FTC Proposed Rule for Breach Notification Requirements:
On April 16, 2009, the Federal Trade Commission (“FTC”) issued a proposed rule (the “Proposed Rule”) that requires vendors of personal health records, PHR related entities and third party service providers to make notifications and take certain additional actions following the discovery of a breach of security of unsecured “PHR identifiable health information” in a personal health record. The Proposed Rule was issued pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) portion of the American Recovery and Reinvestment Act of 2009 (“ARRA”) signed into law earlier this year. The FTC is seeking comments on the Proposed Rule by June 1, 2009. Once finalized, the rule will be in effect until Congress enacts legislation adopting permanent notification requirements.
Under the Proposed Rule, a “personal health record” is an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. “PHR identifiable health information” is “individually identifiable health information” (as defined by HIPAA) and, with respect to an individual, information that is provided by or on behalf of the individual and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. A “vendor of personal health records” is an entity (other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity) that offers or maintains a personal health record. A “PHR related entity” is an entity (other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity) that (1) offers products or services through the website of a vendor of personal health records; (2) offers products or services through the websites of HIPAA-covered entities that offer individuals personal health records; or (3) accesses information in a personal health record or sends information to a personal health record. Examples of PHR related entities include a web-based application that helps consumers manage medications; a website offering an online personalized health checklist; a brick-and-mortar company advertising dietary supplements online; online applications through which individuals connect their blood pressure cuffs, blood glucose monitors, or other devices so that the results can be tracked through their personal health records; and an online medication or weight tracking program that pulls information from a personal health record.
A “third party service provider” is an entity that (1) provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity, and (2) accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services. Examples of third party service providers include entities that provide billing or data storage services to vendors of personal health records or PHR related entities.
The Proposed Rule states that upon discovery of a “breach of security” (i.e., when unsecured PHR identifiable health information in a personal health record is acquired by an unauthorized person) a vendor of personal health records or PHR related entity must notify the applicable consumer(s) of the breach “without unreasonable delay” and in no event later than 60 days after discovery. A third party service provider must instead inform a “senior official” at the vendor of personal health records or PHR related entity within that same time frame, and must obtain acknowledgement from the senior official that the notice was received. For breaches that involve more than 500 consumers, vendors of personal health records and PHR related entities must also notify media outlets serving the applicable state or jurisdiction, and the FTC. Such notification to the FTC must be made “as soon as possible” and not later than five days after the discovery of the breach. The rule also sets forth requirements regarding the content of a notice provided under the Proposed Rule.
The Proposed Rule applies only to “unsecured” information. Unsecured information does not include information that is protected through the use of a technology or methodology to render protected health information unusable, unreadable or indecipherable to unauthorized users as specified in the guidance issued by the Department of Health and Human Services (HHS) (as discussed in detail below). The Proposed Rule creates a presumption that unauthorized persons have acquired information if the unauthorized persons have access to it. This presumption can be rebutted by reliable evidence showing the information was not or could not reasonably have been acquired.
The Proposed Rule does not apply to HIPAA-covered entities, or to any other entity to the extent the entity is engaging in activities as a business associate. Covered entities and business associates are subject to substantially similar requirements that are set forth in the HITECH Act.
The Proposed Rule was published in the Federal Register on April 20, 2009, and is available here.
HHS Technical Guidance on Securing Protected Health Information:
HHS has proposed technical guidance (the “HHS Guidance”) pursuant to the HITECH Act specifying what technologies and methods will render protected health information unusable, unreadable or indecipherable to unauthorized users. The HHS Guidance is important for vendors of personal health records, PHR related entities and third party service providers because the FTC breach notification requirements described in the Proposed Rule apply only with respect to “unsecured” information, which will not include information that has been secured in accordance with the methods and technologies specified in the HHS Guidance. In addition to entities subject to the Proposed Rule, the HHS Guidance applies to HIPAA covered entities and business associates in connection with the breach notification requirements applicable to them as set forth in the HITECH Act.
HHS notes that while entities are not required to use the methods and technologies specified to protect PHI, use of these methods and technologies is the functional equivalent of a “safe harbor” for compliance with the breach notification requirements. The HHS Guidance identifies encryption and destruction as the two means for protecting PHI. The specified methodologies are as follows:
Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:
(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” and such confidential process or key that might enable decryption has not been breached. Encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard. (i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices. (ii) Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140–2. These include, as appropriate, standards described in NIST Special Publications 800–52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800–77, Guide to IPsec VPNs; or 800–113, Guide to SSL VPNs, and may include others which are FIPS 140–2 validated.
(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways: (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. (ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
74 Fed. Reg. 19006, 19009-19010 (April 27, 2009) (footnotes omitted).
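The two moving parts above, the encryption safe harbor in paragraph (a) and the notification timeline of the Proposed Rule (60 days to affected consumers or to a senior official, five days to the FTC when more than 500 consumers are involved), fit together in a single incident-triage decision. The following Go program is an added illustration, not code from the FTC, HHS, or the page's author. It assumes AES-256-GCM from the Go standard library as a stand-in for the storage encryption the guidance describes (a FIPS 140-2 validated module is what the guidance actually contemplates, and this code is not one), and the type and function names (`EncryptAtRest`, `BreachFacts`, `Assess`) are the author's own. The record text is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"time"
)

// EncryptAtRest seals one PHR record with AES-256-GCM, prepending the nonce.
// Without the key the output carries no recoverable meaning, which is the
// property the safe harbor in paragraph (a) relies on. Illustration only:
// not a FIPS 140-2 validated module.
func EncryptAtRest(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAtRest reverses EncryptAtRest. A wrong key or a tampered blob fails
// authentication instead of producing plausible-looking garbage.
func DecryptAtRest(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// BreachFacts is what the responder has established about the incident.
type BreachFacts struct {
	Discovered           time.Time
	EncryptedPerGuidance bool // stored only in a form like EncryptAtRest's output
	KeyCompromised       bool // the confidential key or process was also breached
	Consumers            int
	ThirdPartyProvider   bool // the breached entity is a third party service provider
}

// Obligations summarises the duties the Proposed Rule attaches to the facts.
type Obligations struct {
	Unsecured   bool      // false: safe harbor applies, no notice required
	NoticeTo    string    // consumers, or the senior official for a service provider
	NoticeBy    time.Time // outer limit; "without unreasonable delay" is the standard
	MediaAndFTC bool      // more than 500 consumers: media outlets and the FTC as well
	FTCNoticeBy time.Time // outer limit for the FTC notice
}

// Assess applies the rule: information is "unsecured" unless it was encrypted
// per the guidance AND the key survived the incident intact.
func Assess(f BreachFacts) Obligations {
	o := Obligations{Unsecured: !f.EncryptedPerGuidance || f.KeyCompromised}
	if !o.Unsecured {
		return o
	}
	o.NoticeBy = f.Discovered.AddDate(0, 0, 60)
	if f.ThirdPartyProvider {
		o.NoticeTo = "senior official at the vendor or PHR related entity (obtain acknowledgement)"
		return o
	}
	o.NoticeTo = "affected consumers"
	if f.Consumers > 500 {
		o.MediaAndFTC = true
		o.FTCNoticeBy = f.Discovered.AddDate(0, 0, 5)
	}
	return o
}

func main() {
	key := make([]byte, 32) // in production this lives in a separate key store
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := EncryptAtRest(key, []byte("constructed record: patient 0001, A1c 6.1%"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext bytes: %d\n", len(blob))
	d := time.Date(2009, time.May, 1, 0, 0, 0, 0, time.UTC)
	fmt.Printf("%+v\n", Assess(BreachFacts{Discovered: d, EncryptedPerGuidance: true, Consumers: 1200}))
	fmt.Printf("%+v\n", Assess(BreachFacts{Discovered: d, EncryptedPerGuidance: true, KeyCompromised: true, Consumers: 1200}))
}
```

The two `Assess` calls in `main` differ only in whether the key was compromised; the first falls inside the safe harbor and produces no duties, the second is treated as an unsecured breach of more than 500 consumers and yields both the 60-day consumer deadline and the five-day FTC deadline. The lesson for storage design is that the safe harbor is only as good as key separation: a backup that ships the key alongside the ciphertext is, for notification purposes, unencrypted.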
As this is intended to be an exhaustive (and not merely illustrative) list of acceptable protection technologies and methods, HHS is seeking comment to identify additional means of protection that should be included on the list. Additionally, HHS is seeking comment on any other aspects of the breach notification requirements that apply to covered entities and business associates as it prepares to publish interim final regulations regarding such breach notification requirements in compliance with the HITECH Act. The HHS Guidance will apply to breaches 30 days after publication of those interim final regulations. The deadline for comment is May 21, 2009.
The HHS Guidance was published in the Federal Register on April 27, 2009, and is available through the HHS Office for Civil Rights web site and here.