
USA: Health data laws - update and impact on organizations (part one)

The prevalence of digital health services in the US has grown dramatically in recent years, prompted by factors such as the COVID-19 pandemic along with technological advancements in cloud computing, mobile applications, wearable devices, artificial intelligence (AI), and medical research. As the healthcare ecosystem rapidly digitizes health data to fuel these technological advancements, lawmakers and regulators seek to address evolving privacy and security challenges.

In this Insight article, Alaap Shah, Lisa Pierce Reisz, and Avery Schumacher, from Epstein Becker & Green, P.C., explore the evolving federal legal landscape governing health data in the US through the lens of the regulatory agencies responsible for oversight and enforcement of the relevant laws and regulations. The article also describes related implications for organizations whose activities involve the collection, use, or disclosure of health information. Part two examining state laws and legislation is available here.


Federal Trade Commission

The Federal Trade Commission (FTC) has been a chief federal agency protecting consumers' privacy interests as technology rapidly changes and raises new privacy challenges. The FTC's overall enforcement approach has been to use law enforcement, policy initiatives, and consumer and business education to protect consumers' personal information. 

Health Breach Notification Rule

In addition to its broad authority under Section 5 of the Federal Trade Commission Act (the FTC Act) over unfair and deceptive trade practices, the Health Breach Notification Rule (HBNR) is the key authority the FTC relies on for enforcement involving health data.

On May 30, 2024, the FTC finalized amendments to the HBNR, which became effective on July 29, 2024. These amendments expand the scope and application of the HBNR, which requires vendors of personal health records (PHRs), PHR-related entities, and third-party service providers for PHRs or PHR-related entities, to the extent they are not otherwise subject to the Health Insurance Portability and Accountability Act (HIPAA), to notify affected individuals, the FTC, and, in certain instances, the media when a breach of unsecured 'PHR identifiable health information' occurs. PHR identifiable health information is defined by reference to HIPAA's definition of individually identifiable health information: information that relates to an individual's physical or mental health or condition, the provision of health care, or payment for health care, that is provided by or on behalf of the individual, and that identifies the individual or could reasonably be used to do so.

In recent years, the FTC updated its guidance on the HBNR to address the growing use of digital health apps and connected devices, clarifying that many health apps, fitness trackers, and other digital services handling health data may fall within the HBNR's purview. The amended HBNR codifies this position by aligning its definitions and scope of applicability to cover such health apps, connected devices, and other online services. Notably, the rule now reaches any product with the technical capacity to draw health information from multiple sources, even if in practice it draws information from only one source.

When a breach occurs, entities must notify the affected individuals and the FTC. If the breach affects 500 or more individuals, prominent media must also be notified. Notably, the amended HBNR modifies the definition of 'breach of security,' expanding it to include unauthorized disclosures of PHR identifiable health information, not just unauthorized acquisitions. This change emphasizes the need to obtain consumer authorization before sharing information with certain third parties; a disclosure to a third party that the consumer did not authorize can itself be a reportable breach.

From an enforcement perspective, the FTC continues to scrutinize the healthcare sector's use of online tracking technologies and its sharing of health information with third-party advertising technology (AdTech) vendors. In certain cases, the FTC has used its authority under both the FTC Act and the HBNR to take enforcement action against entities disclosing health information to AdTech vendors. The FTC also issued joint letters with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to approximately 130 healthcare organizations, reiterating the potential applicability of the HBNR to the sharing of health information with AdTech vendors. However, a recent ruling in American Hospital Association, et al. v. Becerra, et al. vacated guidance issued by OCR on when HIPAA may apply to certain 'proscribed combinations' of information collected using online tracking technologies. As such, it remains unclear what impact this ruling may have on the FTC's future enforcement efforts under the HBNR.

To comply, organizations should assess whether they fall under the expanded HBNR and evaluate data-sharing practices to determine if these could trigger breach notification requirements. Organizations should also revise incident response and breach reporting policies to meet updated timelines and content requirements required by the HBNR.

Children's Online Privacy Protection Act

As previously discussed in an article that focused on children's privacy updates, children's online privacy has become a top priority in the US, though federal progress has been slow. The Children's Online Privacy Protection Act (COPPA) requires the FTC to issue and enforce regulations concerning children's online privacy. The FTC's original COPPA Rule became effective on April 21, 2000, and an amended COPPA Rule took effect on July 1, 2013.

