The U.S. Federal Trade Commission (FTC) is seeking comment on its breach notification requirements for non-HIPAA-covered entities that collect personally identifiable health information.
The FTC’s Health Breach Notification Rule was issued in 2009 under the American Recovery and Reinvestment Act of 2009 (ARRA). The final rule was published in August 2009, took effect on September 24, 2009, and the FTC began enforcing compliance on February 22, 2010.
Healthcare data collected, maintained, or transmitted by healthcare providers, health plans, healthcare clearinghouses (HIPAA-covered entities) and their business associates is covered by the Health Insurance Portability and Accountability Act (HIPAA) and is classed as protected health information (PHI).
The FTC’s Health Breach Notification Rule applies to personal health records (PHRs), which are electronic records containing personally identifiable health information that are managed, shared, and controlled by or primarily for the individual. The FTC rule applies to vendors of personal health records and PHR-related entities, which are companies that offer products and services through PHR websites, send information to PHRs, or access some of the information in PHRs.
All entities covered by the FTC’s Health Breach Notification Rule are required to notify affected consumers without unreasonable delay and no later than 60 calendar days after discovery of a breach. If the breach affects 500 or more individuals, the FTC must be notified within 10 business days of discovery; smaller breaches are reported to the FTC in an annual log. If a breach is experienced by a third-party service provider, the service provider is required to notify the PHR vendor or PHR-related entity it serves, which then handles consumer and FTC notification. The FTC publishes notices of data breaches affecting 500 or more individuals on its website.
The FTC routinely reviews rules every 10 years. In the 10 years since the rule was passed, only 2 breaches have been published on the FTC website, as most breaches reported to the FTC have involved fewer than 500 records. The FTC also reports that it has not needed to enforce compliance, as the entities to which the rule applies are somewhat limited.
Most PHR vendors and related entities are either HIPAA-covered entities or business associates of those entities and are therefore required to comply with the HIPAA Breach Notification Rule; however, the FTC explains that its rule may soon apply to a greater number of entities.
“As consumers turn towards direct-to-consumer technologies for health information and services (such as mobile health applications, virtual assistants, and platforms’ health tools), more companies may be covered by the FTC’s Rule.”
The COVID-19 pandemic has increased use of these direct-to-consumer platforms, in part because the HHS Office for Civil Rights announced it would temporarily refrain from imposing financial penalties for the good-faith use of remote communication tools that are not fully HIPAA compliant when providing telehealth services. The FTC rule may therefore be more relevant today than it was 10 years ago when it was introduced.
The FTC is seeking answers to specific questions about its rule in relation to its effectiveness, benefits, and relevance to determine whether the rule should remain as it is, should be scrapped, or updated to increase the benefits to consumers.
Comment is being accepted for 90 days from the date of publication in the Federal Register. You can view a copy of the request for public comment on Bloomberg Law.