On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and business models.”

The Rule, which first went into effect in 2009, applies only to vendors of personal health records (“PHRs”) and other related entities that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”).  A PHR is an electronic record of individually identifiable health information “that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.”  See 16 C.F.R. § 318.2(d).  Under the Rule, PHR vendors and related entities must notify individuals, the FTC, and possibly the media within 60 days after discovering a breach of unsecured personally identifiable health information, or within 10 days if more than 500 individuals are affected by the breach.

Over the past decade, the FTC has not brought an enforcement action under the Rule and has only received two notifications of data breaches involving more than 500 individuals.  According to the FTC’s notice, this lack of enforcement is due to the fact that PHR vendors and related entities are often HIPAA-covered entities or business associates, and therefore subject to HIPAA’s Breach Notification Rule.  However, more entities may fall within the scope of the FTC’s Rule as the PHR market expands to include more direct-to-consumer technologies and services, such as mobile health applications, platform health tools, and virtual assistants.

The FTC’s review includes standard questions about the benefits and effectiveness of the Rule and whether it should be maintained, revised, or eliminated.  In addition, the FTC is soliciting comments regarding:

  • whether there has been under-notification, over-notification, or an appropriate level of notification as a result of the Rule;
  • whether the Rule’s definitions should be updated to account for legal, economic, or technological changes;
  • whether the Rule’s timing requirements and reporting methods are sufficient;
  • the possible enforcement implications related to direct-to-consumer services and technologies; and
  • if and how the Rule should consider COVID-19-related developments in health care products or services.

The FTC will be accepting comments for a period of 90 days after the notice is published in the Federal Register.

Tags: Data Breach, Data Security, Digital Health, FTC, HIPAA Breach Notification Rule, Personal Health Records, PHR
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience…

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Read more about Anna D. KrausEmail
Show more Show less
Photo of Tara Carrier Tara Carrier

Tara Carrier advises clients on a variety of health care compliance matters, including fraud and abuse, health information privacy and compliance with HIPAA, promotion and advertising, market access, pricing and reimbursement activities, and other related areas. She routinely advises on regulatory compliance and…

Tara Carrier advises clients on a variety of health care compliance matters, including fraud and abuse, health information privacy and compliance with HIPAA, promotion and advertising, market access, pricing and reimbursement activities, and other related areas. She routinely advises on regulatory compliance and enforcement risk, commercial transactions, and administrative and legislative policy opportunities. Tara also has experience counseling clients on investigations and compliance matters, including implementing and operating under HHS OIG Corporate Integrity Agreements.

Read more about Tara CarrierEmail
Show more Show less