In addition to PHR vendors, the proposed interim rule also would apply to "PHR-related entities," including companies or organizations not covered under HIPAA. The rule defines three classes of related entities, those that:
- Offer products or services through the Web site of a vendor of personal health records.
- Are not covered entities (as defined by HIPAA) and that offer products or services through the Web sites of covered entities that offer individuals personal health records.
- Are not covered entities and that access information in a personal health record or send information to a personal health record.
The proposed interim rule extensively defines what constitutes notice of a breach. The definition includes first-class mail, e-mail or telephone communications. If 10 or more affected individuals could not be reached by these methods, then a vendor or other PHR-related entity must post a notice of the breach on its Web site or in the print and broadcast media where individuals affected are likely to reside.
Media notices must be accompanied by a toll-free number an individual may call to determine if his or her records were breached. In addition, the media must be contacted if the breach involves 500 or more individuals. Breach notices must include a brief description of how the breach occurred and what type of information was involved, such as whether it involved people's names, Social Security numbers, dates of birth, addresses and account numbers. The required notices also should include what steps individuals might take to prevent harm as a result of the breach and what the PHR vendor or other entity is doing to investigate the breach, prevent further occurrences and mitigate losses.
The notifications must be made within 60 days of learning of the breach.
The FTC document noted that the ARRA authorizes the agency to go beyond its traditional jurisdiction, including regulating not-for-profit PHR providers and "non-profit, third-party service providers."
Dixon said the FTC rule "creates a presumption" that if an unauthorized person has access to personally identifiable healthcare information, that person will have acquired the information. The rule puts the burden on the entity where the breach occurred to rebut the presumption that access is equivalent to acquisition. Rebuttal can be by various means, including reviewing access logs, interviewing employees or performing forensic analysis of the affected computer or system.
"This will really clamp down on internal access control on healthcare data when it is in the hands of these third parties and that is a very good outcome," Dixon said. "Providers are already aware of this and do a pretty good job, but with some of these business associates, this isn't drilled into them."
The rule also extends to breaches of healthcare payment information, such as billing records that contain a person's name and credit card information, even if no other information, such as medical diagnosis or treatment, was compromised. The theft of a PHR member list of an AIDS affinity group was an example the FTC gave to illustrate this point. On the other hand, a breach of adequately de-identified data would not trigger the notification requirement, the FTC said.