In April 2009, both the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) issued proposed rules concerning the security of health data. The agencies issued the proposed rules pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), which includes provisions to advance the use of health information technology (Health IT) as well as to strengthen protections for the privacy and security of health information.
On April 16, 2009, the FTC released a proposed rule regarding personal health record (PHR) security breaches. PHRs are electronic, individually controlled repositories of health and medical information and history, including various online applications that allow tracking and management of particular, customized kinds of health information.
The proposed rule would require vendors of PHR systems and related entities to notify consumers and the FTC when a breach of those consumers' electronic health information occurs. Third-party service providers (entities that provide support services to PHR vendors and related entities) would be required, upon discovering such a breach, to notify the relevant vendors or related entities.
The proposed rule also contains requirements regarding the timeliness, method, and content of notice to individuals affected by a breach. Further, it requires that notice be given to the FTC as soon as possible (and no later than five business days following discovery of a breach) and to prominent media outlets for breaches involving the unsecured PHR information of 500 or more individuals. If a breach involves fewer than 500 individuals, PHR vendors and PHR-related entities may instead record the incident in a breach log submitted annually to the FTC.
The FTC rules will not apply to entities covered by the Health Insurance Portability and Accountability Act (HIPAA) or to their business associates; ARRA directs HHS to issue data breach notification rules for those entities, and the FTC and HHS have consulted with each other to harmonize their respective rules. Public comments will be accepted through June 1, after which the FTC will issue an interim final rule; the rule is scheduled to become effective on September 18, 2009.
As required by the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions of ARRA, on April 17 HHS issued guidance on the technologies and methodologies that render protected health information "unusable, unreadable, or indecipherable to unauthorized individuals." Information secured by one of these methods falls outside the breach notification requirements. The guidance builds on the HIPAA rules and describes steps that entities can take to secure health information. In particular, it specifies two methods for achieving this: encryption and destruction.
The HIPAA Security Rule defines encryption as the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. The guidance notes that encryption of data at rest consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, meets this standard, as does encryption of data in motion that complies with Federal Information Processing Standard (FIPS) 140-2. Two practical points follow from this definition: FIPS 140-2 validates cryptographic modules, not algorithms in isolation, so an approved algorithm implemented in an unvalidated library does not by itself satisfy the standard; and the protection holds only if the key is kept separate from the encrypted data, since a lost device that carries both the ciphertext and its key is not secured in any meaningful sense.
With respect to destruction of media containing protected health information (PHI), HHS identified two acceptable methods: (1) shredding or destruction of paper, film, or other hard-copy media such that the PHI cannot be read or otherwise reconstructed, or (2) clearing, purging, or destruction of electronic media consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved. Note that simply deleting files or reformatting a drive does not meet this bar; SP 800-88 distinguishes clearing (overwriting), purging (for example, degaussing or cryptographic erase), and physical destruction, and the appropriate method depends on the media type and its disposition.
The guidance was a collaborative effort by the Office for Civil Rights, the Office of the National Coordinator for Health IT, and the Centers for Medicare and Medicaid Services. It sought public comment on a number of issues relating to the technologies and methodologies discussed in the guidance, in addition to requesting comments on the breach notification provisions of the HITECH Act. HHS intends to use these comments to inform the breach notification regulations that it must issue within 180 days of ARRA's enactment on February 17, 2009. All public comments were due by May 21.