The Federal Trade Commission has issued a rule that broadens the reach of data breach notification rules covered by the Health Insurance Portability and Accountability Act (HIPAA). The new FTC rule applies to companies that provide an online repository of health information, such as vendors that provide Web-based tools that track and maintain blood pressure readings and other health related data.
Typically, web-based companies that collect health information are not covered under HIPAA. The new FTC rule applies only to these companies and requires vendors of personal health records and their service providers to notify consumers following a data security breach. If the breach involves more than 500 people, the company must give notice to the media, the FTC said.
The FTC said it is attempting to address a new wave of gadgets that enable consumers to upload data into their personal health records on the Internet, such as readings from blood pressure cuffs and pedometers. The rule also covers Web-based tools such as HealthVault and Google Health, as well as websites such as WebMD, which may collect and retain certain health information.
"Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential," the FTC said in a statement issued Monday on the final rule covering breaches of electronic health information.
Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009, which strengthened certain areas within HIPAA. The Commission announced the rule in April and had a public commenting period, which expired in June. The Rule will take effect 30 days after publication in the Federal Register and the FTC said it would begin enforcement 180 days after publication.
Under the final FTC breach notification rule for electronic health information:
- "Breach of Security" is defined as the acquisition of unsecured personal health record identifiable health information of an individual in a personal health record without the authorization of the individual. If the data is encrypted, it is considered secure.
- Upon discovery of a breach of security, vendors of personal health records must promptly notify each affected individual by mail or email, and must also notify the FTC.
- A breach of security is treated as discovered on the first day on which the breach is known, or reasonably should have been known, to the vendor of personal health records. Unless otherwise specified in the rule, companies have up to 60 calendar days to provide notification.
- Law enforcement can delay breach notification if it believes notification would impede an investigation or cause damage to national security.
- If the vendor finds that contact information is out of date for 10 or more individuals, substitute notice may be given by posting on the vendor's website or via major print or broadcast media. The media must be notified if the breach involved 500 or more individuals.
- The FTC must be notified no later than 10 business days after discovery of a breach if the breach involved 500 or more residents of a state or jurisdiction. If the breach involved fewer than 500 individuals, the vendor must keep a log of the breach and report it to the FTC annually.