This article was co-authored by Shane M. Duer, an associate at Nelson Mullins.
Although the HIPAA privacy and security rules went into effect in 2003 and 2005, it was not until 2009 that Congress directed the U.S. Department of Health and Human Services to create the HIPAA Breach Notification Rule, which outlines the breach reporting obligations of HIPAA-covered entities and business associates that are found to have impermissibly used or disclosed patients’ protected health information.
However, because HIPAA applies only to PHI maintained by covered entities and business associates, it does not protect all individually identifiable health-related information. Recognizing the need to safeguard health information outside the scope of HIPAA and to strengthen privacy and security protections for health information processed by a growing number of personal health record (PHR) providers and related companies, Congress separately directed the Federal Trade Commission to issue the Health Breach Notification Rule.
In 2009, a PHR was widely understood to be a patient-owned and patient-controlled repository of health information, including records created by different providers and by the patient. The rule defines a PHR as an electronic record of an individual’s “PHR identifiable health information” (PHR IHI) that can be drawn from multiple sources and is managed, shared and controlled by or primarily for the individual.
The rule requires PHR providers, PHR-related entities, and third-party service providers (similar to HIPAA business associates) to report any “security breach” of PHR IHI, which occurs when an individual’s PHR IHI is acquired without the authorization of the individual.
After discovering a breach, the provider or entity must notify the FTC and each individual whose PHR IHI was acquired by an unauthorized person. Similar to HIPAA business associate breach notification obligations, third-party service providers must notify the PHR provider or PHR-related entity of a security breach, including the identity of each customer whose unsecured PHR IHI was, or is reasonably believed to have been, acquired as a result of the breach.
How and when to report a breach
Reporting timelines and notification methods generally mirror those of the HIPAA Breach Notification Rule. Under the rule, all breach notices must be sent without unreasonable delay and in no case more than 60 days after the breach is discovered.
Written notification must be sent by first class mail or email to each individual whose PHR IHI was acquired by an unauthorized person. If the contact information for 10 or more people is out of date, the entity may provide substitute notice by posting prominently on the home page of its website for 90 days or by posting in major print or broadcast media. The substitute notice must include a toll-free telephone number that individuals can call to determine if their PHR IHI was included in the breach.
Security breaches involving the PHR IHI of 500 or more individuals within a state or jurisdiction must be reported to the FTC within 10 business days (much sooner than HIPAA’s 60-day requirement) as well as to prominent media outlets serving the state or jurisdiction (no reporting deadline is specified for the media notice).
If a breach involves the records of fewer than 500 individuals, entities may maintain a log of all such breaches for a calendar year and submit the log to the FTC within 60 days of the end of the year in which the breaches occurred.
Potential impact of proposed changes
Unlike the HIPAA Breach Notification Rule, which has been enforced with increasing frequency since its inception, not a single enforcement action was brought under the rule until February 2023. Three months later, in response to the growing prevalence of mobile health and wellness apps and direct-to-consumer health technologies, most of which are not subject to HIPAA, the FTC proposed numerous significant changes to the rule to clarify that it applies directly to such apps and technologies.
By creating new definitions and revising others, the proposed rule addresses health and wellness technology companies operating outside of HIPAA and qualitatively expands the scope of what constitutes a PHR or PHR provider well beyond the original conception of a PHR as a patient-controlled repository of health information. The following are important features of the proposed rule.
Application to health applications and similar technologies not covered by HIPAA. The proposed rule adds a definition of “health care provider” to include an “entity that provides health care services or supplies.”
Such services or supplies would include “any online service, such as a website, mobile application or Internet-connected device that provides mechanisms for tracking diseases, health conditions, diagnoses or diagnostic tests, treatments, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet or that provides other health-related services or tools.”
Under these new definitions, health and wellness app developers would be considered “healthcare providers,” which would subject them to the rule and make them analogous to health care providers who are HIPAA-covered entities. Similarly, mobile health apps would be PHRs and app developers would become PHR providers. As a result, these entities would be subject to regulatory enforcement in the event of a security breach. Because of the broad definition of “health care services or supplies,” the rule would protect a much broader range of health-related information than PHI.
The scope of conduct that can be considered a “security breach” is extraordinarily broad. As defined by the rule, a security breach is an acquisition of PHR IHI without the individual’s authorization. This is problematic because the FTC does not define what constitutes an individual’s authorization.
Unlike HIPAA, which specifies what uses and disclosures of PHI are permitted or required without authorization, the limited circumstances under which an individual’s authorization is required to use or disclose his or her PHI, and the required content of an authorization, the proposed rule would require an individual’s authorization whenever the use of PHR IHI is inconsistent with “the entity’s disclosures and the individuals’ reasonable expectations.”
Health technology companies must guess whether such authorizations must be in writing, require an individual to do more than click a button indicating their agreement, or contain electronic signatures; how long such authorizations must be maintained; and whether entities should enter into business associate-type agreements or audit third parties with whom they share PHR IHI to ensure that PHR IHI is not used in a manner inconsistent with the entity’s disclosures and the reasonable expectations of individuals.
Additionally, unlike HIPAA, the proposed rule does not recognize de-identification of PHR IHI as a legitimate way to prevent a security breach, nor does it provide exceptions to what constitutes a “security breach” or a risk assessment framework to help entities determine whether an incident rises to the level of a reportable security breach.
Effect on technology companies and consumers
Before issuing the proposed rule, the FTC had already begun taking enforcement actions against health app developers and other entities under the rule. If finalized, the proposed changes would eliminate any prior uncertainty about whether the rule applies to such entities and would dramatically increase the likelihood that a use or disclosure of consumer health-related information for which a specific individual authorization was not obtained constitutes a security breach that requires notification and potentially results in enforcement action.
At the same time, the FTC’s proposed updates create substantial uncertainty for health and wellness technology companies. Guidance on some or all of these concepts in a final rule would likely allow such companies to focus on identifying what health-related information they maintain and use and how to appropriately protect that information from improper use or disclosure.
In the absence of such guidance, organizations covered by the rule may believe that they are required to (and may) issue breach notices in a wide range of circumstances in which they should not reasonably be required to do so. This could be costly and time-consuming for covered entities and cause “breach fatigue” for consumers. In any case, companies that process consumer health information should view the proposed amendments as a warning of increased enforcement of the rule in the future.
Consumers, on the other hand, may feel safer sharing their health-related information with health and wellness technologies because of the increased regulatory scrutiny. Despite the potential for “breach fatigue,” an expanded rule combined with greater enforcement should lead to greater consumer protection. Both health technology companies and consumers will have to wait for the final rule, which is expected to be issued in the coming months, to better understand what its application will look like.
Trish Markus is a partner at Nelson Mullins. She represents healthcare providers and technology companies in regulatory compliance, reimbursement, licensing and operations matters, with a focus on privacy and security.