Perhaps most notable is the expansion of scope to any health related apps that are handling unsecured personal data.

“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”

[…]

The revised definition makes clear that the final rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. It also makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;

Also worth considering is a new notification requirement, which seems to recognize effective breach response team needs.

For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security

That’s a huge difference from the often threatened 72 or even 24 hour rule from lawyers, which risked undermining evidence gathering and therefore deny successful investigations.