FTC Wants Feedback on Requiring Non-HIPAA Covered Entities to Comply With the Breach Notification Rule

The U.S. Federal Trade Commission (FTC) is seeking comments on its breach notification requirements for non-HIPAA-covered entities that collect personally identifiable health data.

In 2009, the FTC issued the Health Breach Notification Rule under the American Recovery and Reinvestment Act (ARRA). The rule took effect on August 22, 2010, but the FTC started its enforcement activities on February 22, 2010.

Under the Health Insurance Portability and Accountability Act (HIPAA), any healthcare data created, stored, or transmitted by covered entities, which include healthcare organizations, health plans, healthcare clearinghouses, and business associates of covered entities, is treated as protected health information (PHI).

The FTC’s Health Breach Notification Rule applies to personal health records (PHRs), i.e., electronic records containing personally identifiable health information that are maintained, shared, and managed by or primarily for a specific individual. The rule covers PHR vendors and PHR-related entities, which are organizations that transmit information to PHRs, offer products and services through PHR sites, or access particular information in PHRs.

All entities covered by the FTC’s Health Breach Notification Rule must issue breach notification letters to the FTC and to affected individuals without unreasonable delay and no later than 60 days after discovering the breach. If 500 or more people are affected, the FTC must be notified within 10 days of discovery. A service provider that experiences a breach must notify the PHR company. The FTC website publishes details of data breaches that affected 500 or more persons.

The FTC normally reviews its rules every 10 years. In the 10 years since the rule took effect, the FTC has published only 2 breaches on its website, because most breach reports involved fewer than 500 records. The FTC also reports that no enforcement action has been necessary, since the rule applies to only a few entities.

Many PHR vendors and related entities are themselves HIPAA-covered entities or business associates of those entities and must therefore comply with the HIPAA Breach Notification Rule instead. However, the FTC points out that more entities may be covered by its rule.

As more people use direct-to-consumer technologies (such as mobile health applications, virtual assistants, and health devices) to manage their health information and access medical services, more organizations will have to follow the FTC’s regulation.

The COVID-19 pandemic increased the use of many of these communication platforms, as the HHS temporarily stopped penalizing entities that use non-HIPAA-compliant applications to provide telehealth services. The FTC rule may therefore be more relevant today than it was 10 years ago.

The FTC is requesting feedback on a number of questions regarding the effectiveness, merits, and importance of its rule in order to decide what to do next: should it keep the rule as is, discard it, or update it to increase its benefits to consumers?

The Federal Register is accepting feedback for 90 days from the announcement of the rule review. Anyone interested can obtain a copy of the request for public comment on Bloomberg Law.