Federal Trade Commission Issues Proposed Breach Notification Rule
Health Law Update 04/23/09 Sarah E. Coyne, Melody A. Emmert
On April 16, 2009, the Federal Trade Commission ("FTC") announced that it is seeking comments on a proposed rule requiring vendors of personal health records (i.e., medical records allowing patient input and management) and other related entities to notify consumers of a breach in the security of their health information.
As explained in our recent health law update, President Obama signed into law the American Recovery and Reinvestment Act of 2009 ("ARRA") on February 17, 2009. ARRA requires the FTC to issue rules requiring vendors of personal health records ("PHRs") and certain related entities to notify individuals when the vendor discovers a breach of unsecured PHR data. ARRA recognizes that there are web-based entities that collect consumers' health information, and some of those entities are not subject to the requirements of the Health Insurance Portability and Accountability Act ("HIPAA"). With respect to such entities, ARRA requires the Department of Health and Human Services ("HHS") to study, in consultation with the FTC, potential privacy, security and breach notification requirements and to submit a report to Congress, detailing their recommendations in these areas within one year of the enactment of ARRA. Following that report, Congress may enact new legislation implementing some or all of the joint recommendations contained in the required HHS/FTC report. In the meantime, ARRA contains temporary requirements that such entities must notify customers of security breaches.
Note: The proposed rule does not apply to HIPAA-covered entities or to other entities to the extent that those entities engage in activities as business associates of HIPAA-covered entities. Instead, the proposed rule applies to vendors of electronic personal health records (i.e., entities that offer or maintain PHRs), PHR-related entities (i.e., entities that offer products or services through web sites of a vendor or HIPAA-covered entity or that access or send information to a PHR) and third-party service providers (i.e., entities that provide services to vendors of PHRs or PHR-related entities). However, to the extent that an entity otherwise subject to the FTC's proposed rule engages in activities as a business associate of a covered entity, such entity will be subject to HHS rules, as opposed to the FTC rule.
A breach occurs when unsecured identifiable health information in an individual's personal health record is acquired without the authorization of the individual. The information is "unsecured" when it is not protected through technology or methods approved by the Secretary of the Department of Health and Human Services. For additional direction regarding properly securing identifiable health information, please see the guidance document issued by HHS on April 17, 2009 (the "Guidance") and Quarles & Brady LLP's client update on the Guidance. While the Guidance does relate to covered entities and business associates, its instruction with respect to securing health information applies in this context, because a PHR that is properly secured will not be subject to the FTC's proposed rule.
Under the proposed rule, vendors of PHRs and PHR-related entities, following the discovery of a security breach of unsecured health information that is in a PHR, must notify each individual whose information is breached and must also notify the FTC.
Third-party service providers serving vendors of PHRs or related entities must provide notice of a breach to a senior official at the vendor or related entity to which it provides services. Such notification must include the identification of each individual whose unsecured health information has been, or is reasonably believed to have been, acquired during such breach.
Timing of Notice
All required notifications must be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach of security. A breach of security shall be treated as discovered as of the first day on which such breach is known to a vendor, PHR-related entity or third-party service provider, respectively, or should reasonably have been known to such entity.
Vendors and PHR-related entities must also provide notice to the FTC following the discovery of a breach of security. If the breach involves the unsecured health information of 500 or more individuals, then such notice shall be provided as soon as possible and in no case later than five business days following the date of discovery of the breach. If the breach involved the unsecured PHR identifiable health information of fewer than 500 individuals, the vendor of PHRs or PHR-related entity may maintain a log of any such breach occurring over the ensuing 12 months and submit the log to the FTC documenting breaches from the preceding year.
Method of Notice
Vendors and PHR-related entities must provide notice via first-class mail to the individual (or next of kin, if the individual is deceased) at the last known address of the individual or next of kin or, if the individual provides express consent, by electronic mail. In any "urgent" case, due to possible imminent misuse of unsecured health information, the entity may provide information to individuals by phone or other means, in addition to the required written notice. If the entity discovers that the individual's mailing address or email address is insufficient or out-of-date, it may attempt to provide a substitute form of notice. If more than 10 individuals cannot be contacted via the methods outlined above, the entity must provide notice through a conspicuous posting, for a period of six months, on the home page of its web site or in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside.
If the breach involves 500 or more residents, vendors and PHR-related entitles must provide notice to prominent media outlets serving the state or jurisdiction of those residents.
Content of Notice
A notice of a breach of security shall include the following:
(a) a brief description of how the breach occurred, including the date of the breach and the date of the discovery of the breach, if known;
(b) a description of the types of unsecured health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number or disability code);
(c) steps individuals should take to protect themselves from potential harm resulting from the breach;
(d) a brief description of what the entity is doing to investigate the breach, to mitigate losses and to protect against any further breaches; and
(e) contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.
The proposed regulation will apply to breaches of security that are discovered on or after September 18, 2009.
Comments on the proposed rule must be received on or before June 1, 2009, after which a final rule will be issued.
* * *
If you have any questions about this or other aspects of ARRA and HITECH, please contact Sarah Coyne at (608) 283-2435 / [email protected], Melody Emmert at (602) 229-5315 / [email protected] or your Quarles & Brady attorney.