the information pertains. Although the HBNR was generally viewed as quite limited in scope, nine months ago the FTC issued a policy statement warning mobile app developers about their potential status as PHR vendors and that when such a vendor "discloses sensitive information without users' authorization, this is a 'breach of security' under the [HBNR]."4 All of the agency's recent (and only) enforcement actions under the HBNR were against mobile app developers.

As explained in the NPRM, the FTC now intends to codify its interpretations of the HBNR expressed in the September 2021 policy statement and to make additional HBNR modifications. The FTC is inviting comments on the proposed modifications until August 8, 2023.