HIT Vendors Subject to Federal Trade Commission (FTC) Health Breach Notification Rule
On August 25, 2009, the Federal Trade Commission (FTC) published a final rule (the Rule) that requires online businesses that provide electronic personal health records (PHR) to alert consumers about security breaches that result in the release of identifiable personal health information. The Rule places health information technology (HIT) vendors under breach-notification requirements comparable to those that the health information privacy law, the Health Insurance Portability and Accountability Act (HIPAA), imposes on health care providers and their business associates. Online businesses that collect personal health records may need to develop a PHR security and notification compliance plan, review their insurance, and establish a crisis communication plan to prepare for a possible disclosure of PHR data or for class action lawsuits.
The American Recovery and Reinvestment Act of 2009 (ARRA) recognizes new types of vendors that collect consumers' health information yet are not subject to HIPAA requirements; this marks a substantial expansion of privacy and security regulation that can catch the unwary. The Rule applies to vendors of PHR that allow consumers to store their own information, as well as to PHR related entities that:
- Offer products or services through the web site of a vendor of PHR;
- Offer products or services through the web sites of HIPAA-covered entities that offer individuals PHR; or
- Access information in a PHR or send information to a PHR.
The obligations of the FTC Rule (codified at 16 CFR Part 318) apply to breaches discovered on or after September 24, 2009.
The Rule requires each vendor of PHR and PHR related entity to notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Where 500 or more individuals are affected, the FTC itself must also be notified within 10 business days of discovery. Because the 60-day period is an outer limit rather than a safe harbor, a vendor of PHR or PHR related entity should notify sooner where it deems notice urgent because of possible imminent misuse of unsecured PHR identifiable health information. To protect the PHR identifiable health information of consumers, and consistent with the parallel HHS rule for HIPAA-covered entities, the FTC requires vendors and PHR related entities to give notice of a breach of security to the following:
- The individuals named in the PHR;
- The FTC (if 500 or more individuals are affected, notification to the FTC must be made as soon as possible and not later than 10 business days after discovery of the breach; if fewer than 500 are affected, the vendor or entity must instead record specified information in a log of breaches and submit that log annually, within 60 calendar days after the end of the calendar year); and
- Prominent media outlets serving the affected individuals' state or jurisdiction, but only if a breach affects more than 500 residents of that state or jurisdiction.
The penalties for violating the Rule are steep. Violations are treated as unfair or deceptive acts or practices in violation of the FTC Act and its regulations, which the article's author reads as exposing vendors of PHR and PHR related entities to potential awards of treble damages and attorneys' fees. The Rule also builds in a sunset provision: it ceases to apply to breaches of security discovered on or after the effective date of regulations implementing any new legislation applicable to vendors of PHR or PHR related entities.