The COPPA Rule imposes certain requirements on operators of websites or online services (including mobile apps and Internet of Things (IoT) devices) directed to children under thirteen years of age and on operators of general audience websites or online services that knowingly collect, use, or disclose personal information from children under the age of thirteen. The COPPA Rule requires operators to notify parents and get their express consent before collecting, using, or disclosing personal information from children under thirteen years old. FTC enforcement activity makes it clear that the COPPA Rule applies to health data.

On December 20, 2023, the FTC proposed updates to the COPPA Rule. The period for public comments ended on March 11, 2024, but a final rule has yet to be issued. It should be noted that the FTC's regulatory authority remains limited by the existing statute, and as such, some lawmakers are seeking to amend COPPA itself through promising bipartisan legislation, which, as of the date of this article, has not become law.

Office for Civil Rights

Unlike the FTC, HHS focuses only on the privacy and security of health information used and disclosed by certain healthcare entities. HHS has delegated enforcement authority in this space to OCR, and that authority comes from several laws, including HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and the Genetic Information Nondiscrimination Act (GINA). OCR also plays an important role in implementing, enforcing, and educating stakeholders on the Confidentiality of Substance Use Disorder Patient Records regulations (Part 2).

HIPAA, the HITECH Act, and their implementing regulations

OCR oversees compliance with HIPAA and the HITECH Act and their implementing regulations, including the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule), the Enforcement Rule, the rule for Breach Notification for Unsecured Protected Health Information (the Breach Notification Rule), and the Omnibus Rule. Broadly, HIPAA requires the protection of the privacy and security of individuals' medical records and other individually identifiable health information, ensuring confidentiality and limiting unauthorized access. Specifically, HIPAA primarily governs health plans, healthcare clearinghouses, and healthcare providers who conduct healthcare transactions electronically (each a Covered Entity) regarding the use, disclosure, and safeguarding of protected health information (PHI).

HIPAA requirements also apply to business associates that carry out healthcare activities and functions for, or on behalf of, Covered Entities (Business Associates). A Covered Entity must have a written Business Associate Agreement (BAA) that describes services to be provided and requires the Business Associate to comply with HIPAA requirements. Beyond these BAA obligations, Business Associates are directly liable for compliance with certain provisions of HIPAA.

The last major updates to HIPAA were implemented in 2013 through the Omnibus Rule, though a few noteworthy updates have occurred in recent years. First, in response to the Supreme Court's 2022 decision in Dobbs v. Jackson Women's Health Organization, which overruled Roe v. Wade and eliminated the federal constitutional right to abortion, OCR promulgated the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the 2024 Privacy Rule). The 2024 Privacy Rule amends the Privacy Rule to bolster privacy protections for reproductive health care information. It represents a shift from the prior Privacy Rule, under which disclosures of PHI in response to legitimate law enforcement inquiries were generally permitted but not required; OCR's new rule aims to protect individuals seeking lawful reproductive health care from such disclosures. The 2024 Privacy Rule became effective on June 25, 2024, with a general compliance date of December 23, 2024.

The 2024 Privacy Rule explicitly prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others involved in lawful reproductive health care. To further protect patient privacy, it requires Covered Entities and Business Associates to obtain signed attestations, ensuring that certain requests for PHI are not intended for prohibited purposes. Additionally, the rule mandates that Covered Entities update their Notices of Privacy Practices (NPPs) to support reproductive health care privacy with a compliance date of February 16, 2026.

An additional update involves an amendment to the HITECH Act effective January 5, 2021, that requires HHS to consider the presence of 'recognized cybersecurity practices' when determining penalties, audit results, or mitigation remedies under the HITECH Act or HIPAA. This amendment incentivizes Covered Entities and Business Associates to adopt recognized cybersecurity frameworks to mitigate risks associated with security threats and potentially reduce the severity of HHS enforcement actions following security incidents or data breaches.

The amendment specifies that entities demonstrating the adoption of recognized security practices for at least twelve months may benefit from lower fines, shortened audits, or lighter mitigation remedies in the event of HIPAA violations. Recognized security practices include standards and guidelines developed under the National Institute of Standards and Technology Act (NIST Act), the Cybersecurity Act of 2015, and other relevant cybersecurity programs. In October 2022, OCR released a video explaining what recognized security practices are and what types of evidence OCR would find persuasive to show that such practices have been in place for 12 months. The amendment offers flexibility for entities to implement these practices according to their organizational needs.

