Getty Images

FTC Seeks Comment on Breach Notification Rule for Health Data

Stakeholders are being asked to provide comment on the FTC’s breach notification rule, which requires vendors not covered by HIPAA to inform consumers and the FTC of breaches with 60 days.

The Federal Trade Commission is seeking comment from industry stakeholders on breach notification requirements for entities that collect personally identifiable health information but aren’t covered by HIPAA regulations.

As noted by a host of others in the past, including the Department of Health and Human Services, third-party apps chosen by patients are not typically covered by HIPAA.

Instead, the FTC’s breach notification rule, enacted in 2009, requires vendors and related entities not covered by the privacy regulation to inform individuals, the FTC, and the media, in some cases, of breaches of unsecured personally identifiable health data.

HIPAA and the FTC’s breach notification rule requires notifications to occur within 60 days of discovering the breach, and if more than 500 individuals, the FTC must be notified within 10 days.

“[The rule] created certain protections for ‘personal health records’ or ‘PHRs,’ electronic records of identifiable health information that can be drawn from multiple sources and that are managed, shared, and controlled by or primarily for the individual,” FTC officials explained.

“Specifically, the Recovery Act recognized that vendors of personal health records and PHR related entities… were collecting consumers’ health information but were not subject to the privacy and security requirements of HIPAA,” they continued. “The [rule requires] these entities, and their third-party service providers, to provide notification of any breach of unsecured individually identifiable health information.”

The FTC is currently reviewing its Health Breach Notification rule as part of an overall periodic review to ensure the agency “keeps pace with changes in the economy, technology, and business models.” Reviews typically occur every 10 years and includes standard questions around the effectiveness and potential benefits.

The FTC is also reviewing whether the rule itself should be retained, changed, or eliminated and requested stakeholders to provide comment on key issues posed by the rule, such as whether it has resulted in “under-notification, over-notification, or an efficient level of notification.”

Industry leaders can also provide feedback on whether there’s a need to modify the rule to reflect legal, economic, and technological changes, as well as whether the timing requirements and breach reporting methods are adequate. Further, the FTC is asking for insights into possible conflicts between the rule and state, local, or other federal regulations.

The FTC is also seeking insights into enforcement implications “raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platform health tools,” along with potential ways the rule should address developments in healthcare products or services tied to COVID-19.

Stakeholders were also asked whether they feel there’s a continuing need for specific provisions of the rule, as well as needed benefits for consumers and evidence to support those asserted benefits. The FTC also requested insights on potentially significant costs imposed on consumers, caused by the rule.

Notably, the agency would also like feedback into whether the rule benefits or hinders the harmonization of the rule with HIPAA, as well as if the rule indeed “accomplishes the Recovery Act’s goal of advancing the use of health information technology while strengthening the privacy and security protections for health information.”

Industry stakeholders will have 90 days to review the request for comment, which will be posted in the Federal Register.

Next Steps

Dig Deeper on Health data access & privacy