ARRA: Let the NPRMs Begin

The Federal Trade Commission has its ARRA homework well under way. Yesterday it announced its notice of proposed rulemaking (NPRM) on data breach notification.

The American Recovery and Reinvestment Act establishes the first federal requirements on health data breach reporting and notification. It assigns the Department of Health and Human Services to oversee organizations that qualify as covered entities and business associates under HIPAA. It assigns the FTC to oversee everyone else, including vendors of personal health records.

Both HHS and FTC are required to publish final interim regulations by August 16. The provisions become effective 30 days after publication.

According to an FTC press release, the proposed rule:

  • Requires “vendors of personal health records and related entities” to notify consumers of a breach
  • Requires a service provider to a PHR vendor to notify the vendor of a breach, which in turn must notify its customers
  • Defines the triggers for a notice, as well as the timing, method, and content of the notice
  • Requires that entities notify the FTC of a breach, which will in turn post the information on its Web site and share with HHS

The NPRM will appear in the Federal Register shortly, according to FTC.

Public comments on the notice of proposed rulemaking are due by June 1. AHIMA’s commentary will available on this site in advance of that date.

Update April 20: HHS released its required guidance on rendering protected health information unreadable on April 17. The guidance relates to both HHS’s and the FTC’s breach notification regulations. HHS is accepting comments until May 21.

1 Comment

  1. Lisa’s comments are right on, but I would add, and think both the renect incidents we have witnessed as well as the results of the renectly released HIMSS Analytics Study on the Impact of HITECH on Healthcare Privacy and Security would support, that many Business Associates have not stepped up to their responsibility and present a real risk to the Covered Entities they work with. I think the Study cited over 30% of Business Associates interviewed did not even know that HIPAA had been extended to cover them. I know this is something that many have spoken to and written about, but clearly greater outreach to businesses serving the healthcare industry is needed to close this gap. Subcontractors are more at risk as they are by definition one or more layers removed from the Covered Entity and may not have direct interaction. Business Associates will need to ensure their subcontractors receive appropriate notice and education as well.Part of the responsibility for this outreach belongs to the Covered Entities themselves, and many would argue that they alone are in the best position to accomplish this. First because they know who their Business Associates are, and secondly because there is an obligatory relationship garnering the Business Associates attention. They also have a responsibility to identify who their Business Associate and to review those relationships to make sure the proper documentation is in place. In fact, some hospitals have already begun tightening up their processes with venders by including security specifications in RFPs and selection criteria, revising and reissuing Business Associate Agreements to address updated requirements from HITECH, and even formal Security Agreements detailing as part of their contracts to ensure expectations for data privacy and protection are clearly articulated and conveyed.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!