The general sentiment from healthcare industry stakeholders is that substantial updates to modernize HIPAA are necessary and overdue, considering advancements in health technology and the evolving needs of the healthcare industry. OCR, building on public feedback obtained through a Request for Information from 2018, issued a Notice of Proposed Rulemaking on December 10, 2020, proposing a slew of changes to the HIPAA Privacy Rule, but a final rule remains to be issued.

Genetic Information Nondiscrimination Act

GINA is a federal law that prohibits discrimination based on genetic information in both health coverage and employment contexts. The law encourages individuals to obtain genetic testing without fear of discrimination based on the results. GINA modifies HIPAA by clarifying that genetic information is health information, so that it falls within the definition of PHI. Under HIPAA, genetic information is therefore protected as part of an individual's PHI, meaning that Covered Entities and Business Associates may use or disclose it only as the Privacy Rule permits.

Related to health coverage, group health plans and insurers are prohibited from using genetic information to make decisions about coverage, rates, or pre-existing condition exclusions. OCR issued a final rule implementing GINA and amending the HIPAA rules, effective in March of 2013. OCR ensures compliance with GINA's rules in the same manner as it enforces other HIPAA requirements.

Related to employment, employers are prohibited from using genetic information in hiring, firing, promotion, or any other employment decisions. Additionally, employers cannot request, require, or purchase genetic information about an employee or their family members for purposes of making such decisions. The Equal Employment Opportunity Commission (EEOC) enforces the employment-related provisions of GINA. The EEOC issued regulations implementing GINA effective in January 2011, which were amended in 2016 to clarify provisions for employer wellness programs.

Confidentiality of Substance Use Disorder Patient Records regulations (Part 2)

On February 8, 2024, HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR, announced a final rule modifying the regulations governing the confidentiality of substance use disorder (SUD) treatment information under 42 C.F.R. Part 2 (Part 2), applicable to qualifying Part 2 programs (Part 2 Programs). The final rule, which became effective on April 16, 2024, better aligns Part 2's confidentiality provisions with HIPAA, implementing the confidentiality provisions of section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

The final rule introduces several key changes to Part 2 regulations, many of which align with HIPAA's requirements. One of the more significant changes is in patient consent requirements. A single written consent can now be used for all future uses and disclosures of SUD records for treatment, payment, and healthcare operations (TPO) purposes unless the patient revokes consent in writing. Disclosure under such consent must include a copy of the consent or an explanation of its scope. HIPAA Covered Entities and Business Associates can also redisclose SUD records in accordance with HIPAA. However, separate consent is still required for SUD counseling notes and for disclosures in legal proceedings against the patient, and SUD records obtained in an audit or evaluation cannot be used for prosecution.

In terms of patient rights, the final rule requires significant updates to Part 2 Program Privacy Notices to better align them with HIPAA's Notice of Privacy Practices requirements. It also grants patients the right to an accounting of disclosures covering up to three years and introduces a new right to opt out of fundraising communications. These updates aim to give patients more control over their personal information and ensure transparency in how their records are used and disclosed.

In addition, the final rule streamlines data management for SUD records by removing the requirement for data segregation by Part 2 Programs, Covered Entities, and Business Associates that receive a single consent for future TPO uses. However, such entities must still be able to identify SUD records if consent is revoked or they receive a subpoena for the SUD records in a proceeding against the patient. The final rule also applies HIPAA's Breach Notification Rule to Part 2 Programs and aligns penalties under Part 2 with HIPAA. Additionally, the definition of a Qualified Service Organization (QSO) now includes Business Associates that are also HIPAA-Covered Entities, further integrating Part 2 with HIPAA.

Even with a compliance date of February 16, 2026, operationalizing these new requirements could pose challenges. Ultimately, these changes should streamline privacy compliance and ease the administrative burden many entities face day-to-day in trying to satisfy the differing requirements of HIPAA and Part 2. The changes are also intended to improve the coordination of care for SUD patients, increase access to care, and streamline payment for such care. Nonetheless, several key requirements of Part 2 remain distinct from HIPAA, so SUD programs, payors, and vendors must understand those differences.

Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology

HHS's Office of the National Coordinator for Health IT, recently rebranded as the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC), plays a pivotal role in promoting interoperability, privacy, and security in health information exchange within the US health care system. Two key data-related regulatory frameworks overseen by ASTP/ONC are the information blocking rules and the Trusted Exchange Framework and Common Agreement (TEFCA).

