FTC Seeks Comments on Health Breach Notification Rule

The Federal Trade Commission (FTC) recently announced a review and open comment period for the Health Breach Notification Rule, 16 C.F.R. Part 318 (the “Rule”), which requires vendors of personal health records (PHR) and related entities that aren’t covered by HIPAA to provide notice for breaches of personally identifiable health data.  Since its adoption by the FTC in 2009, the Rule has been largely overshadowed by HIPAA and its implementing regulations.  The FTC is now considering whether the Rule should be updated, or even pared back, to keep up with the times.  The public comment period will extend until August 20, 2020.

Given the patchwork of data breach laws now in place in every state, an expansion of the Rule could very well add to the already difficult task that is data breach notification analysis for companies operating in the healthcare sector.

Overview of the Rule

The Rule, which was issued pursuant to the American Recovery and Reinvestment Act of 2009 and became effective on August 25, 2009, applies to vendors of PHRs; PHR-related entities who interact with vendors of PHRs by offering products or services through such vendors; and third-party service providers for vendors of PHRs or related entities.  PHRs are typically collected from multiple traditional healthcare institutions and are managed, shared, and controlled by or primarily for the individual.  The Rule requires vendors of PHRs and PHR-related entities to report a “breach of security” involving PHRs to the FTC, the media (in some cases), and directly to consumers.  Service providers to such entities that assist in the processing of PHRs (like billing or data storage companies) also have notice obligations to report such breaches to their business customers.  Under the rule, “breach of security” is defined as the acquisition of unsecured identifiable health information that is in a PHR without the authorization of the individual.  Notice is required no later than 60 days of discovering the breach, unless more than 500 people are impacted (in which case the FTC must be notified within 10 days).

In many cases, the companies and their vendors that offer products or services involving collection and aggregation of such PHRs on behalf of a consumer may not be subject to HIPAA as covered entities or business associates.  Similarly, such PHRs are often not considered HIPAA-covered information once the records are no longer created or maintained by or on behalf of a hospital, pharmacy, insurance plan, or other HIPAA covered entity.

For example, a company that offers consumers an online platform to automatically consolidate their medical records from multiple care providers using the consumer’s login information for each separate care provider (which may be a covered entity under HIPAA), would typically not be required to give notice of a breach pursuant to HIPAA, but rather would be subject to the notification requirements set forth in the Rule.

History and Future of the Rule

Interestingly, the FTC has never brought an enforcement action for a violation of the Rule, and only two companies have notified the FTC about breaches affecting more than 500 people (as are published online by the FTC).

The FTC acknowledges that, while the Rule may have fallen into disuse, it may yet become relevant once again, and the FTC is open to comments both about the continued need for the Rule and about proposed modifications. In calling for comments, the FTC notes that more companies might be subject to the Rule, and perhaps the rumors of its demise have been exaggerated.  For example, an increasing number consumers are seeking out and using direct-to-consumer healthcare data solutions that reside outside of the traditional HIPAA-regulated spaces, such as mobile health applications, virtual assistants, and other online health tools designed to empower consumers’ control over and the data portability of their health records.  The FTC noted that it is also interested in hearing from the public about developments in healthcare products or services related to COVID-19 that should be addressed in the Rule.

As new technologies develop, and as health data becomes increasingly more valuable and in demand, this latest call for comments aligns with other federal efforts that emphasize the importance of protecting consumers’ rights in relation to their own health data.  As covered in our recent client alert, the Department of Health and Human Services Office for Civil Rights has indicated that it is prioritizing patient access rights, including taking steps to remove fees and other barriers to third-party platforms accessing and aggregating PHI on behalf of patients.  The Office of the National Coordinator for Health Information Technology (ONC) has similarly been working to advance the interoperability of health data APIs, in part to help individuals access their electronic health records across multiple sources.

Comments to the Rule are being accepted until August 20, 2020.  The regulatory review action and request for public comment are available online here.