Federal Register / Vol. 85, No. 100 / Friday, May 22, 2020 / Proposed Rules 31085

from a manufacturer, the instructions must be accomplished using a method approved by the Manager, Large Aircraft Section, International Validation Branch, FAA; or EASA; or Airbus SAS’s EASA Design Organization Approval (DOA). If approved by the DOA, the approval must include the DOA-authorized signature.

(3) Required for Compliance (RC): For any service information referenced in EASA AD 2020–0077 that contains RC procedures and tests: Except as required by paragraph (i)(2) of this AD, RC procedures and tests must be done to comply with this AD; any procedures or tests that are not identified as RC are recommended. Those procedures and tests that are not identified as RC may be deviated from using accepted methods in accordance with the operator’s maintenance or inspection program without obtaining approval of an AMOC, provided the procedures and tests identified as RC can be done and the airplane can be put back in an airworthy condition. Any substitutions or changes to procedures or tests identified as RC require approval of an AMOC.

(j) Related Information

(1) For information about EASA AD 2020–0077, contact the EASA, Konrad-Adenauer-Ufer 3, 50668 Cologne, Germany; telephone +49 221 89990 6017; email ADs@easa.europa.eu; Internet www.easa.europa.eu. You may find this EASA AD on the EASA website at https://ad.easa.europa.eu. You may view this material at the FAA, Airworthiness Products Section, Operational Safety Branch, 2200 South 216th St., Des Moines, WA. For information on the availability of this material at the FAA, call 206–231–3195. This material may be found in the AD docket on the internet at https://www.regulations.gov by searching for and locating Docket No. FAA–2020–0456.

(2) For more information about this AD, contact Vladimir Ulyanov, Aerospace Engineer, Large Aircraft Section, International Validation Branch, FAA, 2200 South 216th St., Des Moines, WA 98198; telephone and fax 206–231–3229; email [email protected].

Issued on May 15, 2020.
Lance T. Gant,
Director, Compliance & Airworthiness Division, Aircraft Certification Service.
[FR Doc. 2020–10978 Filed 5–21–20; 8:45 am]
BILLING CODE 4910–13–P

FEDERAL TRADE COMMISSION

16 CFR Part 318

Health Breach Notification

AGENCY: Federal Trade Commission.

ACTION: Regulatory review; request for public comment.

SUMMARY: The Federal Trade Commission (“FTC” or “Commission”) requests public comment on its Health Breach Notification Rule (the “HBN Rule” or the “Rule”). The Commission is soliciting comment as part of the FTC’s systematic review of all current Commission regulations and guides.

DATES: Written comments must be received on or before August 20, 2020.

ADDRESSES: Interested parties may file a comment online or on paper by following the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “Health Breach Notification Rule, 16 CFR part 318, Project No. P205405,” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Elisa Jillson (202–326–3001), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Background

The Commission typically reviews its rules every ten years to ensure that the rules have kept up with changes in the marketplace, technology, and business models.1 The Commission issued the HBN Rule in 2009, and companies were subject to enforcement beginning in 2010. The Commission now requests comment on the HBN Rule, including the costs and benefits of the Rule, and whether particular sections should be retained, eliminated, or modified. All interested persons are hereby given notice of the opportunity to submit written data, views, and arguments concerning the Rule.

1 See current ten-year schedule for review of FTC rules and guides at 85 FR 20889 (Apr. 15, 2020).

The HBN Rule, issued pursuant to section 13407 of the American Recovery and Reinvestment Act of 2009 (“Recovery Act” or “the Act”),2 became effective on August 25, 2009,3 and companies were subject to FTC enforcement beginning on February 22, 2010. Section 13407 of the Recovery Act created certain protections for “personal health records” or “PHRs,” electronic records of identifiable health information that can be drawn from multiple sources and that are managed, shared, and controlled by or primarily for the individual. Specifically, the Recovery Act recognized that vendors of personal health records and PHR related entities (i.e., companies that offer products and services through PHR websites or access information in or send information to PHRs) were collecting consumers’ health information but were not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (“HIPAA”).4 The Recovery Act directed the FTC to issue a rule requiring these entities, and their third-party service providers, to provide notification of any breach of unsecured individually identifiable health information. Accordingly, the HBN Rule requires vendors of PHRs and PHR related entities to provide: (1) Notice to consumers whose unsecured individually identifiable health information has been breached; (2) notice to the media, in many cases; and (3) notice to the Commission. The Rule also requires third party service providers (i.e., those companies that provide services such as billing or data storage) to vendors of PHRs and PHR related entities to provide notification to such vendors and entities following the discovery of a breach.

