Part two of a two-part series.
The government took another step last week toward closing a legal loophole in federal privacy and security rules for emerging Health 2.0 information technology applications by issuing proposed rules aimed at covering an estimated 900 companies and organizations offering personal health records and electronic systems connected to them.
The Federal Trade Commission was careful to point out its new interim proposed rule on federal breach notification requirements for the developers of electronic PHR systems did not apply to covered organizations or their business associates as defined by the Health Insurance Portability and Accountability Act of 1996, heretofore the key federal privacy and security regulation. The FTC, operating under new authority given it by the American Recovery and Reinvestment Act of 2009, noted that its new rule seeks to cover previously unregulated entities that are part of a Health 2.0 product mix.
FTC staff estimates that about 200 PHR vendors, another 500 related entities and 200 third-party service providers will be subject to the new breach notification rule. The staffers estimate that the 900 affected companies and organizations, on average, will experience 11 breaches each per year at a total cost of about $1 million per group, per year. Costs include investigating the breach, notifying consumers and establishing toll-free numbers for explaining the breaches and providing additional information to consumers.
Pam Dixon, founder and executive director of the World Privacy Forum, said that this isn't the first involvement of the FTC in healthcare-related regulation, noting the consumer protection agency joined with the Food and Drug Administration in a joint statement on the marketing of direct-to-consumer genetic tests. The FTC also has worked in the field of healthcare competition. She noted that the compliance deadline for the FTC's "red flag rules," which apply to provider organizations that extend consumer credit to patients for installment payments on their medical bills, is also due to go into effect May 1. With healthcare IT specifically, however, the main thrust of the FTC thus far has been medical identity theft. That is about to change.
"I think as companies are starting to move toward monetizing medical data, or moving in that direction, the regulation is moving to the FTC," Dixon said. HHS and the CMS, which have regulatory authority over the HIPAA privacy and security rules, respectively, have often been criticized by privacy advocates for the laxity of their approach. In comparison, if past practice is any guide, the FTC will be a far more aggressive enforcer than either HHS or the CMS, which could be a shock to the healthcare system, according to Dixon.
"I think the healthcare industry is not used to the FTC," Dixon said. "They bring a lot of enforcement actions. They're a very active agency, and healthcare may not be accustomed to this, but that doesn't mean they are wrong in their approach."
The federal regulation of electronic health records by covered groups under HIPAA will remain the province of HHS and the CMS, Dixon said, but with the FTC getting into regulation of non-HIPAA organizations, "I think the message is clear, that medical data is going to be regulated one way or the other. And I support that."
Many states followed California's lead in 2003 and passed laws requiring some form of notification to affected persons in the event of a data breach, which includes healthcare information. The stimulus law adds a federal breach-notification requirement to the mix.
The stimulus act says vendors of PHR systems must notify the FTC and "each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security."
The law also seeks to place vendors of certain PHR systems contracted for by providers, payers and other so-called "covered entities" under the security and privacy rules promulgated in accordance with HIPAA. The stimulus act seeks to make vendors of PHRs subject to HIPAA privacy and security rule coverage by requiring that they sign business associate contracts with covered entities, if the PHR vendor "contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record."
Technology giants Microsoft Corp. and Google both offer PHR platforms, but neither has affirmed that the HIPAA/business associate privacy and security provisions in the new law apply to them.
In March, a Microsoft spokesman said that the company was studying the matter; also that month, a Google representative said that the stimulus act provision did not apply to its PHR offering.
Google spokeswoman Missy Krasner said in an e-mail that the company was reviewing the FTC definitions and had no formal comment at this time. A Microsoft public relations representative said the company was working to arrange an interview with a Microsoft official.
Dixon said that as far as PHRs and the FTC breach notification rule is concerned, "I think this touches them, quite definitively. They can wiggle all they want, but they’re in. This rulemaking is very thoughtful and clear on that."