FTC Issues Final Rule on Breach Reporting by Personal Health Record Providers
On Aug. 17, 2009, the Federal Trade Commission (FTC) released its final breach notification rule. Read the FTC press release here: http://www.ftc.gov/opa/2009/08/hbn.shtm. The rule goes into effect 30 days after it is published in the Federal Register. The FTC states that it will not bring enforcement actions until 180 days after publication, while regulated entities come into full compliance with the rule. Violations are treated as unfair or deceptive trade practices under the FTC Act.
The rule implements the personal health record (PHR) breach notification requirements of the American Recovery and Reinvestment Act of 2009. A companion regulation for HIPAA-covered entities and business associates was issued by the Department of Health & Human Services (HHS) on Aug. 19. These rules are similar to the consumer notification laws enacted in most states, but broader than many state laws because the federal rules cover breaches of any individually identifiable health information, not just electronic information, and they are not limited to social security numbers and financial account information.
The FTC rule requires PHR vendors to notify U.S. citizen or resident consumers and the FTC of security breaches involving the unauthorized acquisition of unsecured identifiable health information. Businesses that offer products or services through PHRs—called PHR related entities—have the same obligations.
Notification to consumers must be made without unreasonable delay and no later than 60 calendar days after discovery (which is deemed to occur when the breach is known or should reasonably have been known). Notification may be delayed if a law enforcement official determines that it would impede a criminal investigation or damage national security.
If a breach involves 500 or more people, the local media must also be notified within the 60-day period. The FTC must always be notified of a breach: if the breach involves 500 or more people, notice must be provided to the FTC within 10 business days of discovery. The PHR vendor or related entity may maintain an annual log of breaches involving fewer than 500 people and submit the log to the FTC within 60 calendar days following the end of the year.
Third-party service providers must notify the PHR vendor or related entity of a breach, including identification of customers whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, acquired during the breach. Third-party service providers must provide notice of a breach to PHR vendors and related entities without unreasonable delay and no later than 60 calendar days after discovering the breach. The PHR vendor or related entity must then provide notice to the consumer.
The notice must be in plain language, describe what happened (including the date of the breach and the date of discovery), provide a description of the types of information involved, steps individuals should take to protect themselves, a brief description of what the entity is doing to investigate the breach, mitigate harm and protect against further breaches, and include contact procedures and information for people to follow up with questions.
Notice must be given by first-class mail, or by email if the individual is given a clear, conspicuous and reasonable opportunity to receive notice by first-class mail, and does not exercise that choice. If there are 10 or more individuals for whom the PHR vendor or related entity does not have current contact information, it must provide substitute notice either by posting notice for 90 days on the home page of its Web site, or by publishing it in major print or broadcast media. Any media or Web posting must include a toll-free phone number, which is to remain active for at least 90 days, for individuals to call to learn more information.
The final rule largely follows the proposed rule the FTC issued on April 16, 2009. Read Davis Wright Tremaine’s advisory on the proposed rule. Noteworthy changes and points of clarification in the final rule include:
- The rule expressly adopts the HIPAA pre-emption rule—it pre-empts contrary state notification laws, but if it is possible to comply with both laws, PHR vendors and related entities must do so.
- The rule requires PHR vendors and related entities to notify their third-party service providers that the service providers are subject to the rule.
- The rule omits the definition of “unsecured” information that appeared in the proposed rule, referring instead to HHS’ recently issued Guidance on the topic.
- The rule clarifies that a PHR entity or service provider is deemed to have knowledge of a breach if the breach is known, or reasonably should have been known, to any person (other than the person committing the breach) who is an employee, officer, or agent of the PHR entity or service provider.
- The period for which Web site postings must be maintained for individuals whose contact information is insufficient or out of date is shortened from six months to 90 days.
- The time for PHR vendors and related entities to provide notice to the FTC of breaches involving 500 or more people has been extended from five to 10 business days following the date of discovery of the breach.
- There is no prescribed content for notices to the media (the proposed rule would have required all the content provided to individuals).
- The final rule adds that the notice of a security breach must be in “plain language.” As an illustration of plain language, the rule now requires the notice to say “what happened,” rather than “how the breach occurred.”