2 Public Law 111–5, 123 Stat. 115 (2009).
3 74 FR 42962 (Aug. 25, 2009).
4 Health Insurance Portability & Accountability Act, Public Law 104–191, 110 Stat. 1936 (1996).

The Rule requires notice “without unreasonable delay and in no case later than 60 calendar days” after discovery of a data breach. If the breach affects 500 or more individuals, notice to the FTC must be provided “as soon as possible and in no case later than ten business days” after discovery of the breach. The FTC makes available a standard form for companies to use to notify the Commission of a breach.5 The FTC posts a list of breaches involving 500 or more individuals on its website.6 This list only includes two breaches, because the Commission has predominantly received notices about breaches affecting fewer than 500 individuals.

5 Notice of Breach of Health Information, https://www.ftc.gov/system/files/documents/plain-language/2017_5_2_breach_notification_form.pdf.
6 Breach Notices Received by the FTC, https://www.ftc.gov/system/files/documents/plain-language/draft_breach_notices_received_by_ftc_2015.pdf.

Importantly, the Rule does not apply to health information secured through technologies specified by the Department of Health and Human Services (“HHS”) and it does not apply to businesses or organizations covered by HIPAA. HIPAA-covered entities and
their “business associates” must instead comply with HHS’s breach notification rule.7 The FTC has not had occasion to enforce its Rule because, as the PHR market has developed over the past decade, most PHR vendors, related entities, and service providers have been HIPAA-covered entities or “business associates” subject to HHS’s rule.8 However, as consumers turn towards direct-to-consumer technologies for health information and services (such as mobile health applications, virtual assistants, and platforms’ health tools), more companies may be covered by the FTC’s Rule.

7 HIPAA Breach Notification Rule, 45 CFR 164.400–414, available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
8 Id.

II. Rule Review

The Commission periodically reviews all of its rules and guides. These reviews seek information about the costs and benefits of the Commission’s rules and guides and their regulatory and economic impact. The information obtained assists the Commission in identifying those rules and guides that warrant modification. Therefore, the Commission solicits comments on, among other things, the economic impact and benefits of the Rule; possible conflict between the Rule and state, local, or other federal laws or regulations; and the effect on the Rule of any technological, economic, or other industry changes.

III. Questions Regarding the HBN Rule

The Commission invites members of the public to comment on any issues or concerns they believe are relevant or appropriate to the Commission’s review of the HBN Rule, and to submit written data, views, facts, and arguments addressing the Rule. All comments should be filed as prescribed in the ADDRESSES section of this document, and must be received by August 20, 2020. If your comment proposes any modifications to the Rule, please also address whether your proposed modification may conflict with the statutory provisions of the Recovery Act and, if so, whether you propose seeking legislative changes to the Recovery Act. The Commission is particularly interested in comments addressing the following questions:

A. General Issues

1. Is there a continuing need for specific provisions of the Rule? Why or why not?

2. What benefits has the Rule provided to consumers? What evidence supports the asserted benefits?

3. What modifications, if any, should be made to the Rule to increase the benefits to consumers?
a. What evidence supports the proposed modifications?
b. How would these modifications affect the costs the Rule imposes on businesses, including small businesses?

4. What significant costs, if any, has the Rule imposed on consumers? What evidence supports the asserted costs?

5. What modifications, if any, should be made to the Rule to reduce any costs imposed on consumers?
a. What evidence supports the proposed modifications?
b. How would these modifications affect the benefits provided by the Rule?

6. What benefits, if any, has the Rule provided to businesses, including small businesses? What evidence supports the asserted benefits?

7. What modifications, if any, should be made to the Rule to increase its benefits to businesses, including small businesses?
a. What evidence supports the proposed modifications?
b. How would these modifications affect the costs the Rule imposes on businesses, including small businesses?
c. How would these modifications affect the benefits to consumers?

8. What significant costs, if any, including costs of compliance, has the Rule imposed on businesses, including small businesses? What evidence supports the asserted costs?

9. What modifications, if any, should be made to the Rule to reduce the costs imposed on businesses, including small businesses?
a. What evidence supports the proposed modifications?
b. How would these modifications affect the benefits the Rule provides to consumers?

10. What evidence is available concerning the degree of industry compliance with the Rule?

11. What modifications, if any, should be made to the Rule to account for changes in relevant technology, economic conditions, or laws? For example, as the healthcare industry adopts standardized application programming interfaces (“APIs”) to help individuals to access their electronic health information with smartphones and other mobile devices (as required by rules implementing the 21st Century Cures Act 9), will the number of entities subject to the Commission’s HBN Rule increase?
a. What evidence supports the proposed modifications?

9 45 CFR parts 170 and 171.

12. Are there modifications or changes the Commission should make to the Rule to address any developments in health care products or services related to COVID–19?

