FTC Releases Breach Notification Rule
Yesterday HHS published its breach notification rule for HIPAA covered entities. Today the Federal Trade Commission’s rule appeared in print, making it official also. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.
FTC’s rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. Both the FTC and the HHS rules were required by provisions in the American Recovery and Reinvestment Act, signed into law this past February.
As with the HHS rule, entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Neither HHS nor FTC amended the timeline specified in the ARRA provision.
The rule specifies that notifications should be written in plain language and include, to the extent possible, a brief description of what happened, the types of information involved, steps individuals should take to protect themselves, and a brief description of what the entity is doing to investigate and mitigate the breach. The notification must provide consumers with contact information that includes a toll-free number, e-mail address, and Web site or postal address.
Entities must also notify the FTC. Breaches involving more than 500 people must be reported within 10 business days of discovery. This doubles the time allowed in the proposed rule, which had set the deadline at 5 business days; commenters expressed concern that 5 days may not be enough to properly investigate an incident before reporting it. That change may get attention in California, where state law requires healthcare entities to notify both consumers and the state of breaches within 5 days.
The final page of the Federal Register notice includes a form that PHR vendors may use to file breach reports.
The FTC rule does not apply to HIPAA-covered entities or to “any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.” However, a company could serve both as a business associate of a HIPAA-covered entity and as a vendor of PHRs to the public. Such an entity could be subject to both the HHS and the FTC rules. The final rule provides several examples.
The rule defines a PHR as an “electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” The rule offers further definition of what information constitutes PHR identifiable health information.
Paper PHRs are not covered by the rule, because ARRA called for a rule covering electronic records only.
FTC defines a “PHR related entity” as an entity that “(1) offers products or services through the Web site of a vendor of personal health records; (2) offers products or services through the Web sites of HIPAA-covered entities that offer individuals PHRs; or (3) accesses information in a personal health record or sends information to a personal health record.”
The final rule adopts the definition of breach provided in the proposed rule: “the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual.”
The rule does preempt state law, but FTC clarified that the final rule preempts only contrary state laws.
A state law is contrary if it would be impossible to comply with both the state and the federal requirements, or if the state law “stands as an obstacle to the accomplishment and execution of the full purposes and objectives” of the federal requirements.
The rule does not preempt state laws imposing additional—as opposed to contradictory—breach notification requirements.