How to Stay Compliant with FTC Health Breach Notification Rule

As more people rely on health apps and online tracking technologies to manage their wellness, there has been a corresponding increase in the collection and storage of sensitive medical information. While health care entities are mandated to follow HIPAA regulations to safeguard this information, these new technologies are not traditionally subject to the same standards. However, the Federal Trade Commission (FTC) addressed this gap by releasing a policy statement affirming that health apps and connected device companies must comply with the FTC Health Breach Notification Rule.

Cyber Insurance brokers can help organizations stay compliant with evolving industry regulations to reduce the risk of data breaches and potential claims. This guide provides key details about health information security regulations, their impact, and how you can help your clients navigate today’s complex regulatory landscape.

Today’s Regulatory Frameworks for Protecting Sensitive Health Information

The HIPAA Breach Notification Rule mandates that covered entities, such as health care providers, health plans, health care clearinghouses, and their business associates, notify affected stakeholders of any breach of unsecured protected health information (PHI).

Entities that collect and store health information not covered under HIPAA are still obliged to protect sensitive data under the FTC Health Breach Notification Rule (HBNR). This rule requires vendors of personal health records and other entities to inform the FTC and affected consumers when a data breach compromises the confidentiality of personal health records.

In September 2021, the FTC released a policy statement clarifying that health apps and connected devices that collect or use health information must comply with the Health Breach Notification Rule. The statement also expanded the definition of data breach to include sharing health information and unauthorized access rather than being limited to cyber attacks.

Following suit, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a bulletin that emphasizes the obligations of HIPAA-mandated entities and business associates when using online tracking technologies. This OCR guidance prohibits the use of tracking technologies in a way that results in impermissible disclosures of PHI to tracking technology third parties and other violations of HIPAA rules. An example would be the disclosure of PHI to vendors for marketing purposes without HIPAA-compliant authorizations.

These regulatory changes have significant implications for organizations that handle sensitive information or utilize tracking technologies, as noncompliance can lead to hefty regulatory penalties and even legal consequences. Cyber Insurance brokers can help their clients navigate these changes by educating them and tailoring a comprehensive Cyber Insurance policy that can provide adequate protection against possible data breaches and legal liabilities.

Regulators In Action: Real-World Examples

The data breach of Anthem Inc. in 2015 is considered one of the biggest health care data breaches in history, compromising the protected health information of nearly 79 million people. According to OCR’s investigation, Anthem failed to conduct enterprise-wide risk analysis and implement robust access control measures to prevent cyber attackers from accessing sensitive information. The health insurance company paid a record-breaking settlement of $16 million for potential violations of HIPAA’s Security and Privacy Rules.

More recently, in February 2023, the FTC took action against prescription drug provider GoodRx Holdings Inc. (GoodRx) for violating the FTC Health Breach Notification Rule. The company was ordered to pay $1.5 million in penalties and will be prohibited from sharing user health data for advertising purposes due to its failure to notify consumers of the unauthorized disclosure of personal health information to third-party advertisers. This case is considered the first enforcement action by the FTC under the HBNR.

Facebook and its law firm have recently suffered the same consequences, as they were ordered to pay almost $1 million in penalties for denying that they shared users’ private information with third parties without consent.

These real-world cases highlight the importance of complying with industry regulations and investing in adequate Cyber Insurance to mitigate the financial impact of cyber attacks and noncompliance with industry standards.

How Brokers Can Help Clients Stay Compliant

Cyber Insurance brokers play an integral role in helping clients navigate the ever-changing landscape of data privacy laws and regulations in the following ways:

  • Providing Education and Training: Brokers can educate their clients on new regulatory changes, cyber security best practices, and incident response planning to help them understand their obligations and prepare for potential cyber threats.
  • Conducting Risk Assessments: Brokers can help pinpoint vulnerabilities and develop mitigation strategies by assessing the company’s current security measures and third-party relationships.
  • Recommending and Customizing Coverage: Brokers can customize a policy to address gaps in clients’ risk management strategies depending on the company’s unique risk profile.

Be the Cyber Security Expert Your Clients Need with ProWriters

Regulators have implemented policies like the FTC Health Breach Notification Rule to protect consumers’ sensitive health and personal information. Unfortunately, the proliferation of online tracking technologies and third-party tools makes it more challenging for organizations to stay compliant. Brokers can help clients navigate the complexities of today’s regulatory landscape by providing guidance on changes, educating them on data protection measures, and tailoring a policy fit for their needs and budget. ProWriters makes this simple for you.

At ProWriters, we provide brokers with all of the resources they need to become the cyber security experts on whom their clients can rely. Reach out today to learn how we can help!