Consumer Reports submitted comments on the FTC’s Notice of Proposed Rulemaking on the Health Breach Notification Rule. In general, we supported the FTC’s proposed changes that would create stricter requirements guiding how companies may collect and share consumers’ health information. The proposed changes include:
- Expanding the definition of healthcare provider and healthcare services and supplies to cover health and wellness apps that are not otherwise covered by HIPAA;
- Clarifying that unauthorized sharing of consumers’ PHR identifiable information is a breach of security;
- Expanding the scope of personal health records that must report breaches of security;
- Requiring that breached entities use modern contact methods to notify consumers of a breach; and
- Requiring breached entities to include more detail in breach notices so that consumers may take action to protect themselves.
We also urged the FTC to go further with the Rule, arguing that the Commission should:
- Define “authorization” to mean a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement; and
- Include information “about” an individual and device identifiers in its definition of PHR identifiable information.
To read the full comment, please see the attached PDF.