Broadly, the new FTC rule calls for customer notification in the event of a breach of identifiable health information. Notification must occur “without unreasonable delay” but no later than 60 days after the breach is discovered.
The FTC estimates that about 200 PHR vendors, 500 “PHR-related entities” and 200 service providers will be covered by the rule. Of these, the FTC estimated there will be 11 breaches a year that will require notification to an estimated 232,000 PHR customers, with a total cost of compliance at $795,000.
The FTC interim final rule said the stimulus law “recognizes there are new types of Web-based entities that collect consumer's health information,” including “vendors of personal health records and online applications that interact with such” PHRs that additionally “are not subject to the existing privacy and security requirements” of HIPAA.
The stimulus law requires HHS, in consultation with the FTC, to study these entities and submit to Congress recommendations on rules for privacy, security and breach notification by February 2010. Until Congress acts on those recommendations and creates new legislation to regulate these non-HIPAA groups, the stimulus law authorizes the FTC to enforce those “temporary” breach notification requirements spelled out in the law.
The stimulus law gave the FTC 180 days to draft the interim final rule.
The 24-page final rule, initially released Aug. 17 but not officially published in the Federal Register until Aug. 25, implements those requirements. It becomes effective in 30 days. It was a follow-up to an April 20 notice of proposed rulemaking to which the commission reported it had received about 130 formal comments. A significant portion of the text of the interim final rule addressed those comments.
Generally speaking, notifications regarding breaches of patient information by hospitals, physician offices and other so-called “covered entities” as defined by HIPAA will be covered by the HHS rules, not those produced and enforced by the FTC. The HHS interim final rule was released Aug. 19.
There are circumstances, however, with businesses associated with covered organizations, where they could be regulated by both the HHS and the FTC breach notification rules, the FTC rule said. In those cases, the FTC said, to avoid possibly confusing consumers with multiple notices for the same breach, the commission determined only one notice was necessary.
For example, “where a vendor of personal health records has direct customers and thus is subject to the FTC's rule, and also provides PHRs to customers of a HIPAA-covered entity through a business associate arrangement, it may be appropriate for the vendor to provide the same notice to all such customers.” The FTC said the breach notice would best serve consumer interests if it came “from the entity with whom the consumer has a direct relationship.”
Thus, the customer of a PHR vendor that is providing services to patients under a business associate agreement with a covered group “may nevertheless deal directly with the PHR vendor in managing his or her PHR account, and would expect any breach notice to come from the PHR vendor,” the FTC said.
When a breach occurs and a PHR vendor has dual sets of customers—those of its PHR service sold directly to individuals and those patients or customers to which the PHR vendor provides services through a contract with a covered group—the FTC said the PHR vendor could comply with the new rule by notifying both its individual customers and the covered entity with which it has a business associate agreement.
Another way the FTC would approve of handling the same situation would be for the PHR vendor to contract with the covered entity for notification services. Then, if the PHR vendor experiences a breach, it would be obliged to notify the covered entity's patients as well as its own direct customers.
The provision takes dead aim at companies that provide PHRs to the public on their own, but that also enter into agreements to provide PHRs to patients of hospitals, physician offices and other HIPAA “covered entities.” For example, the FTC says the rule applies to a health system that facilitates the offer of a PHR from a noncovered entity by placing links on the health system's Web sites to the PHR supplied by a vendor that is not a covered group under HIPAA.
The FTC example apparently describes—without specifically naming them—the arrangements between several high-profile healthcare systems and PHR service providers, such as Microsoft Corp. and Google.
The FTC also attempts to prohibit PHR vendors from covering their legal liabilities under the breach disclosure rule by using broad language in the fine print of their privacy policies. Disclosure by a vendor of consumer information to improve an “individual's experience with their PHR” would be permitted if spelled out in a privacy policy “as long as such use is consistent with the entity's disclosures and individual's reasonable expectations.” For example, communication of information to the consumer, or disclosures for data processing and Web design are permissible, the FTC rule said.
But beyond such routine administrative uses, the commission warned that PHR vendors and their “related entities” should limit the sharing of consumers' information, “unless consumers exercised meaningful choice in consenting to such sharing.”
“Buried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice,’” the FTC rule said.