FTC Issues Proposed Rule Addressing Data Breaches of Electronic Health Information — Broad Range of Companies Likely Affected

On April 16, 2009, the Federal Trade Commission (FTC) announced that it is soliciting comments on a proposed rule that would require entities to notify consumers when their electronic health information has been subject to a data breach. As with the FTC’s Red Flag rules, a consideration of the present text is the potentially broad range of companies that may be unaware of how the rule regulates them. Comments are due to the FTC by June 1, 2009.

While the rule will not apply to covered entities or business associates regulated by HIPAA, the draft requirements will directly affect vendors of personal health record (PHR) systems, their related entities, and their “service providers.” The rule’s true impact will be felt by the broadly defined set of “PHR related entities” as this may include a firm that accesses information in a PHR or that markets to consumers through a PHR Web site. Service providers would encompass Web site hosts, data storage services, and billing services. Employers that are not already covered by HIPAA may be swept in if they facilitate employee access to a corporate-sponsored PHR.

The FTC rule would require that PHR vendors and their related entities notify consumers following a data breach. Any service provider supporting a PHR vendor must notify its client in the event of a breach. Similar to existing state breach-notice laws, the proposed rule sets thresholds for triggering the notice requirement as well as parameters for the timing, content, and method of notification. Significantly, the rule also would mandate that the FTC be informed of any breaches.

The FTC’s proposed rule has been issued pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA) signed by President Barack H. Obama in February 2009. Beyond encouraging the development and use of health information technology, the ARRA was intended to strengthen the privacy and security protections for consumers’ health data. While the ARRA directs the U.S. Department of Health & Human Services (HHS) to develop breach-notice rules applicable to covered entities and business associates, the FTC’s jurisdiction will apply to non-HHS regulated entities. (The FTC and HHS are collaborating toward harmonized breach-notice requirements.) 

Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or the following:

Peter F. McLaughlin
Boston, Massachusetts
617.502.3265
[email protected]