Information blocking rules

The information blocking rules, promulgated under the 21st Century Cures Act, intend to promote seamless access, exchange, and use of electronic health information (EHI). Information blocking refers to practices by actors, including healthcare providers, developers of certified health IT, health information networks (HINs), and health information exchanges (HIEs) that unreasonably limit or restrict the access, exchange, or use of EHI.

These rules prohibit information blocking unless a clear exception applies. Exceptions relate to preventing harm, privacy, security, infeasibility, health IT performance, licensing, fees, content, and TEFCA manner. Actors must ensure that their systems facilitate access to EHI, including ensuring that patients can access their own health information electronically without unreasonable delays or barriers. The rules aim to enable patients and healthcare providers to share and access health information across the care continuum securely and efficiently, as well as spur digital innovation through promoting broad access to EHI.

On March 11, 2024, ASTP/ONC's Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing Final Rule (HTI-1 Final Rule) went into effect. Among several elements of HTI-1, ONC promulgated 'information blocking enhancements,' which include new and updated definitions as well as new and updated information blocking exceptions. Other sections of HTI-1 introduce algorithm transparency and replace 'clinical decision support' with the 'decision support intervention' certification and maintenance of certification criterion.

On July 10, 2024, ASTP/ONC issued a sweeping follow-on proposed rule titled 'Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability' (the HTI-2 Proposed Rule). The HTI-2 Proposed Rule, if finalized as drafted, would:

  • expand the scope of the Health Information Technology Certification Program to include new and updated certification criteria, especially related to public health and application programming interfaces, broaden the U.S. Core Data for Interoperability (USCDI), and clarify ASTP/ONC's direct review of certified health IT;
  • modify information blocking rules related to what constitutes 'interference' with access, exchange, or use of EHI, as well as create new and modify existing information blocking exceptions; and
  • provide greater transparency to TEFCA requirements.

Trusted Exchange Framework and Common Agreement

TEFCA aims to create a nationwide, standardized approach for health information exchange to improve interoperability across the healthcare ecosystem through a single 'on-ramp' for data sharing. TEFCA establishes common rules and technical specifications to promote secure data exchange across different networks, enabling providers, patients, and others to access and share health information seamlessly across the US. This framework is intended to ensure that health information can be exchanged efficiently across state lines and between different types of healthcare organizations, regardless of the technology they use.

TEFCA is governed by the Recognized Coordinating Entity (RCE) under a contract with ASTP/ONC. TEFCA's key technical implementers are Qualified Health Information Networks (QHINs), which serve as the initial connection points through which qualifying participants join the TEFCA network; qualifying subparticipants may join TEFCA by connecting to participants. On December 12, 2023, ASTP/ONC officially designated the first QHINs, which executed the Common Agreement to implement TEFCA. Through 2024 and moving forward, these QHINs are responsible for building the technical infrastructure to realize the vision of TEFCA.

TEFCA currently permits six exchange purposes: treatment, payment, healthcare operations, public health, government benefits determination, and individual access services. Some of these exchange purposes, such as treatment, require participants and subparticipants that query the network to also respond to queries initiated by other requestors in the network.

TEFCA includes strict privacy and security protections to ensure that health information exchanged across networks is secure. Participants in TEFCA must comply with relevant privacy laws, including HIPAA, and adhere to stringent privacy and security standard operating procedures (SOPs) to connect to TEFCA and protect patient information. In 2024, various disputes arose over whether certain types of persons and entities could properly connect to health information networks under the Treatment exchange purpose. On July 1, 2024, the RCE issued guidance, in the form of a TEFCA SOP, addressing what kinds of entities may connect and participate under the Treatment exchange purpose. ASTP/ONC and the RCE are likely to continue issuing similar guidance on the existing exchange purposes and aim to add a seventh exchange purpose, 'research,' moving forward.

Office for Human Research Protections

The HHS Office for Human Research Protections (OHRP) is the HHS office that protects the rights and welfare of people involved in research funded or conducted by HHS. OHRP's responsibilities include overseeing and enforcing the Common Rule, discussed below, and other HHS regulations that protect research participants. OHRP also develops educational programs and provides guidance and clarification on ethical and regulatory issues.

