FTC Proposes Data Breach Regulations For Personal Health Records, HHS Separately Releases Guidance For HIPAA Covered Entities On New Data Breach Rules

April 17, 2009 at 11:02 pm

The Federal Trade Commission (“FTC”) today (April 17, 2009) proposed rules (the “FTC Regulation”) to implement a federal mandate enacted as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”), signed into law on February 17, 2009, which will require certain vendors and other entities maintaining or interfacing with personal health records (“PHRs”) to notify individuals when the security of their individually identifiable health information is breached.  The FTC Regulation will apply to entities that currently are not health care providers, health plans or health care clearinghouses (“HIPAA Covered Entities”) subject to the privacy and security standards for protected health information (“PHI”) established by the Health Insurance Portability & Accountability Act of 1996 (“HIPAA”).  Interested persons have until June 1, 2009 to review and submit comments on the FTC Regulation.  To review a copy of the FTC Regulation, see http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf.

The FTC Regulation will implement one of two new federal health information data breach notification requirements enacted as part of ARRA.  In ARRA, Congress responded to growing concern about the adequacy of the privacy protections afforded to personal health information and other consumer health information collected, accessed and maintained by various non-HIPAA Covered Entities in online or other electronic applications.  It did so by mandating that the FTC adopt data breach regulations for these non-HIPAA Covered Entities dealing with PHRs while the FTC and the Department of Health & Human Services (“HHS”) simultaneously study and develop more specific recommendations about the protections necessary for this data.  ARRA requires the FTC and HHS to report their joint findings and recommendations back to Congress within 12 months.  In the meantime, the FTC Regulation would implement the ARRA breach notification obligations for non-HIPAA Covered Entities dealing with PHRs.

Concurrent with publication of the FTC Regulation, HHS separately published guidance defining when the new data breach notification rules enacted under the HITECH Act will require HIPAA Covered Entities to provide notification of a breach of the security of “unsecured protected health information” (“UPHI”).  The HHS Guidance identifies the technologies and methodologies (in substance, encryption and destruction) that render PHI unusable, unreadable or indecipherable to unauthorized individuals, and thereby outlines the minimum steps that HHS anticipates impending interim regulations will require Covered Entities to take to prevent PHI from being treated as UPHI for which the HITECH Act requires breach notifications.  Practically, this means that PHI which is merely access-controlled, but neither encrypted in the manner the guidance describes nor destroyed, remains UPHI, and a breach of it triggers the notification duty.  You can review this new HHS Guidance at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf

In addition to these new data breach requirements, ARRA also tightened the HIPAA privacy and security mandates applicable to HIPAA Covered Entities in several other respects.  Among other things, ARRA:

  • Broadens the applicability of HIPAA’s Privacy Rules and penalties to include business associates;
  • Adds specific obligations upon these entities to provide certain notifications in the event the security of PHI is breached;
  • Clarifies that HIPAA’s criminal sanctions apply to employees or other individuals that wrongfully use or access PHI held by a covered entity;
  • Increases criminal and civil penalties for HIPAA Privacy Rules violators;
  • Allows State Attorneys General to bring civil damages actions;
  • Modifies certain HIPAA use and disclosure and accounting requirements and risks;
  • Prohibits sales of PHI without prior consent;
  • Tightens certain other HIPAA restrictions on uses or disclosures;
  • Tightens certain HIPAA accounting for disclosure requirements;
  • Clarifies the definition of health care operations to exclude certain promotional communications; and
  • Expands the business associate agreement requirements.

These and other developments make it imperative that HIPAA Covered Entities and non-HIPAA Covered Entities handling or dealing with PHRs immediately review and update their data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws.  Business associates that have not already done so also must appoint privacy officers and adopt and implement privacy and data security policies and procedures fully compliant with HIPAA and other applicable federal and state rules, including the amendments enacted as part of ARRA.

We hope you found this information helpful.  If you or someone that you know would like to register to receive these updates and other helpful information on HIPAA and other health care and human resources risk management matters, register here.  If your organization needs assistance with understanding or managing its responsibilities or liabilities under HIPAA or other health care or employment laws, or wishes to inquire about HIPAA training or other services and experience of Cynthia Marcotte Stamer, please contact Ms. Stamer at Cstamer@CTTLegal.com or telephone her at 214.279.2402.  To learn more about Cynthia Marcotte Stamer and/or access some of her many HIPAA and other publications, go to CynthiaStamer.com.  For important information concerning this communication, review the About this Publication Page.

©2009 Cynthia Marcotte Stamer.  All rights reserved. 

Entry filed under: Data Security, Health, Health care, Health Information Technology, Health Plans, Hospitals, Medical Privacy, Physicians, Privacy.
