The Federal Trade Commission’s (“FTC”) Health Breach Notification Rule (“Rule”) requires vendors of “personal health records” (“PHR vendors”) to notify consumers and the FTC in the event that the security of personally identifiable health information in a PHR maintained by the PHR vendor is breached. 16 C.F.R. § 318.3(a). Compliance with the Rule is required by February 22, 2010. 74 Fed. Reg. 42,962, 42,962 (Aug. 25, 2009).
A question has arisen as to whether these new requirements would apply to a property and casualty insurer when it collects medical information to process insurance claims. Based on our review of the issue and our discussion of it with FTC staff, we conclude that a property and casualty insurer using medical records for claims adjustment or similar business purposes should not be considered a PHR vendor.
The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), Pub. L. No. 111-5, 123 Stat. 226 (2009), “require[s] [PHR] vendors and entities offering products and services through a PHR vendor’s website, upon discovery of a breach of security of unsecured [personally identifiable] health information, to notify the individuals impacted and the FTC.” H.R. Rep. No. 111-16 at 498 (2009) (Conf. Rep.). The HITECH Act directs the FTC to make rules regarding security breach notifications for PHR vendors. See Pub. L. No. 111-5, at § 13407, codified at 42 U.S.C. § 17937.
The term PHR is defined as an electronic health record that is “managed, shared, and controlled by or primarily for the individual.” Pub. L. No. 111-5, at § 13400, codified at 42 U.S.C. § 17921. Congress clarified further that “PHRs include the kinds of records managed by or for individuals, but [do] not include the kinds of records managed by or primarily for commercial enterprises, such as life insurance companies that maintain such records for their own business purposes. By extension, a life insurance company would not be considered a PHR vendor under this subtitle.” Conf. Rep. 111-16 at 490 (emphasis added). In the Supplementary Information to the final Rule, the FTC “emphasize[d] that PHRs are managed, shared, and controlled ‘by or primarily for the individual,’” and reiterated the Congressional finding that PHRs “do not include the kinds of records managed by or primarily for commercial enterprises, such as life insurance companies that maintain such records for their own business purposes.” 74 Fed. Reg. at 42,967, n.61.
Although the legislative history and FTC Supplementary Information refer only to life insurers, and not to property and casualty insurers, this appears to be a distinction without a difference. Life insurers are provided only as an illustrative example of commercial enterprises that might maintain health records for their own business purposes.
In addition, we have spoken with the FTC staff responsible for administering and enforcing the Rule, who have informed us that they have no reason to conclude that property and casualty insurers should be treated differently from life insurers. According to the FTC staff, as long as the medical records are being managed by or for the insurer, and not the individual, the analysis would be the same. The staff cautioned that their comments are informal and not binding on the Commission.