Last August, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) issued complementary final rules mandating notification of breaches involving unsecured personal health information as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The two security breach notification rules dramatically expand data security compliance obligations, not only for traditional HIPAA-covered entities like health insurers, but also for a broad array of other organizations.
Under the HHS and FTC rules, HIPAA-covered entities like health care providers and health plans, as well as vendors of personal health records (PHR's) and related entities that interface with PHR's, must promptly notify affected individuals, the HHS and FTC (as applicable) and, in some cases, major media outlets, upon discovering a breach involving the unauthorized acquisition of personally identifiable health information. Business associates of HIPAA-covered entities and third-party service providers of PHR vendors and PHR related entities must promptly notify these organizations so they can comply with their own notice requirements in a timely fashion.
The HHS security breach notification rule applies to HIPAA-covered entities and business associates, while the FTC rule applies to domestic and foreign PHR vendors, PHR-related entities and third-party service providers which are not subject to the HHS rule. For example, the FTC rule would cover a bank that offers products or services through a PHR vendor's website as well as a life insurance company that accessed information in a PHR or sent information to a PHR.
Under the FTC security breach notification rule, a PHR is defined as an electronic record of individually identifiable health information on an individual that is managed, shared or controlled by or primarily for the individual. PHR related entities are those that offer products or services through a PHR vendor's website, offer products or services through the websites of HIPAA-covered entities that offer PHR's of individuals, or access information in a PHR or send information to a PHR. This expansive definition includes everything from Google Health to personal fitness management sites and any other Web-based application or business with a Web presence that accesses, or exports information to PHR's or even advertises on the sites of entities offering PHR's. The requirements applicable to service providers of PHR vendors and PHR related entities widen the compliance net still further. Indeed, the FTC rule applies to entities like non-profit organizations that previously did not fall within the FTC's jurisdiction.
Data security breach definitions
Under the HHS rule, subject to certain exceptions, a breach is defined as the unauthorized acquisition, access, use or disclosure of protected health information (PHI) in a manner that violates the HIPAA Privacy Rule. The FTC rule defines a security breach as the unauthorized acquisition of an individual's unsecured PHR-identifiable health information. The HIPAA breach notification rule from HHS, however, provides that an unauthorized use or disclosure of PHI is a breach only if it "poses a significant risk of financial, reputational, or other harm to the individual." This triggers the need for a risk assessment considering certain factors prescribed by the HHS (among others), including: the type, amount and sensitivity of PHI involved, the identity of the unauthorized user or recipient of the PHI, immediate mitigating steps taken by the covered entity, and whether improper access of improperly disclosed PHI took place.
On the other hand, the FTC rule presumes that unauthorized acquisition of PHR information will result from improper access, unless the covered entity rebuts this presumption with "reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information." Despite this opportunity for rebuttal, covered entities should consider the threshold for notification under the FTC rule lower, and the need for notification more automatic, than under the HHS rule.
The security breach notification requirements in the both the HHS and FTC rules apply only to breaches involving unsecured data. Unsecured data is data that has not been protected through the use of a technology or methodology specified by HHS to render the information "unusable, unreadable, or indecipherable to unauthorized individuals." Accordingly, the HHS interim final regulation document includes updated guidance on what encryption technologies and other methodologies qualify for this safe harbor from the notification requirements.
Security breach notification deadlines
Generally, under both the HHS and FTC rules, notification of affected individuals must take place without reasonable delay (but no later than 60 days) following discovery of a breach of unsecured health information. Notifications to individuals under both rules must be in plain language (i.e., not legalese) and must include a brief description of the breach event, the specific health information involved and protective measures the affected individuals should take. If a breach involves 500 or more individuals, HHS and the FTC, as applicable in each situation, must also be notified (within 10 business days of discovery, in the case of the FTC, and contemporaneously with the notice to individuals, for the HHS). If the breach involves fewer than 500 people, notifications to the regulatory agencies are to be made on an annual basis. Notifications to the FTC must be made using a form and pursuant to instructions on the FTC website.
Under both the HHS and FTC rules, prominent media outlets serving the jurisdictions where the affected individuals are located must also be notified if a breach involves 500 or more people. Violations of the breach notification rules are sanctionable by enforcement proceedings, fines and penalties. Of particular note for financial services organizations, violations of the FTC breach notification rule are considered unfair or deceptive acts or practices under the FTC Act. Banking regulators, not the FTC, have typically been the ones to sanction financial firms for unfair and deceptive practices in advertising.
The timing of the "discovery" of a breach under both security breach notification rules presents a compliance issue that requires careful management of business associates and third-party service providers. According to the HHS rule, a breach is discovered on the first day it is known, or would have been known through reasonable diligence, to a "workforce member or agent" of a HIPAA-covered entity (or an "employee, officer, or other agent" of a business associate).
The FTC rule takes the same approach: a PHR vendor, PHR related entity or third-party service provider will be deemed to know about and to have discovered a breach on the first day it is known, or "reasonably should have been known," to an "employee, officer, or other agent" of the vendor, PHR related entity or third-party service provider. Workforce members, employees and agents can include low-level or temporary personnel as well as contractors, and this, together with the fact that such persons will be deemed to actually know whatever they "should have known," creates a very real possibility that a regulatory notification requirement may be triggered, and start the clock running, long before senior management finds out about the breach (if they find out about it at all).
Accordingly, organizations subject to these rules need to make sure their information security programs contain early warning systems so all data breaches and suspicious circumstances must be immediately reported up the chain to designated employees. All employees and on-site contractors must be trained and retrained in this policy periodically (the HHS guidance particularly stresses the importance of training). The emphasis on reporting suspicious circumstances -- for example, unusual database usage patterns -- is key, since "discovery" does not require actual knowledge of a breach, but only the existence of information that should put workforce members on alert.
Expanded data security compliance requirements
The HHS and FTC security breach notification rules represent a significant extension of data security compliance obligations, in the latter case to a broad category of organizations that have not come within the HIPAA security framework. Since the financial costs of investigating a data breach and notifying affected individuals can be significant, and the requirement to notify the media of breaches involving 500 or more people is sure to generate adverse publicity, organizations subject to either of these rules should evaluate whether or not business necessity dictates holding large amounts of unencrypted personally identifiable health information. For example, de-identifying the data, destroying it so that it cannot be read or reconstructed, or securing it through an encryption method approved by the HHS will remove the data from the rules' coverage.
If this is not practical, organizations subject to the rules should implement and test a data breach incident response plan and have a written information security program in which all employees and on-site contractors with potential access to personal health information are regularly trained. Regulated financial institutions are already required by applicable guidance and industry best practices to maintain these safeguards, but whereas such measures may have previously focused on personally identifiable financial information of consumers and customers, they now must be expanded and adapted to cover health information and the specific requirements of the HHS and FTC breach notification rules.
Lastly, agreements with business associates and third-party service providers should be updated, to require strict compliance with the notification and timing requirements of the HHS and FTC rules. In addition to litigation-related costs, the investigative and notification costs of breaches occurring at third parties, as well as regulatory enforcement costs, should be shifted onto these parties via carefully drafted contractual indemnification clauses.
The proliferation of health care databases and electronic health records holds great promise for cost reduction and advancements in personal health. As is often the case, however, tougher compliance standards and the costs associated with them are the price we pay for progress.
About the author:
Andrew M. Baer is an attorney with extensive experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at firstname.lastname@example.org.