Understanding HBNR and Its Implications for Health Apps and Organizations
The Health Breach Notification Rule (HBNR), issued by the Federal Trade Commission (FTC) under the HITECH Act and codified at 16 CFR Part 318, governs breaches of health-related data held by entities that fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA). Understanding how HBNR differs from HIPAA, and what HBNR specifically requires, is essential for any organization that handles personal health information but is not a HIPAA covered entity or business associate.
Distinguishing Between HBNR and HIPAA
Both HBNR and HIPAA regulate health-related data, but they apply to different entities. HIPAA applies to covered entities (health plans, health care clearinghouses, and most health care providers) and to their business associates. HBNR applies instead to vendors of personal health records (PHRs), PHR-related entities, and third-party service providers to those vendors or entities. A PHR is an electronic record of PHR identifiable health information that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual. The FTC's 2021 policy statement and its 2024 amendments to the rule make clear that health, fitness, and wellness apps and similar connected services that collect such information are covered, even though they are not HIPAA covered entities.
Key Definitions Under HBNR
- PHR Identifiable Health Information: Individually identifiable health information, meaning information about an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for that care, which is provided by or on behalf of the individual and which identifies the individual or gives a reasonable basis to believe it could be used to identify the individual.
- Vendors of PHRs: Entities that offer or maintain PHRs, excluding HIPAA-covered entities and entities acting as their business associates.
- PHR-Related Entities: Entities (other than HIPAA-covered entities or business associates) that offer products or services through the website or online service (including a mobile application) of a vendor of PHRs or of a HIPAA-covered entity that offers PHRs, or that access unsecured PHR identifiable health information in a PHR or send such information to a PHR.
- Third-Party Service Providers: Entities that provide services to vendors of PHRs or PHR-related entities and, as a result, access, maintain, store, use, or disclose unsecured PHR identifiable health information.
- Unsecured: Information is "unsecured" unless it is protected by the technologies or methodologies specified in HHS guidance, chiefly encryption, so data that is properly encrypted (with the keys kept separate and uncompromised) falls outside the rule's breach definition.
HBNR Notification Requirements
A breach of security under HBNR is the acquisition of unsecured PHR identifiable health information without the authorization of the individual; the 2024 amendments clarify that this includes unauthorized disclosures (for example, sharing health data with advertising or analytics partners without authorization), not only intrusions by outside attackers. Following such a breach, a vendor of PHRs or PHR-related entity must notify each affected individual and the FTC, and must also notify prominent media outlets serving a state or jurisdiction when the breach involves 500 or more residents of that state or jurisdiction. A third-party service provider does not notify individuals directly; it must notify the vendor or PHR-related entity it serves, which then makes the required notifications. Notification must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. A breach is treated as discovered on the first day it is known, or reasonably should have been known, to the entity, including through its employees or agents, so the 60-day clock does not wait for an internal escalation or the completion of an investigation.
Notification Contents
The notice must include:
- A brief description of what happened, including the date of the breach and the date of its discovery, if known
- A description of the types of unsecured PHR identifiable health information involved (for example, full name, date of birth, account number, or diagnosis)
- Steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of what the organization is doing to investigate the breach, mitigate harm, and protect against further breaches
- Contact procedures for individuals with questions, such as a toll-free telephone number, an email address, a website, or a postal address
Minimizing HBNR Compliance Risks
To minimize risks, organizations should:
- Maintain a cybersecurity program with the reasonable safeguards the FTC expects, since the FTC enforces data security under Section 5 of the FTC Act as well as under HBNR; encrypting stored and transmitted health data in line with HHS guidance is particularly valuable, because properly encrypted data is not "unsecured" and its loss is not a reportable breach
- Implement an effective privacy compliance program, including controls over which third parties receive health data and on what authorization, since an unauthorized disclosure is itself a breach under the rule
- Ensure contracts with third-party service providers require prompt breach notification to the organization, so the organization can meet its own 60-day deadline
By understanding and complying with HBNR requirements, health apps and organizations can protect consumer health information and avoid regulatory risks.