August 31, 2009 01:00 AM

FTC final rule requires quick PHR breach notification

Joseph Conn

The Federal Trade Commission weighed in last week with new rules to protect the privacy and security of personally identifiable healthcare information stored on personal health-record systems offered by companies not covered by federal privacy rules under the Health Insurance Portability and Accountability Act of 1996.

The FTC rulemaking on breach notification by vendors of PHRs comes under the authority of the American Recovery and Reinvestment Act of 2009.

Broadly, the new FTC rule calls for customer notification in the event of a breach of identifiable health information. Notification must occur “without unreasonable delay” but no later than 60 days after the breach is discovered.

The FTC estimates that about 200 PHR vendors, 500 “PHR-related entities” and 200 service providers will be covered by the rule. Of these, the FTC estimated there will be 11 breaches a year that will require notification to an estimated 232,000 PHR customers, with a total cost of compliance at $795,000.

The FTC interim final rule said the stimulus law “recognizes there are new types of Web-based entities that collect consumer's health information,” including “vendors of personal health records and online applications that interact with such” PHRs that additionally “are not subject to the existing privacy and security requirements” of HIPAA.

The stimulus law requires HHS, in consultation with the FTC, to study these entities and submit to Congress recommendations on rules for privacy, security and breach notification by February 2010. Until Congress acts on those recommendations and creates new legislation to regulate these non-HIPAA groups, the stimulus law authorizes the FTC to enforce the “temporary” breach notification requirements spelled out in the law.

The stimulus law gave the FTC 180 days to draft the interim final rule.

The 24-page final rule, initially released Aug. 17 but not officially published in the Federal Register until Aug. 25, implements those requirements. It becomes effective in 30 days. It was a follow-up to an April 20 notice of proposed rulemaking, to which the commission reported it had received about 130 formal comments. A significant portion of the text of the interim final rule addressed those comments.

Generally speaking, notifications regarding breaches of patient information by hospitals, physician offices and other so-called “covered entities” as defined by HIPAA will be covered by the HHS rules, not those produced and enforced by the FTC. The HHS interim final rule was released Aug. 19.

There are circumstances, however, in which businesses associated with covered organizations could be regulated by both the HHS and the FTC breach notification rules, the FTC rule said. In those cases, the FTC said, to avoid possibly confusing consumers with multiple notices for the same breach, the commission determined only one notice was necessary.

For example, “where a vendor of personal health records has direct customers and thus is subject to the FTC's rule, and also provides PHRs to customers of a HIPAA-covered entity through a business associate arrangement, it may be appropriate for the vendor to provide the same notice to all such customers.” The FTC said the breach notice would best serve consumer interests if it came “from the entity with whom the consumer has a direct relationship.”

Thus, the customer of a PHR vendor that is providing services to patients under a business associate agreement with a covered group “may nevertheless deal directly with the PHR vendor in managing his or her PHR account, and would expect any breach notice to come from the PHR vendor,” the FTC said.

When a breach occurs and a PHR vendor has dual sets of customers—those of its PHR service sold directly to individuals and those patients or customers to which the PHR vendor provides services through a contract with a covered group—the FTC said the PHR vendor could comply with the new rule by notifying both its individual customers and the covered entity with which it has a business associate agreement.

Another way the FTC would approve of handling the same situation would be for the PHR vendor to contract with the covered entity for notification services. Then, if the PHR vendor experiences a breach, it would be obliged to notify the covered entity's patients as well as its own direct customers.

The provision takes dead aim at companies that provide PHRs to the public on their own, but that also enter into agreements to provide PHRs to patients of hospitals, physician offices and other HIPAA “covered entities.” For example, the FTC says the rule applies to a health system that facilitates the offer of a PHR from a noncovered entity by placing on the health system's Web sites links to a PHR supplied by a vendor that is not a covered group under HIPAA.

The FTC example apparently describes—without specifically naming them—the arrangements between several high-profile healthcare systems and PHR service providers, such as Microsoft Corp. and Google.

The FTC also attempts to prohibit PHR vendors from covering their legal liabilities under the breach disclosure rule by using broad language in the fine print of their privacy policies. Disclosure by a vendor of consumer information to improve an “individual's experience with their PHR” would be permitted if spelled out in a privacy policy “as long as such use is consistent with the entity's disclosures and individual's reasonable expectations.” For example, communication of information to the consumer, or disclosures for data processing and Web design, are permissible, the FTC rule said.

But beyond such routine administrative uses, the commission warned that PHR vendors and their “related entities” should limit the sharing of consumers' information, “unless consumers exercised meaningful choice in consenting to such sharing.”

“Buried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice,’” the FTC rule said.
