The Federal Trade Commission (FTC) released proposed regulations entitled the “Health Breach Notification Rule” (the Rule) on April 16. At this time we are concerned with the FTC’s broad interpretation of PHR related entities and PHR identifiable health information. Hopefully these terms will be more strictly defined in the Final Rule as the FTC addresses comments submitted by interested parties. The proposed regulations are available here: Proposed PHR Security Breach Notification Rule. The official announcement is available at http://www.ftc.gov/opa/2009/04/healthbreach.shtm.
Generally, the regulations implement new breach notification requirements for Personal Health Records (“PHRs”). The Rule was promulgated pursuant to section 13407(g)(1) of the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”). The FTC Rule applies to vendors of personal health records and related entities not covered directly by HIPAA. The FTC’s Rule will likely parallel regulations that the Department of Health and Human Services (“HHS”) will promulgate for entities covered by HIPAA no later than August 17.[1] Public comments on the FTC’s proposed Rule are due by June 1, 2009. Comments can be submitted online at https://secure.commentworks.com/ftc-healthbreachnotification/. The Final Rule will apply to security breaches on or after September 18, 2009. Table 1 (below) provides a summary of the new regulations for your reference. Details of particular note, including the broad application of the Rule, are discussed at length below.
Table 1 – Summary of PHR Breach Notification Rule (16 CFR 318, et seq.)

| Section & Description | Summary |
| --- | --- |
| 318.1 – Purpose and scope. | The Rule applies to vendors of Personal Health Records, PHR related entities, and third party service providers. The Rule does not apply to HIPAA-covered entities or to an entity’s activities as a business associate of a HIPAA-covered entity. |
| 318.2 – Definitions. | Defines breach of security, personal health record, PHR identifiable health information, PHR related entity, third party service provider, unsecured, and vendor of personal health records. |
| 318.3 – Breach notification requirement. | Defines the scope of notice required under the Rule and when a breach is treated as discovered. |
| 318.4 – Timeliness of notification. | Notification must be made without unreasonable delay and in no case later than 60 days following discovery. Defines the burden of proof for delay beyond 60 days where requested by law enforcement. |
| 318.5 – Methods of notice. | First class mail generally, but other methods may be indicated in certain scenarios, including media, posting on a website, etc. |
| 318.6 – Content of notice to individuals. | Notice should include a description of the incident, what information was compromised, and guidance on how to protect against identity theft, including resources available to the individual to assist in mitigating the security risk. |
| 318.7 – Enforcement. | Non-compliance is treated as an unfair or deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. § 57a(a)(1)(B)) regarding unfair or deceptive acts or practices. |
| 318.8 – Effective date. | September 18, 2009. |
| 318.9 – Sunset. | The Rule will sunset on the effective date of regulations implementing new legislation from Congress addressing PHR breach notification requirements. |
Of particular note, the Proposed Regulations expand the traditional scope of the FTC’s enforcement authority:
The Commission also notes that the proposed rule applies to entities beyond the FTC’s traditional jurisdiction under Section 5 of the FTC Act, since the Recovery Act does not limit the FTC’s enforcement authority to its enforcement jurisdiction under Section 5. Indeed, section 13407 of the Recovery Act expressly applies to “vendors of personal health records and other non-HIPAA covered entities,” without regard to whether such entities fall within the FTC’s enforcement jurisdiction. Thus, the proposed rule would apply to entities such as non-profit entities that offer personal health records or related products and services, as well as non-profit third party service providers.
(Health Breach Notification Rule pp 6-7)
The definition of breach of security follows the same basic framework as state-based security breach notification laws. Section 318.2 defines “breach of security” as the acquisition of unsecured PHR identifiable health information of an individual without the authorization of the individual. This definition is identical to the definition of “breach of security” found in section 13407(f)(1) of the Recovery Act. Of significant note, the term “acquisition”, according to the FTC, “suggests that the information is not only available to unauthorized persons, but in fact has been obtained by them.” (Health Breach Notification Rule at 8).
The FTC describes a scenario in which a technical security breach may have occurred without acquisition of health information; in that scenario the incident does not meet the definition of “breach of security” under the Rule. The scenario: when an employee inadvertently accesses a database, but realizes that it was not the one he or she intended to view, and logs off without reading, using, or disclosing anything, there has been no breach of security. (Health Breach Notification Rule at 9). There is, however, a presumption that a breach involves an acquisition of health information:
[T]his presumption can be rebutted with reliable evidence showing that the information was not or could not reasonably have been acquired. Such evidence can be obtained by, among other things, conducting appropriate interviews of employees, contractors, or other third parties; reviewing access logs and sign-in sheets; and/or examining forensic evidence.
(Health Breach Notification Rule at 9)
The terms PHR related entity and PHR identifiable health information are key to understanding the scope of the Rule. Section 318.2(f), defining PHR related entities, follows the same definition set forth in clauses (ii), (iii), and (iv) of section 13424(b)(1)(A) of the Recovery Act. PHR related entities include non-HIPAA-covered entities “that access information in a personal health record or send information to a personal health record.” (16 CFR 318.2(f)).
The term PHR identifiable health information needs clarification. PHR identifiable health information is
“individually identifiable health information,” as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information: (1) that is provided by or on behalf of the individual; and (2) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
(16 CFR 318.2(e)).
The FTC broadly interprets the term identifiable health information as including “the fact of having an account with a vendor of personal health records or related entity, where the products or services offered by such vendor or related entity relate to particular health conditions.” (Health Breach Notification Rule at 12). Examples where, under the FTC’s interpretation, breach notification would be required even though no specific health information is disclosed include “the theft of an unsecured customer list of a vendor of personal health records or related entity directed to AIDS patients or people with mental illness.” (Health Breach Notification Rule at 12).
PHR related entity excludes HIPAA-covered entities and business associates of HIPAA-covered entities. However, PHR related entities include any entity that offers products or services through the website of a PHR vendor, any entity that offers products or services through the website of a HIPAA-covered entity that also offers individuals PHRs, and any entity that accesses information in a PHR or sends information to a PHR. (16 CFR 318.2(f)). Many organizations will unexpectedly be covered by the FTC’s rather broad interpretation of PHR related entities and PHR identifiable health information if these terms cannot be more strictly defined through the public comment process.
Of particular note, a breach will be treated as discovered “as of the first day on which such breach is known to a vendor of personal health records, PHR related entity, or third party service provider, respectively, including any person (other than the individual committing the breach)” (16 CFR 318.3(c)). Notice must be provided without unreasonable delay and no later than 60 days; however, the FTC must be notified within 5 business days where the breach involves more than 500 individuals. (16 CFR 318.4). Where a breach involves fewer than 500 individuals, a PHR related entity must report such incidents in a yearly report to the FTC.
Finally, section 318.9 clarifies that the Rule will sunset when Congress enacts new legislation affecting PHR related entities and third party service providers to PHR vendors.
[1] HIPAA Covered Entities include health care providers, payors and clearinghouses. Under the HITECH Act Business Associates of Covered Entities will also be covered by security breach notification requirements.
