Part two of a two-part series.
The government took another step last week toward closing a legal loophole in federal privacy and security rules for emerging Health 2.0 information technology applications by issuing proposed rules aimed at covering an estimated 900 companies and organizations offering personal health records and electronic systems connected to them.
The Federal Trade Commission was careful to point out that its new proposed rule on federal breach notification requirements for the developers of electronic PHR systems does not apply to covered entities or their business associates as defined by the Health Insurance Portability and Accountability Act of 1996, until now the key federal health privacy and security regulation. The FTC, operating under new authority given it by the American Recovery and Reinvestment Act of 2009, noted that its new rule seeks to cover previously unregulated entities that are part of the Health 2.0 product mix.
FTC staff estimates that about 200 PHR vendors, another 500 related entities and 200 third-party service providers will be subject to the new breach notification rule. The staffers estimate that the 900 affected companies and organizations, on average, will experience 11 breaches each per year at a total cost of about $1 million per group, per year. Costs include investigating the breach, notifying consumers and establishing toll-free numbers for explaining the breaches and providing additional information to consumers.
Pam Dixon, founder and executive director of the World Privacy Forum, said that this isn't the first involvement of the FTC in healthcare-related regulation, noting the consumer protection agency joined with the Food and Drug Administration in a joint statement on the marketing of direct-to-consumer genetic tests. The FTC also has worked in the field of healthcare competition. She noted that the compliance deadline for the FTC's "red flag rules," which apply to provider organizations that extend consumer credit to patients for installment payments on their medical bills, also falls on May 1. With healthcare IT specifically, however, the main thrust of the FTC's work thus far has been medical identity theft. That is about to change.
"I think as companies are starting to move toward monetizing medical data, or moving in that direction, the regulation is moving to the FTC," Dixon said. HHS and the CMS, which have regulatory authority over the HIPAA privacy and security rules, respectively, have often been criticized by privacy advocates for the laxity of their approach. In comparison, if past practice is any guide, the FTC will be a far more aggressive enforcer than either HHS or the CMS, which could be a shock to the healthcare system, according to Dixon.
"I think the healthcare industry is not used to the FTC," Dixon said. "They bring a lot of enforcement actions. They're a very active agency, and healthcare may not be accustomed to this, but that doesn't mean they are wrong in their approach."
The federal regulation of electronic health records by covered groups under HIPAA will remain the province of HHS and the CMS, Dixon said, but with the FTC getting into regulation of non-HIPAA organizations, "I think the message is clear, that medical data is going to be regulated one way or the other. And I support that."
Many states followed California's lead in 2003 and passed laws requiring some form of notification to affected persons in the event of a data breach, including breaches of healthcare information. The stimulus law adds a federal breach-notification requirement to the mix.
The stimulus act says vendors of PHR systems must notify the FTC and "each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security."