In the last week of August, the Department of Health and Human Services ("HHS") and the Federal Trade Commission ("FTC") officially published their final rules concerning consumer notification of breaches of protected health information ("PHI"). Congress mandated that both rules be issued under the Health Information Technology for Economic and Clinical Health ("HITECH") Act, part of the American Recovery and Reinvestment Act of 2009.
The HITECH Act expanded the reach of the health data breach notification rules to personal health record (PHR) vendors and entities that market devices that allow consumers to upload their own health information. Some examples of these types of devices are body composition analyzers, blood pressure cuffs and pedometers. This marks the first time that federal medical privacy regulations have been applied to organizations that are not "covered entities" or their business associates, and also marks the first time that HHS and the FTC have been directed by Congress to engage in coordinated rulemaking.
The new HHS rule applies to HIPAA-covered entities and their business associates, while the new FTC rule applies to PHR vendors and related entities, and third-party service providers to such entities. The FTC and HHS intend to work together in enforcing the rules. Both rules require that consumers affected by a breach involving unsecured PHI be notified in writing within 60 days following the discovery of the breach, and business associates and service providers to one of these entities must promptly notify the entity of a breach so that it may notify consumers. The FTC rule also formally adopts HHS guidance on methodologies and technologies to render PHI "secured" (unusable, unreadable, or indecipherable to unauthorized parties). The rules specify the method and content of breach notification, both to consumers and to HHS and the FTC, as applicable. An entity whose breach affects 500 or more people must also notify local media outlets.
The new rules will apply to both intentional and unintentional breaches of PHI, ranging from a nurse accidentally faxing a patient's medical test report to the wrong telephone number to a rogue employee improperly selling patients' prescription information to a pharmaceutical marketing company. There is little doubt that the FTC and HHS will be kept quite busy processing breach notifications; by way of example, the California Department of Public Health received more than 800 reports of health data breaches in the first five months after a new state law became effective on January 1, 2009.
The HHS and FTC rules will become effective 30 days after their publication in the Federal Register, or September 24 and 25, respectively. However, both agencies stated that they will use their enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered within 180 days after publication of the rules. Also, HHS is seeking comments on the provisions of its rule (which is technically an "interim final rule ") within 60 days after its publication.
HHS news release:
FTC news release: