Send FTC Your Comments on the Health Breach Notification Rule

The U.S. Federal Trade Commission (FTC) wants to get some feedback on its breach notification requirements intended for non-HIPAA-covered entities that gather personally identifiable health data.

The FTC introduced the Health Breach Notification Rule in 2009 together with the American Recovery and Reinvestment Act of 2009 (ARRA). The regulation became effective on August 22, 2010 and so the FTC began its active enforcement of compliance on February 22, 2010.

Healthcare information collected, stored, or transmitted by covered entities under the Health Insurance Portability and Accountability Act (HIPAA) including healthcare providers, healthcare clearinghouses and health plans, as well as business associates of covered entities is considered as protected health information (PHI).

The FTC’s Health Breach Notification Rule is applicable to personal health records (PHRs), or electronic records that contain personally identifiable health data that are kept, shared and controlled by or mainly for a particular person. The FTC rule is applicable to vendors of personal health records and PHR-associated entities, which are firms that send data to PHRs, provide products and services via PHR websites, or access certain data in PHRs.

All entities governed by the FTC’s Health Breach Notification Rule should send breach notifications to affected people and the FTC with no unreasonable delay and within 60 days from the time the breach was discovered. The FTC should be informed within 10 days of discovering a breach when it affects 500 or more people. When a service provider encounters a breach, the service provider needs to alert the PHR firm. The FTC website posts notices of data breaches impacting 500 or more people.

Every 10 years, the FTC typically evaluates the rules. Within the 10 years since the rule was first passed, the FTC website only published 2 breaches, because the majority of breach reports involved less than 500 records. The FTC additionally reports that enforcement of compliance was not needed because there were limited entities to which the regulation is applicable.

A lot of PHR vendors and associated entities are required to comply with the HIPAA Breach Notification Rule because they are either HIPAA-covered entities or business associates of those entities. Nevertheless, the FTC clarifies that a greater number of entities may soon be subjected to its rule.

As people make use of direct-to-consumer technologies (for instance mobile health apps, virtual assistants, and health tools), for their health data and services, more companies might need to follow the FTC’s Rule.

With the COVID-19 pandemic, the use of these communication platforms has increased considering the HHS temporary refrain from issuing financial penalties on entities that use non-HIPAA-compliant platforms in connection with the rendering of telehealth services. The FTC rule may consequently be more applicable now than 10 years ago.

The FTC wants to get feedback on certain questions concerning the effectiveness, advantages, and relevance of its rule to know whether to keep the rule as it is, scrap it, or update it to improve its benefits on consumers.

The Federal Register will accept comments for 90 days from the date of the rule’s publication. A copy of the request for public comment is available on Bloomberg Law.