A MoFo Privacy Minute Q&A: What to Expect with the FTC’s Amended Health Breach Notification Rule Going into Effect

29 Jul 2024
Client Alert

This is “A MoFo Privacy Minute,” where we answer the questions our clients are asking us in sixty seconds or less.

Question: I heard that the amendments to the FTC’s Health Breach Notification Rule (HBNR) go into effect on July 29, 2024. Is my company subject to the HBNR?

Answer: The Federal Trade Commission (FTC)’s final rule, which expands the scope and application of the HBNR, takes effect on July 29, 2024.

The HBNR applies to vendors of personal health records (PHRs) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA). It requires those vendors and related entities to notify individuals, the FTC, and in some cases, the media, in the event of a breach of unsecured covered data.

The amended HBNR clarifies that the HBNR’s application extends to developers of health apps and similar technologies, and generally to online services that provide healthcare services and supplies, including developers of mobile health applications and related technologies not covered by HIPAA (i.e., any website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, or diet, or that provides other health-related services or tools).

The HBNR becomes effective against the backdrop of the FTC’s emphasis on regulating evolving technologies to better protect health information handled by entities not regulated under HIPAA, including through a growing number of FTC enforcement actions.

Entities that are not subject to HIPAA but that interact with or handle health information should continue to carefully and regularly assess the applicability of the HBNR to their practices and review their efforts to comply with the HBNR, paying close attention to the clarifications made under the final rule. See our client alert on the HBNR final rule for additional background on the HBNR and its requirements.


Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.