[Med-privacy] FTC Issues Final Health Breach Notification Rule

peter marshall pwm@comcast.net
Sat, 29 Aug 2009 14:49:39 -0700


FTC Issues Final Health Breach Notification Rule
==============================================================

The Federal Trade Commission has issued a final rule requiring breach
notification by vendors of personal health records and related entities.
The American Recovery and Reinvestment Act of 2009 establishes
provisions for advancing health information technology while
strengthening privacy and security protections for medical data.
Recognizing that some web-based entities that collect consumers'
health information are not subject to the existing Health Insurance
Portability and Accountability Act, the Recovery Act required the
Department of Health and Human Services to study, in consultation
with the Federal Trade Commission, potential privacy, security and
breach notification requirements and to submit a report to Congress.
Until Congress enacts new legislation implementing the
recommendations, the FTC's final rule will govern these requirements.
The proposed rule, published in April, called for public comments.

In June, EPIC submitted comments to the FTC on the proposed rule. EPIC
argued that the proposed regulation was not broad enough and should be
modified to ensure that all entities handling electronic health records
are subject to it, so that the privacy interests of citizens are
protected. EPIC also advised that entities report all breaches to the
FTC through a centralized mechanism, so that redundant breach notices
are less likely. The FTC modified the rule in line with EPIC's advice,
but exempted all federal agencies.

EPIC had also suggested that the FTC establish comprehensive privacy
and security standards and create a private right of action for
violations of the rule. EPIC further recommended that information
"accessed" be treated as "acquired," and that substitute media notices
such as text messaging and social networking be used to notify
individuals of breaches. Other suggestions included verification of
data breach notices, creation of minimum security standards, and
assessment of penalties for violations. EPIC opposed the creation of
"safe harbors" for de-identified data because of the uncertainties and
privacy risks associated with such information.

The final rule, 16 CFR Part 318, defines "breach of security" as the
acquisition of unsecured electronic health information without
authorization. The rule also defines other terms such as "business
associate," "HIPAA-covered entity," "personal health record," "PHR
identifiable health information," "PHR related entity," "state," "third
party service provider," "unsecured" PHR and "vendor of personal health
records."

The rule requires each vendor of personal health records, following the
discovery of a "breach of security" of unsecured PHR, to notify both
the individuals affected by the breach and the FTC. Third party service
providers are required to notify a designated official or a senior
official at the vendor of personal health records, and to obtain an
acknowledgement from that official that the notice was received. The
rule requires that breach notifications be sent without unreasonable
delay and no later than 60 calendar days after discovery of the
breach. Notice may be delayed, however, if a law enforcement official
determines that notification would impede a criminal investigation.

The Health Breach rule also prescribes the methods for individual
notice, media notice, and notice to the FTC. The notice must contain
a brief description of what happened, including the date of the
breach and the date of its discovery; a description of the types of
unsecured health information involved in the breach; the steps the
individual should take; a brief statement of the action taken by the
entity following the breach; and contact procedures for affected
individuals who want to ask questions or obtain additional
information.

The rule takes effect 30 days after its publication in the Federal
Register and sunsets on the effective date of any legislation, if
enacted, establishing notification requirements for health data
breaches. The FTC Health Breach Notification Rule does not apply to
HIPAA-covered entities or to any entity's activities as a business
associate of a HIPAA-covered entity.


FTC Health Breach Notification Rule:
      http://www.ftc.gov/os/2009/08/R911002hbn.pdf

EPIC's Comments to the FTC on the Health Breach Notification Rule:
      http://epic.org/privacy/medical/Comments_on_FTC_EHR-EPIC.pdf

FTC Issues Final Breach Notification Rule for Electronic Health
Information:
      http://www.ftc.gov/opa/2009/08/hbn.shtm

FTC Page on Health Data Breach:
      http://www.ftc.gov/healthbreach/

FTC Health Breach Notification Form:
      http://www.ftc.gov/os/2009/08/R911002hbnform.pdf

The American Recovery and Reinvestment Act of 2009:
      http://epic.org/redirect/022309_Stimulus_Act.html

EPIC - Identity Theft:
      http://epic.org/privacy/idtheft

EPIC - Medical Privacy:
      http://epic.org/privacy/medical

[EPIC]