Federal Regulations for the Protection of Human Subjects

Federal Regulations for the Protection of Human Subjects (the Common Rule) governs federally supported research involving human subjects. The Common Rule's purpose is to protect human subjects in federally funded research by requiring informed consent from each research subject, review of the proposed research by an Institutional Review Board (IRB), and assurances of compliance by the researchers involved.

In January 2019, revisions to the Common Rule took effect to address considerable changes in the research landscape, including:

  • increases in global research participation;
  • emphasis on interdisciplinary research;
  • greater reliance on technology;
  • an ability to collect, analyze, and synthesize big data; and
  • more reliance on industry funding of research. 

One of the significant revisions includes expanding the definition of 'human subject' to include identifiable biospecimens. Additionally, informed consent requirements were updated to include a clear summary of key information, new elements relating to the secondary use of data and genomic research, and a broad consent option for future unspecified research. Such a consent form must now be posted on a publicly available website after recruitment closes.

Other important updates include broadening exempt categories of research and allowing certain types of studies to qualify for less rigorous review by an IRB. Specifically, minimal-risk studies no longer require annual continuing review, reducing administrative burdens for low-risk research. The revised Common Rule also mandates the use of a single IRB for multi-site cooperative studies to streamline oversight and ensure consistency. Finally, the expedited review process was updated and simplified to further improve the efficiency of research oversight.

National Institutes of Health Office of Science Policy

Also related to medical research, the National Institutes of Health (NIH) Office of Science Policy (OSP) works across the biomedical research industry to develop and implement NIH policy that aims to evolve with rapidly advancing science and technology while promoting responsible research conduct. In May 2024, the NIH Office of Science Policy issued a voluntary resource titled Informed Consent for Research Using Digital Health Technologies: Points to Consider & Sample Language that provides points to consider and sample language for informed consent using certain digital health technologies. NIH recognized that such digital health technologies have increasingly been deployed in biomedical and behavioral health research, leading to enhanced scientific discovery and improved health outcomes. Yet, NIH also recognized that such technologies may pose new considerations for potential study participants related to the ownership and control of such data. 

White House Office of Science and Technology Policy

The White House Office of Science and Technology Policy (OSTP) is another federal government body that has an interest in medical research and related health data. The OSTP advises the President on scientific, engineering, and technological issues and is charged with coordinating federal policies and initiatives to ensure science and technology benefit the nation, driving innovation, economic growth, and national security.

On July 9, 2024, the OSTP issued Guidelines for Research Security Programs (the Final Guidelines) aimed at strengthening research security at certain universities, nonprofits, and federally funded research institutions. The Final Guidelines, issued in accordance with National Security Presidential Memorandum 33 dated January 14, 2021 (NSPM-33) and the research security provisions of the CHIPS and Science Act, require federal agencies that fund research and development (R&D) to implement a certification requirement for certain research institutions (defined in the Final Guidelines as 'Covered Institutions'), under which the institution certifies that it has established a research security program addressing cybersecurity, foreign travel security, research security training, and export control. The Final Guidelines further describe which participants in the U.S. R&D enterprise qualify as Covered Institutions.

The Final Guidelines are issued amidst the significant attention from lawmakers and federal agencies about the risk of potential theft of US intellectual property and the threat of undue foreign influence. These risks are specifically acknowledged by OSTP in the Final Guidelines, whose stated purpose is to minimize the risks posed by strategic competitors to US R&D enterprises. The measures were implemented with the goal to 'improve research security while preserving the openness that has long enabled U.S. R&D leadership throughout the world.'

While the certification requirements set forth in the Final Guidelines are only applicable to Covered Institutions, the Final Guidelines notably also encourage federal agencies to adopt similar research security requirements for non-covered institutions.

Conclusion

In summary, the evolving and vast federal landscape of US health data laws is pressing organizations to adopt stronger data governance programs. With increasing enforcement and oversight from agencies like the FTC, OCR, ASTP/ONC, and OHRP, organizations handling health data must stay vigilant in meeting legal and regulatory requirements under the HBNR, COPPA, HIPAA, GINA, Part 2, the Information Blocking Rules, the Common Rule, and others. As digital health services expand, staying informed and proactive is crucial to managing emerging risks, avoiding penalties, and maintaining trust with consumers and stakeholders.

Alaap Shah, Member of the Firm
Lisa Pierce Reisz, Attorney
Avery Schumacher, Associate
Epstein Becker & Green, P.C., Washington, DC