Breach reporting requirements for businesses that collect, use, or disclose health data have changed this season, depending on whether your business or a portion of your business is regulated by the Health Insurance Portability and Accountability Act (HIPAA). Prior to the FTC’s recent enforcement actions, many healthcare businesses, such as telehealth providers, pharmacies, hospitals, and many other digital health businesses, as well as employers through their group health plans, were only worried about their breach reporting obligations under HIPAA. However, any business not subject to HIPAA, or to the extent it is not covered by HIPAA, is required under the FTC’s Health Breach Notification Rule (HBNR) to notify the FTC, affected individuals, and potentially the media in the event sensitive personal information such as health data is disclosed without the consent of the individual to whom it pertains.

Postmeds, also known as Truepill, a prescription fulfillment business, recently reported a data breach to the U.S. Department of Health and Human Services (HHS) affecting 2.3 million patients. Although this report likely satisfies Postmeds’ breach reporting obligations under HIPAA, it may not be sufficient for other covered entities and/or digital health businesses in the supply chain that conduct business with Postmeds and may or may not be regulated by HIPAA, because their breach reporting obligations may be different. Covered entities under HIPAA are required to notify HHS no later than 60 days after they discover a breach of unsecured protected health information, while business associates (service providers of covered entities) are required to notify their covered entity within this time frame, or more likely within the time frame agreed to in their business associate agreement. Other businesses not subject to HIPAA could potentially fall under the FTC’s authority, and may have additional breach reporting obligations under state breach notification laws as well.

Now is likely a good time to determine whether your business might have breach reporting obligations under HIPAA and/or under other federal and state law requirements. It is important that businesses at minimum understand what regulatory requirements might be applicable to their business, regardless of their current breach obligations. To do that, they must know what data they collect, use, and/or disclose as a part of their business. Only then can they understand whether they are collecting protected health information (PHI) under HIPAA, sensitive personal information (SPI) under the FTC’s breach notification rule, consumer health data under state-specific health privacy laws, or sensitive data under comprehensive state privacy laws, and determine whether they have corresponding obligations under any of these regulatory regimes concerning health data. Breaches of any data are problematic, but breaches of health data will bring regulatory eyes to your business and that of your vendors. Businesses would do well to determine whether:

  • the business, or some portion of its business, is subject to HIPAA;
  • the business has shared in the past, or is currently sharing, personal data with Postmeds or any other similar vendors in the healthcare supply chain;
  • the personal data it shares could be considered sensitive health data based on the context of the collection, use, or disclosure; and
  • the business has an incident response plan in place.

Finally, businesses should make sure internal privacy practices align with their public privacy promises.

Postmeds recently told federal regulators in a legally required notice that 2.3 million individuals had their personal information stolen in the breach. The company began sending written notices to affected individuals in early November.