FTC and HHS Issue Healthcare Notice of Breach Rules Under The American Recovery and Reinvestment Act of 2009
On August 17, 2009 the Federal Trade Commission (FTC) issued its final rule and on August 19, 2009 the Department of Health and Human Services (HHS) issued its interim final rule, both relating to notification of individuals when their health information is breached. The regulations are the result of requirements under the American Recovery and Reinvestment Act of 2009 (ARRA), with the HHS more specifically required under the Health Information Technology for Economic and Clinical Health (HITECH) Act, a part of ARRA. The HHS regulations apply to covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates. The FTC's rule, the Health Breach Notification Rule (Health Breach Rule), applies to both vendors of personal health records (PHR) – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records.
The FTC Health Breach Rule applies to foreign and domestic vendors of PHRs, PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act and preempts state law as specified in Section 13421 of ARRA. Breach is deemed to occur if there is unauthorized access to "unsecured" PHR identifiable health information of an individual.. The FTC cites to the Guidance issued by HHS to determine when the PHR information is unsecured. A PHR is defined as an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. PHR related entities are defined as an entity, other than HIPAA-covered entities or their business associates, that i) offers products or services through the website of a vendor of PHRs; ii) offers products or services through the websites of HIPAA-covered entities that offer individuals PHRs; or iii) accesses information in a PHR or sends information to a PHR. It will take some time to sort through the breadth of these definitions.
In the event of a breach, the Health Breach Rule requires the vendor of PHRs and PHR related entities to notify the affected individuals and the FTC. If a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The notice must be made within 60 days of "discovery" of the breach, which is defined as the first day it is known or should have been known. The specific means to notify and the content of the notice is also specified in this Rule. Similar, but not identical to the HHS interim final rule, the Health Breach Rule requires notification of the media within a state if more than 500 individuals in that state are affected. For breaches affecting less than 500 individuals, the notice to the FTC can be recorded in a log and reported annually. For more information, see www.ftc.gov/opa/2009/08/hbn.shtm.
The HHS interim final rule requires notification if there is a breach of "unsecured" protected health information (PHI). The regulations were developed by the HHS Office for Civil Rights (OCR). A "breach" is defined as acquisition, access, use or disclosure of PHI that "compromises the security or privacy" of the PHI, which is defined as posing a significant risk of financial, reputational, or other harm to the individual. The interim final rule provides specific exemptions from this definition of compromise. In the event of a breach of unsecured PHI, prompt notification to affected individuals of the breach is required and, if more than 500 individuals are involved, notice to the HHS Secretary and the media is also required. Breaches affecting fewer than 500 individuals still require notification of the individuals, but are only reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
Because the HHS interim final rule provides a safe harbor if the PHI is "secured" in compliance with HHS guidance, HHS also issued its updated Guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. For electronic PHI, the Guidelines require specific encryption processes approved by NIST for data at rest and data in transit. The Guidelines also address the necessary secure methods for retention of the key to the encryption. Specific destruction methods are indicated for media on which PHI is stored (both paper and electronic). For more information on the HHS interim final rule, see www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html.