
What Do Life Sciences and Wellness Companies Have in Common? Both Are Subject to the HBNR.

Whether a life sciences or wellness company has developed a product for consumers or created an online service, it may have to comply with the FTC's recently finalized changes to the Health Breach Notification Rule (HBNR). The HBNR applies to medical products and services as well as health and wellness products to the extent that they collect identifiable health data (e.g., a device identifier combined with a heart rate) at the direction of a consumer. However, it is not enough for a product or service simply to collect health data; it must also allow consumers to send that health data to an online service (e.g., an app or website). This application of the HBNR should come as no surprise to those following the FTC's enforcement; for the uninitiated, the changes update the HBNR so that the FTC can enforce it more effectively. The essential modifications are two clarifications: "breach of security" now expressly includes the unauthorized disclosure of identifiable health data without a consumer's consent, including secondary uses, and the revised definition of "PHR-related entities" brings into scope both wellness and medical products and services, such as fitness trackers, blood pressure cuffs, connected glucose monitors, and other connected health monitoring devices that send identifiable health data to a company's health app at the direction of a consumer. Non-compliance could lead to severe penalties and damage to your company's reputation.

As a result of the changes, the HBNR will draw in software and product manufacturing companies in the wellness space that provide fitness-, sleep- and diet-related products and services, many of which may have assumed they were outside the HBNR's purview.

Most importantly, all companies should consider whether they are:

  • Providing wellness products and services that may collect or send health data concerning identifiable consumers to any online service (e.g., an app, website, or internet-connected device). Health data associated with wellness products and services is in scope; the HBNR is not limited to medical products and services (e.g., telehealth, reproductive health, or prescription and biological products). While the FTC has so far limited its enforcement actions to traditional medical products and services such as telehealth, prescription, genetic, sexual health, mental health, substance abuse and reproductive health, the HBNR regulates "any online service, such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnosis or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools." As a result, companies will need to consider whether their products or services fall into the wellness category.
  • Using emergent health data, such as health data inferred from non-health data. While many companies are focused on Washington's My Health My Data Act (MHMDA), the FTC has signaled that it, too, will look at practices that use non-health data to infer a consumer's health status or condition. In addition, the HBNR regulates unique, persistent identifiers, such as mobile advertising identifiers, to the extent that they are combined with health information that can be used to identify or re-identify a consumer. Furthermore, using non-health data associated with an identifiable consumer to infer that consumer's health status or condition may be considered an unauthorized use of the consumer's data, leading to notification obligations if the company has not obtained affirmative consent.
  • Collecting or disclosing any of the above health data without authorization from the consumer, which is not limited to cybersecurity intrusions and data exfiltration. Comments in the HBNR suggest that companies may disclose health data to vendors, such as analytics providers that supply tracking analytics, provided that (1) the vendor's services are required for the website or app to operate and function; (2) the vendor is prohibited from using, sharing, or disclosing the health data for any purpose beyond providing those services to the company; and (3) the specific purposes for which the vendor receives health data are disclosed clearly and conspicuously in the company's privacy notice. In addition, the FTC suggests that secondary uses of health data may exceed a company's authorization and be considered an unauthorized use requiring notification. This comment tees up enforcement against companies that use such data for their algorithms and AI purposes. As a result, companies will be responsible for notifying consumers when they have disclosed health data to vendors that do not provide necessary services, unless they have obtained the consumer's affirmative express consent. Finally, both the developers of online services such as health apps and websites (i.e., vendors of personal health records) and companies that provide products that collect health data without a corresponding app of their own (i.e., PHR-related entities) may have notification obligations under the HBNR.

While there are certainly a few additional landmines that companies should look out for, the FTC has indicated that companies providing products and services only indirectly related to health, such as general retailers, are not subject to the HBNR. For example, purchasing a pregnancy test from a general retailer is not within the rule's scope. However, if a general retailer provides health-specific products and services, such as an app that requires the collection of identifiable health information, it will be subject to the HBNR. Many of the remaining obligations are specific to notice requirements in the event of a breach, including the ability to send notice via email, in-app notification, or website banner, and additional content obligations, such as providing the consumer with an explanation of the likely impact of the unauthorized disclosure on the consumer.

“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”
