Final rule applies to vendors of personal health records and related entities
The HITECH Act requires FTC, in consultation with HHS, to study potential privacy, security and breach notification requirements for vendors of personal health records (“PHRs”) and other entities that are not otherwise covered by HIPAA, and submit a report (the “FTC/HHS Study”) to Congress within one (1) year of enactment of the HITECH Act. Until Congress enacts new legislation resulting from the FTC/HHS Study, the FTC Rule will serve as the FTC’s regulatory framework to enforce the breach notification requirements imposed by the HITECH Act. The FTC Rule does not apply to HIPAA-covered entities or business associates of HIPAA-covered entities, which are covered by the HHS Rule. The HHS Office for Civil Rights will enforce the HHS Rule as part of its enforcement of the HIPAA Privacy and Security Rules. The intent is for the HHS Rule and the FTC Rule to be harmonized so that individuals only receive one (1) notice in the event of a security breach. Both the FTC Rule and HHS Rule provide several helpful examples of situations in which HHS or FTC could have overlapping jurisdiction.
The FTC Rule requires PHR vendors to notify affected customers and the FTC upon discovery of a breach of “unsecured” individually identifiable health information (“IIHI”) contained in a PHR maintained or offered by such vendor. The FTC Rule applies to any business with IIHI of U.S. customers, regardless of whether the entity is located within the U.S. The FTC Rule formally adopted the Guidance of the Secretary of HHS (discussed here: http://www.saul.com/common/publications/pdf_2016.pdf) on the technologies and methodologies that render IIHI in a PHR “secured.” With the release of the HHS Rule, pursuant to the HITECH Act, the updated guidance contained within the HHS Rule now governs the FTC Rule. Importantly, the FTC Rule clarifies that de-identified information is not subject to the FTC Rule, but information contained in a “limited data set” (as defined in HIPAA) may be subject to the FTC Rule if it could be used, either alone or in conjunction with other data, to identify an individual.
While the FTC Rule generally maintains the definition of “breach” from the NPRM, there are certain important changes. First, the FTC Rule retains the presumption that unauthorized “acquisition” has occurred when there is unauthorized access to unsecured IIHI, unless the entity can prove that there has not been, or could not reasonably have been, any unauthorized acquisition of such information. However, the FTC Rule offers an additional way for entities to meet this burden of proof. Where an employee inadvertently accesses such IIHI, no notification is required if (i) the employee follows the entity’s policies by reporting the inadvertent access and affirming that no IIHI was read or shared, and (ii) the entity conducts a reasonable investigation to corroborate the employee’s account. Second, in the explanation accompanying the FTC Rule, the FTC states that “authorization” to acquire IIHI will be assessed based on the entity’s privacy policy and the individual’s reasonable expectations as to how his or her data will be used. Where IIHI will be shared, however, the FTC Rule makes clear that “meaningful” disclosure is required, and that disclosure “buried” in a long privacy policy will not support a claim that access was authorized.
The FTC Rule adopts the NPRM definition of a “PHR related entit[y]” as an entity that: “(1) offers products or services through the website of a vendor of [PHRs]; (2) offers products or services through the websites of HIPAA-covered entities that offer individuals [PHRs]; or (3) accesses information in a [PHR] or sends information to a [PHR].” The FTC Rule identifies a “third party service provider” as an entity that: “(1) provides services to a vendor of [PHRs] in connection with the offering or maintenance of a [PHR] or to a PHR related entity in connection with a product or service offered by that entity; and (2) accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.” However, the FTC Rule clarifies that such entities are subject to the FTC Rule only to the extent that they suffer a breach of unsecured IIHI in a PHR.
The FTC Rule states that when unsecured IIHI is breached, notice must be given to affected individuals “without unreasonable delay” and in any event no more than 60 days after discovery of the breach. In a significant change from the NPRM, the FTC Rule states that a breach is “discovered” at the point in time at which any person (other than the one committing the breach) who is an employee, officer, or other agent of the vendor knows or “should reasonably have known” that a breach has occurred. The FTC Rule notes that such other agents could include a third party service provider, and that the knowledge of such employees, officers or other agents is imputed to the PHR vendor. In addition, the FTC Rule makes clear that entities must maintain reasonable security measures, including breach detection measures, and that a failure to maintain such measures would be a violation of the FTC Rule if an entity fails to provide notification of a breach that the entity “reasonably” would have known about had such measures been in place. In another departure from the NPRM, the FTC Rule states that email may be used to deliver breach notification, provided that the individual user is given the opportunity to select notification via first class mail instead.
For a breach involving 500 or more individuals’ information, the FTC must be notified no more than 10 business days from the date of discovery. For a breach involving fewer than 500 individuals’ information, the vendor may maintain a log of any such breaches occurring over the ensuing calendar year and submit the log to the FTC at the end of the year. For 2009, vendors are required to log and submit breach information beginning on the effective date of the FTC Rule. The contents and methods of notification are prescribed in detail in the FTC Rule, and may include a posting on the vendor’s website and notice to “prominent media outlets” for breaches involving more than 500 individuals’ information. The form for submitting breach notifications to the FTC is available here: http://www.ftc.gov/os/2009/08/R911002hbnform.pdf.
In addition to the notification requirements for PHR vendors, the FTC Rule also requires “PHR related entities,” and “third party service providers,” who discover a breach to give timely notice to a designated contact person at the vendor or PHR related entity (where the third party service provider is providing services to such entity), who must acknowledge receipt of the notification for it to be effective. The PHR vendor will then be obligated to provide appropriate notice to affected individuals and to the FTC, as described above, unless the vendor and PHR related entity or third party service provider have contracted otherwise. As detailed in the FTC Rule, in certain limited cases, the FTC would prefer that PHR vendors contract with PHR related entities or third party service providers to provide notice to customers directly.
Similar to HIPAA, the FTC Rule preempts only contrary state laws. A state law that imposes additional, rather than contradictory, breach notification requirements is not preempted by the HITECH Act or the FTC Rule. The FTC estimates that approximately 900 entities will be subject to the FTC Rule, and that an average of 232,000 consumers per year will receive a breach notification. The FTC Rule is effective on September 24, 2009. Given the changes required to comply, the FTC has stated that it will exercise discretion in enforcement of the FTC Rule for the first 180 days from publication in the Federal Register (i.e., until February 21, 2010). After 180 days, all vendors of PHRs, PHR related entities and third party service providers are expected to be in full compliance.
There are certain issues which the FTC has noted are beyond the scope of the FTC Rule. However, the FTC has suggested that it will provide recommendations to Congress, as required by the HITECH Act, regarding privacy, security and breach notification requirements by February 2010.
The FTC Rule contains many important provisions. Vendors of personal health records and related entities should review the FTC Rule and comments accompanying the FTC Rule carefully, as well as the HHS Rule and the Guidance identified above. Importantly, PHR vendors and related parties should review their information security measures to mitigate, in advance, potential breach issues and be prepared to respond consistent with the FTC Rule’s requirements should a breach occur.
Bruce D. Armon and Scott D. Patterson are partners with Saul Ewing. Evan J. Foster is an associate with Saul Ewing.
—
This publication has been prepared by Saul Ewing LLP’s Health Law Practice Group for information purposes only. The provision and receipt of the information in this publication (a) should not be considered legal advice, (b) does not create a lawyer-client relationship, and (c) should not be acted on without seeking professional counsel who have been informed of the specific facts. Under the rules of certain jurisdictions, this communication may constitute “Attorney Advertising.”
Reprinted with permission of Saul Ewing LLP.