20 August 2009

FTC Publishes Final Rule Governing Breaches Of Health Information

Foley & Lardner


On August 18, 2009, the FTC released the final rule with respect to certain breaches of unsecured health care data. The rule will come into effect 30 days after publication in the Federal Register, and the FTC will expect full compliance within six months of publication. While many of the notification requirements associated with a data incident will be familiar to those following the state breach-notice rules, the FTC's rule applies only to vendors of personal health records, their related entities, and service providers. It does not apply to "covered entities" under HIPAA.

The FTC's Health Breach Notification Rule (Final Rule) has its origins in the American Recovery and Reinvestment Act of 2009. One of the administration's priorities is the expansion of personal health records (PHRs), while trying to maintain the privacy and security of these electronic health files. Vendors of PHR systems were recognized as falling outside the scope of HIPAA even though the data stored within a PHR may be no different from that covered in another context by HIPAA's privacy and security requirements. The FTC's rule implements the statutory instruction that PHRs be subject to breach-notice obligations even if the more detailed data security rules from HIPAA do not apply.

The Final Rule specifies that notice of a breach must be made without unreasonable delay and, in no event, more than 60 days after discovery. It also details the method and content of notification, as well as the notice to media required when an incident affects more than 500 people. Entities covered by the Final Rule must also notify the FTC regardless of the number of people affected, which may portend greater agency enforcement activity.

At a practical level, there likely will be continued debate as to when a breach has occurred. The FTC's definition of breach is "acquisition... without the authorization of the individual." Notably, acquisition is presumed in the event of unauthorized access. This unauthorized access need not be from an external actor. The FTC points to the recently released HHS rule and the associated standards promulgated by the National Institute of Standards and Technology to determine when the health data is "unsecured."

While it may appear that the impact of the FTC's Final Rule is small because it focuses on vendors of PHRs, the Final Rule also applies to related entities of the PHR vendor and any service providers supporting PHRs. Microsoft, Google, hospitals and health systems are increasingly offering PHRs to consumers. Furthermore, a "vendor" of PHRs need not sell a service to be caught within the scope of the Final Rule: Even a PHR system developed by one or more companies for their own employees would be covered. The FTC's commentary on jurisdiction also makes clear that PHR systems outside the United States but holding health data of U.S. residents are subject to the notification requirements. Thus, the extraterritorial march of breach-notice regulations continues.

The full text of the 88-page Final Rule is available from the FTC's Web site.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
