On August 18, 2009, the Federal Trade Commission released its final Health Breach Notification Rule, as required by the American Recovery and Reinvestment Act of 2009 ("ARRA"). The Rule applies to personal health record ("PHR") vendors, PHR related entities and third party service providers. The Rule does not apply to HIPAA-covered entities or business associates of HIPAA-covered entities. Those entities will be covered under the separate health breach notification rule released on August 19, 2009, by the Department of Health and Human Services ("HHS").
The Final Rule will take effect 30 days after it is published in the Federal Register. However, in response to commenters who expressed concern that 30 days would not allow entities sufficient time to implement processes to comply with the Rule, the FTC stated that it would "use its enforcement discretion" and would not bring enforcement actions for failure to comply with the required notifications for breaches discovered during the 180-day period after the Final Rule is published in the Federal Register.
The FTC issued a Notice of Proposed Rulemaking on April 20, 2009, after which it received approximately 130 comments from the public, which it considered when drafting the Final Rule. The Final Rule requires PHR vendors, PHR related entities, and third party service providers who experience a breach of unsecured PHR identifiable health information to notify (a) the individuals whose information was breached; and (b) the FTC or, in the case of third party service providers, the affected PHR vendor or related entity. "Breach" is defined as the acquisition of unsecured PHR identifiable health information without the authorization of the individual. Notice must be provided as follows:
Timeliness of Notice - Notice must be made to individuals "without unreasonable delay" and in no case later than 60 calendar days after discovery of the breach. If the breach affects more than 500 individuals, notice must be made to the FTC within 10 business days after discovery of the breach. If fewer than 500 individuals are affected, the entity may maintain a log of smaller breaches and submit the log annually to the FTC no later than 60 days following the end of the calendar year.
Methods of Notice to Individuals - Notice to individuals must be sent to the individual's last known address via first-class mail, or by email if the individual did not choose to receive first-class mail. If the contact information for ten or more individuals is found to be outdated or insufficient, the entity must provide substitute notice in one of the following forms:
- Conspicuous posting on the home page of its website for a period of 90 days; or
- Notice in major print or broadcast media, including in the areas where the affected individuals likely reside. Such notice must include a toll-free phone number that individuals can call to learn whether they are affected by the breach. The phone number must remain active for at least 90 days.
Notice to Media - If the breach affects more than 500 residents of a particular state or jurisdiction, the entity must also notify "prominent media outlets" of the state or jurisdiction of the breach.
Content of Notice - Notices sent to individuals shall be "in plain language" and include the following:
- A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;
- A description of the types of unsecured PHR identifiable health information that was compromised;
- Steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the entity is doing to investigate the breach, mitigate harm, and protect against future breaches; and
- Contact procedures for individuals to ask questions or obtain additional information, including a toll-free number, an email address, website, or postal address.
In cases where the notification requirements of the FTC Rule conflict with the notification requirements of a particular state data breach notification statute, the FTC Rule takes precedence under the preemption clause included in the ARRA. However, entities subject to state laws imposing additional but non-conflicting breach notification requirements must comply with those requirements as well.