For years I have been informing my wellness provider clients, such as health coaches, fitness professionals, nutrition counselors, and mental wellness coaches, that the HIPAA privacy and security rules do not typically apply to them. This is because they do not usually conduct HIPAA standard transactions (such as filing insurance claims), and it is questionable whether they are “health care providers” as defined by the Health Insurance Portability and Accountability Act (HIPAA).
Then came the final Breach Notification Rule from the Federal Trade Commission (FTC). The FTC published the final Breach Notification Rule at the end of April 2024, and it takes effect at the end of July 2024. This rule applies to “Personal Health Record” related entities (PHR related entities) and to vendors of PHRs, and it requires them to notify clients in the event of a breach of “unsecured” PHR identifiable information. See 16 CFR § 318.3. If you know anything about the HIPAA privacy and security breach notification rules, you know they can be among the most embarrassing, expensive, and onerous regulations with which HIPAA covered entities and business associates must comply. I have had clients go through the HIPAA breach notification process, and it isn’t fun. Escaping the regulatory burden of HIPAA and other health care laws is what draws so many providers into the wellness space, where many of those laws just don’t apply.
Enter the final FTC Breach Notification Rule, which will now apply to a lot of wellness providers. Who, exactly? Well, if you are a health or wellness coach, or a fitness or diet professional, who uses an online platform or wellness app in which your clients enter their personal health information, and that platform or app has the technical capacity to draw information from multiple sources, such as a fitness tracker, calendars, or geolocation (to name but a few), then the FTC Breach Notification Rule applies to you. That means that if you are a wellness provider who uses apps or online platforms to tailor your services so that your clients can eat better, exercise better, lose weight, sleep better, and so on, you should pay attention to this final rule and come into compliance by the end of July 2024.
How to Come into Compliance
First, the Breach Notification Rule applies only to PHR information that is “unsecured.” So, if you secure any health information that you collect from your clients, you should be relieved of having to notify clients should a breach occur. If you don’t know whether your PHR information is secured, ask the creator or distributor of the online platform or app that you use for your wellness business. If they don’t know, or aren’t familiar with how to properly secure PHR information, that should be a warning sign that you should perhaps be looking for another online platform or app vendor. Regardless, you should have data privacy and security policies and procedures in place to help prevent data breaches. Even if you are not subject to HIPAA, you can use HIPAA-compliant policies and procedures as a guide to keep the data you collect safe. We have developed HIPAA-compliant policies and procedures for purchase here and here.
If you are using an online platform or app that does not secure PHR information, then you should do whatever you can to prevent a breach from occurring. Click on the links above to purchase our HIPAA policies and procedures, which can help mitigate the risk of a breach if implemented and followed. If you still aren’t sure what to do, schedule a consult with us by clicking here. Wellness Law is here to help wellness providers learn about and embrace compliance.