13. Does the Rule overlap or conflict with other federal, state, or local laws or regulations? If so, how?
a. What evidence supports the asserted conflicts?
b. With reference to the asserted conflicts, should the Rule be modified? If so, why, and how? If not, why not?

B. Specific Issues

1. What evidence exists that the Rule has resulted in under-notification, over-notification, or an efficient level of notification?

2. Section 318.1 provides that the Rule does not apply to HIPAA-covered entities or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity. Has this limitation helped to harmonize the Commission’s HBN Rule with HHS’s rule? Why or why not?

3. Do the definitions set forth in § 318.2 of the Rule accomplish the Recovery Act’s goal of advancing the use of health information technology while strengthening the privacy and security protections for health information?

4. Are the definitions in § 318.2 clear and appropriate? If not, how can they be improved, consistent with the Act’s requirements?

5. Should the definition of “PHR identifiable health information” in § 318.2(d) be modified in light of technological advances in methods of de-identification and re-identification? If so, how, consistent with the Act’s requirements?

6. Should the definitions of “PHR related entity” in § 318.2(f), “Third party service provider” in § 318.2(h), or “Vendor of personal health records” in Section 318.2(j) be modified in light of changing technological and economic conditions, such as the proliferation of mobile health applications (“apps”), virtual assistants offering health services, and platforms’ health tools? If so, how, consistent with the Act’s requirements?

7. Section 318.4 sets out the timing requirements for notification. Are these requirements clear and appropriate? If not, how can they be improved, consistent with the Act’s requirements?

8. Section 318.5 sets out the requirements for the method of notice of a breach. Are these requirements clear
and appropriate? Do technological changes, such as the increased use of in-app messaging, text messages, and platform messaging, warrant any changes to this section, consistent with the Act’s requirements?

9. Section 318.6 sets out the requirements for the content of notice of a breach. Are these requirements clear and appropriate? If not, how can they be improved, consistent with the Act’s requirements?

10. What are the implications (if any) for enforcement of the Rule raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platforms’ health tools?

IV. Instructions for Submitting Comments

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before August 20, 2020. Please write “Health Breach Notification Rule, 16 CFR part 318, Project No. P205405” on the comment. Because of the public health emergency in response to the COVID–19 outbreak and the agency’s heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comment online through the https://www.regulations.gov website. To ensure the Commission considers your online comment, please follow the instructions on the web-based form provided by regulations.gov. Your comment, including your name and your state, will be placed on the public record of this proceeding, including the https://www.regulations.gov website.

If you file your comment on paper, please write “Health Breach Notification Rule, 16 CFR part 318, Project No. P205405” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024.

Because your comment will be placed on the public record, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . . is privileged or confidential”—as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted publicly at www.regulations.gov, we cannot redact or remove your comment unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

Visit the Commission website at https://www.ftc.gov to read this document and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before August 20, 2020. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020–10263 Filed 5–21–20; 8:45 am]
BILLING CODE 6750–01–P

EXECUTIVE OFFICE OF THE PRESIDENT

Office of National Drug Control Policy

21 CFR Part 1401

RIN 3201–AA01

Freedom of Information Act

AGENCY: Office of National Drug Control Policy.

ACTION: Proposed rule.

SUMMARY: The Office of National Drug Control Policy (ONDCP) is updating its Freedom of Information Act (FOIA) implementing regulation to comport with the FOIA Improvement Act of 2016 and best practices. The proposed rule describes how to make a FOIA request with ONDCP and how the Office of General Counsel, which includes the ONDCP officials authorized to evaluate FOIA requests, processes requests for records. The proposed rule also states ONDCP’s Privacy Act Policies and Procedures. The proposed rule describes how individuals can find out if an ONDCP system of records contains information about them and, if so, how to access or amend a record. ONDCP seeks comments on all aspects of the proposed rule and will thoroughly consider all comments that are submitted on time.

DATES: Send comments on or before June 30, 2020.

ADDRESSES: You may send comments, identified by RIN number 3201–AA01 and/or docket number ONDCP–2020–002, by any of the following methods:
• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
• Email: [email protected]. Include docket number ONDCP–2020–002 and/or RIN number 3201–AA01 in the subject line of the message.
• Mail: Executive Office of the President, Office of National Drug Control Policy, 1800 G Street NW, 9th Floor, Washington, DC 20006.

Instructions: All submissions received must include the agency name and docket number or Regulatory Information Number (RIN) for this rulemaking. All comments received will be posted without change to http://www.regulations.gov including any personal information provided. ONDCP strongly recommends using electronic means for submitting comments. Due to COVID–19, comments submitted through conventional mail delivery services may not be received in a timely manner.

FOR FURTHER INFORMATION CONTACT: Questions concerning this notice should