Section 13407 of the American Recovery and Reinvestment Act of 2009 (ARRA)[1] establishes temporary breach notification requirements for vendors of personal health records (PHRs)[2] and other entities not covered by the Health Insurance Portability and Accountability Act (HIPAA), and grants the FTC authority to issue interim final regulations governing these entities. Similarly, Section 13402 of ARRA imposes a new duty on entities covered by HIPAA and their business associates to provide notification to individuals when there has been a breach of “unsecured” protected health information (PHI). This latter provision applies to all PHI maintained by covered entities or their business associates, including information in PHRs.
With respect to both of these provisions, the term “unsecured” protected health information refers to PHI that is not secured through the use of a technology or methodology specified by the Department of Health and Human Services (HHS) in guidance as rendering the information unusable, unreadable, or indecipherable to unauthorized individuals.[3] HHS has recently issued guidance on this issue (the “HHS Guidance”), on which we have submitted separate comments.[4] Simultaneous with the issuance of the HHS Guidance, HHS published a request for information (RFI) in advance of its rulemaking to implement the breach notification provisions that apply to HIPAA covered entities and their business associates. We have also submitted comments on the RFI.[5]
The breach notification provisions in ARRA accomplish two important goals. First, they provide for individuals to receive notice in certain circumstances when their health information is at risk. Second, they create a powerful incentive for custodians of personal health information to adopt strong privacy and security practices in order to avoid a breach.
It is important to recognize the interaction of the rulemaking process being undertaken by FTC and HHS. FTC will promulgate breach notification rules that apply to PHR vendors and related entities. Breach notification rules promulgated by HHS will apply to HIPAA-covered entities or business associates of such entities. However, the rules to be issued by both HHS and FTC will set breach notification standards for PHRs. To avoid creating confusion for consumers, it is critical that PHRs be subject to consistent rules governing how they store and share consumer data.
Our comments below are mainly directed at achieving this consistent regulatory framework. We understand this issue will be broadly addressed in the forthcoming HHS and FTC privacy and security recommendations for PHRs, but we strongly recommend that HHS and FTC take this early opportunity to align policies and make them meaningful to consumers who must be able to navigate their use of PHRs.
In June 2008, Markle Connecting for Health released the Common Framework for Networked Health Information,[6] outlining consensus privacy and security policies for personal health records and other consumer access services. This framework — which was developed and supported by a diverse and broad group including technology companies, consumer organizations and HIPAA-covered entities[7] — was designed to meet the dual challenges of making personal health information more readily available to consumers, while also protecting it from unfair or harmful practices.
A foundational principle of this work is that a consistent and meaningful set of policies for protecting information in personal health records is desirable for consumers, whether the PHR is offered by a HIPAA-covered entity or not. However, this does not imply that it is appropriate to simply extend HIPAA rules in their current form to uncovered entities supplying PHRs or new health information products.
In summary, we urge FTC to:
- Work with HHS to apply consistent information and breach policies to PHRs in order to provide consumers with a reliable framework of protections;
- Ensure that individuals acting in a personal capacity are not considered to be a PHR related entity;
- Maintain its interpretation of the types of data that constitute PHR identifiable information;
- With respect to whether or not data is “identifiable,” rely on HHS’ Guidance[8] in determining whether data that has been breached is at risk, and acknowledge that the question of identifiability depends on the context;
- Presume that unsecured PHR identifiable information accessed by an unauthorized party has been “acquired”;
- Ensure the breach definition is meaningful to individuals by setting parameters for authorization;
- Protect data in motion as well as at rest (and not just “in the PHR”);
- Add NIST SP 800-66 to the list of potential resources for reasonable security measures;
- With respect to the content of the notice to individuals, adhere to the statutory language and avoid imposing content requirements that could serve as a roadmap for future breaches;
- Clarify which entities are accountable for notifying consumers in the event of breaches that may involve multiple parties;
- Revise the media notice requirements to specifically incorporate new media;
- Clarify timing issues with respect to notice to the FTC of breaches; and
- Support a study of state breach notification provisions to determine whether the new federal provisions conflict with existing state law, and whether state and federal laws will result in individuals receiving duplicate notices.
Finally, we agree with FTC’s determination that the temporary breach notification provisions in ARRA are an expansion of its authority under Section 5 of the Federal Trade Commission (FTC) Act.
[1] Pub. L. 111-5, 123 Stat. 115 (2009).
[2] Defined in the statute as “an electronic record of PHR identifiable health information…on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” Section 13400 of ARRA (emphasis added).
[3] See Section 13402(h)(2) of ARRA.
[4] See Comments on the Health Breach Requirements.
[5] See Comments on the Health Breach RFI.
[6] See Markle Connecting for Health, Common Framework for Networked Health Information.
[7] See list of endorsers of the Markle Connecting for Health Common Framework for Networked Personal Health Information.
[8] “Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under the HITECH Act,” Federal Register, Vol. 74, No. 79, April 27, 2009.