FTC Assessing Whether Its Health Data Breach Rule Is StaleCommission Is Seeking Comments About Potential Changes to Notification Requirements
The Federal Trade Commission is assessing whether to make changes to a seldom-used, decade old health data breach notification rule for personal health record vendors and other companies that do not fall under the umbrella of HIPAA.
The FTC is asking for comments on whether the rule's definitions of a PHR-related entity, third-party service provider or vendor of personal health records should be modified in light of changing technological and economic conditions, such as the proliferation of mobile health applications, virtual assistants offering health services, and platforms' health tools.
The FTC also asks whether technological changes, "such as the increased use of in-app messaging, text messages and platform messaging," warrant any changes to the rule. The agency is examining whether the rule:
- Should be modified to address any developments in healthcare products or services related to COVID-19;
- Should take into consideration issues raised by direct-to-consumer technologies and services, such as mobile health apps, virtual assistants and platform health tools;
- Has resulted in under-notification, over-notification or an efficient level of notification;
- Needs to have its various definitions - such as for "PHR identifiable health information" - modified to reflect legal, economic and technological changes;
- Contains adequate timing requirements and methods for reporting a breach.
In a request for public comment that FTC plans to issue in the Federal Register, the agency says it is seeking comments for 90 days.
In a Friday statement, the FTC says that as part of its "periodic review" of its rules, it's seeking comments on potential changes to the regulation, which went into effect in 2009 and requires certain companies that provide or service personal health records to notify consumers and the commission of a data breach.
Under the rule, a personal health record is defined as an "electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual," according to the FTC.
PHRs were heavily marketed a few years back, but interest in the technology has since died down and many product offerings have been withdrawn.
"The FTC regularly reviews its regulations and guidance materials on a 10-year schedule to ensure that they continue to be relevant by keeping up with changes in the marketplace and meet the needs of the public," notes privacy attorney David Holtzman of the security consultancy CynergisTek.
"The current review is particularly timely due to the explosion of technologies that allow consumers and industry to create, assemble and share collections of personally identifiable information of all types. With respect to individually identifiable health information, consumers are allowing much of this data to be handled or maintained by tech companies whose privacy practices are shrouded in opaque, complex notices that users do not understand."
Few Major Breach Reports
Under the FTC's health breach notification rule, companies that sell PHRs - and related entities that are not covered under HIPAA - must notify individuals, the FTC, and, in some cases, the news media of a breach of unsecured personally identifiable health data.
"Currently, the rule requires such entities to provide notifications within 60 days after discovery of the breach. If more than 500 individuals are affected by a breach, however, entities must notify the FTC within 10 business days," the FTC notes.
But in the last decade, the commission says it has only received notifications of two breaches impacting 500 or more individuals, with most notifications dealing with smaller breaches (see FTC: No Major PHR Breaches So Far).
The two major breach reports were:
- A hacker incident affecting nearly 570,000 individuals reported by personal health record vendor NoMoreClipboard that was discovered in May 2015 and exposed consumers names, addresses, dates of birth, Social Security numbers and personal health record information;
- A misdirected automated email confirmation incident impacting 2,094 individuals reported by financial software vendor Intuit that was discovered in September 2010 and involved health insurance information.
While the FTC has only received two reports of breaches affecting 500 or more, the Department of Health and Human Services' HIPAA Breach Reporting Tool shows at least 3,237 such incidents reported in compliance with the HIPAA Breach Notification rule since it went in effect in September 2009.
PHRs Didn't Catch On
The FTC's rule likely has not resulted in many major breach reports because of the low adoption rates for personal health records.
"Historically, there have been a limited number of successful personal health record vendor platforms, as the public has not flocked to such technology," says privacy attorney Adam Greene of the law firm David Wright Tremaine. Some of the largest tech companies, including Google and Microsoft, created PHR applications but have since ended the projects.
But new iterations of PHRs could emerge, Greene says.
New health IT interoperability requirements from HHS include support for application programming interfaces to allow patients easier access to their health data using mobile applications and similar products, he points out.
"New API requirements may expand the market for PHR applications, creating a greater need for this FTC rule in the future," Greene says. "While I think it's good for the FTC to regularly review its rule, I don't know think that any fundamental changes to the rule are needed."
But Holtzman says the FTC review should extend beyond the issue of "breaches" of health data "into a broader examination" of how companies collect and process individually identifiable health information.
"These issues are of particular significance to consumers with the recent adoption of the [HHS] information blocking regulation, which promotes consumers to use APIs to access or download their health information from healthcare providers and payers, but not requiring that the API technology include privacy and security controls," he notes.
"For example, if patients access their health data - some of which is likely sensitive - through a smartphone, patients should have protections that prevent the app developers from selling or sharing that data with third parties without the permission of the consumer."
Room to Grow?
Privacy attorney Kirk Nahra of the law firm WilmerHale says it's not clear whether the FTC has much wiggle room for substantial changes to its health breach notification rule.
"This current FTC rule applies in a limited context and generally works well in that limited context," he says. "Other than creating a risk assessment idea like [the breach assessment provision] in the HIPAA rule, there doesn't seem to be all that much the FTC can do under this relatively limited statutory provision."
The FTC rule is meant to fill in "some gaps" pertaining to personal health record vendors that are not covered by HIPAA. "Congress decided to fill some of this gap in relation solely to breach notification and personal health records .... but it didn't address any other part of the gap, such as more general standards for non-HIPAA situations," Nahra notes.
How About Changing HIPAA?
So, could any breach-related regulatory gaps be closed with potential changes to HIPAA, rather than changes to the FTC's rule?
"Modifications to HIPAA that would address the advances in technologies that make it easier for consumers and industry create, assemble and share collections of personally identifiable information would require legislative action by Congress," Holtzman says.
"It is not likely that there is much opportunity or interest in taking this on while there are debates about how to address privacy concerns in the response to the COVID-19 pandemic, as well as the debate of how an overarching federal law addressing privacy of personally identifiable information would treat data about healthcare."