News & Insights


April 29, 2024

Health Headlines – April 29, 2024


FTC Finalizes Amendments to Health Breach Notification Rule Aimed at Clarifying its Application to Health Applications and Similar Technologies

On April 26, 2024, the Federal Trade Commission (FTC) released a pre-publication version of its final changes to the Health Breach Notification Rule (HBNR) designed to clarify the scope of the HBNR, including its coverage of health applications and other similar technologies, authorize the expanded use of email and other electronic means of providing notice to consumers of a breach, and expand the required content of the consumer notice. The final HBNR will go into effect sixty days after its publication in the Federal Register.

Clarifying the Covered Entities
The FTC modified the definition of “PHR identifiable health information” and added definitions for “covered health care provider” and “health care services or supplies” to clarify that the HBNR applies to developers of mobile health applications and similar technologies not covered by HIPAA.

Clarifying the Covered Breaches
The FTC amended the definition of “breach of security” to clarify that the HBNR covers unauthorized acquisitions of identifiable health information that occur as a result of a data security breach or an unauthorized disclosure. The FTC noted that the HBNR covers unauthorized uses where an entity exceeds authorized access to use PHR identifiable health information, such as where the entity obtains the data for one legitimate purpose, but later uses that data for another purpose that was not authorized by the individual.

Clarifying What It Means for a Personal Health Record to Draw Information from Multiple Sources
The FTC amended the definition of “personal health record” (PHR) to mean an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual. The FTC clarified that a product is a personal health record if it can draw information from multiple sources, even if the consumer elects to limit information to a single source only, in a particular instance.

Revising What Constitutes a “PHR Related Entity”
The FTC revised the definition of “PHR related entity” to clarify that the HBNR covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. The FTC also specified that only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—qualify as PHR related entities.

Expanding the Method of Electronic Notice
The HBNR will authorize the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers. The HBNR will require notice effectuated via “electronic mail” to occur via email in combination with one or more of the following: text message, within-application messaging, or electronic banner messages.

Revising the Required Content of the Notice
The HBNR will require that the notice to individuals include: (1) full name or identity (or where providing name or identity would pose a risk to individuals or the entity providing notice, a description) of the third parties that acquired the PHR identifiable health information as a result of a breach of security; (2) a description of the types of unsecured PHR identifiable health information that were involved in the breach; (3) a description of what the entity that experienced the breach is doing to protect affected individuals; and (4) two or more contact procedures, which may include a toll-free telephone number, email address, website, within-application, or postal address.

Revising the Required Timing of the Notice
The HBNR will require that for breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than sixty calendar days after the discovery of a breach of security.

The unpublished Final Rule is available here. The FTC press release is available here.
Reporter, Jason A. de Jesus, Los Angeles, +1 213 443 4343,

California Hospitals Sue Insurance Company Over Delayed Patient Discharges

Last week, the California Hospital Association (CHA), which represents more than 400 hospitals, filed a lawsuit against Anthem Blue Cross (Anthem) alleging that Anthem’s untimely arrangement for, and authorization of, medically necessary post-acute care for Anthem’s members resulted in Anthem’s members being forced to need additional acute-care days in hospitals in violation of California laws. The lawsuit alleges that this practice, in combination with Anthem’s refusal to pay for the additional, avoidable days in the hospitals that Anthem required to occur, constitutes an unfair business practice in violation of California law.

Hospital Survey Reveals Insurance Delays are an Industry Problem
If a patient needs post-acute care, a hospital cannot discharge the patient until the patient’s health plan authorizes and arranges for such care. Hospitals allege that Anthem and other health plans routinely fail to authorize and arrange for such care, leaving patients in acute hospital beds when the patients no longer need such acute care and while those beds could be used for other patients who require acute care. According to a recent survey from CHA, an estimated 4,500 Californians daily spend unnecessary time occupying hospital beds waiting for their discharges to be approved for transfer to a more appropriate care setting after acute care. In the aggregate, these discharge delays result in a significant burden on California’s hospitals:

  • California hospitals provide an estimated 1 million days of avoidable inpatient care;
  • California hospitals provide an estimated 7.5 million hours of avoidable emergency department care; and
  • $3.25 billion in hospital costs are expended that could otherwise be avoided.

The survey notes that discharge delays place a particular burden on the hospitals because insurers typically do not reimburse the hospital for patient stays for patients who have been medically cleared for discharge to a post-acute care setting.

California Hospital Association Seeks Injunctive Relief Against Insurance Delays
According to the complaint filed by CHA, the California’s Knox Keene Act “precludes Anthem from unilaterally discontinuing authorization for ongoing acute care before there is an agreement between Anthem and the treating provider for post-acute care.” The complaint alleges that Anthem ignores this obligation by failing to arrange for post-acute care for its members and simultaneously discontinuing authorization and payment for the ongoing care that the hospital is still providing to the patient awaiting transfer.

The complaint contains four patient examples of Anthem failing to timely arrange for post-acute care while at the same time denying payments to the hospital while the patient had to remain in the hospital receiving acute care. For those patient examples, the complaint alleges Anthem denied payment to hospitals for between 7 to 28 days even though Anthem had forced the additional acute care to be needed rather than care at a post-acute facility.

According to CHA, the alleged practices amount to unlawful and unfair business practices under California’s Unfair Competition Law. Resultingly, CHA seeks an injunction to stop these alleged practices by Anthem from continuing.

CHA is represented by King & Spalding in its lawsuit against Anthem.

The complaint filed by CHA can be accessed here.
Reporter, Christopher C. Jew, Los Angeles, + 1 213 443 4336,, and William H. Mavity, Los Angeles, + 1 213 218 4043,


FTC Issues Near-Total Ban on Non-Competes in Final Rule, with a Narrow Exception for Existing Agreements with “Senior Executives”
On April 23, 2024, the Federal Trade Commission approved its final rule banning non-compete agreements nationwide with limited and narrow exceptions. The final rule has exceedingly broad reach, invalidating existing non-competes and prohibiting future non-competes, regardless of industry and regardless of whether a worker is an employee or an independent contractor. The final rule will become effective 120 days from the date it is published in the Federal Register and court challenges seeking to enjoin the final rule are expected. For additional information and insight, read the full King & Spalding Client Alert here.