By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
On the heels of recent settlements concerning the use of personal and health information, the Federal Trade Commission (FTC) is continuing its push on the healthcare front. The latest action is the finalization of changes to the Health Breach Notification Rule (HBNR). The modifications respond to developments and evolutions in the healthcare and surrounding industry to optimistically provide more insight into events impacting the privacy of more types of data.
What is the HBNR?
The HBNR was initially enacted as a means of covering forms of healthcare information that fell outside the purview of HIPAA. Specifically, the HBNR applies the personal health record (PHR) vendors as well as entities related to the PHR vendor and service providers supporting either of those entities. The PHR component is an important part of the coverage of the HBNR. A PHR is an electronic record of identifiable health information on an individual that may come from more than one source and is managed, shared, and controlled by or primarily for an individual. As the definition should make clear, the thrust of the PHR and in turn the HBNR is on services for an individual as opposed to entities within the traditional healthcare system, which is the approach under HIPAA.
Similar to HIPAA, the HBNR requires disclosure of a data breach when it occurs. The original HBNR only applies to electronic records, so if only paper is involved then a notification will not come. That is an important distinction from HIPAA. In a manner parallel to HIPAA, the breach notifications need to go to impacted individuals, the FTC, and the media. The timing for the notifications does diverge from HIPAA, so that should be part of a response plan.
While there is the possibility of enforcement for failing to comply with the HBNR, the FTC has not been very active on that front.
The Changes
The brief summary of the HBNR shows that it was somewhat limited in scope and application as initially enacted. That arguably was by design when first put into place because HIPAA was felt to sufficiently address what it needed to. The environment has changed though, which necessitates broadening the rule given the gaps that have grown around HIPAA.
Definition Changes
The rule updates some of the definitions in the HBNR to clarify scope as well as insert new definitions for the same purpose. Some of the key changes on that front are for “PHR identifiable health information,” “covered health care provider,” and “health care services or supplies.” The new definition of PHR identifiable health information echoes the definition of PHI under HIPAA. The scope of information covered is quite broad, which is clearly intentional.
The new definition of covered health care provider is meant to explain who needs to comply with the HBNR. The FTC noted that the addition of the word “covered” is really driven by a desire to differentiate from general use of the term health care provider.
The final primary definition change is the addition of a definition of “health care services or supplies.” The definition sets out a wide scope of potential services or supplies included in the HBNR. The key is that it addresses online services, which means it will draw in apps, websites, and other connected tools or services. The FTC responded to concerns that the definition would sweep in too many entities by explaining that a PHR would still need to be created or maintained, so it would be unlikely that general retailers would be accidentally swept in.
Multiple Sources of Identifiable Information
The FTC wanted to clarify what it means for a PHR to draw information from multiple sources. The new rule tweaks the explanation to not just be that the PHR can draw information from multiple sources to the PHR having the technical capacity to draw information from multiple sources. The thrust of the modification is to cover services or tools that can bring in information from a lot of places even if a user does not choose to utilize that capability.
What Breaches are Subject to the HBNR
The FTC recognized that the original HBNR was too limited because it only covered unsecured information being obtained without an individual’s authorization, which did not include a breach of security. Accordingly, the HBNR now defines a breach of security to be an unauthorized acquisition that occurs as a result of a breach or an unauthorized disclosure. The HBNR still includes a rebuttable presumption that the unauthorized acquisition occurred, which again mirrors the presumption of a breach under HIPAA.
The FTC also confirmed its decision to not define the word “authorization” despite that term being used in the definition of breach of security. In considering comments, the FTC restated that determining whether a disclosure was authorized would be fact specific and narrowing down through a definition would have potentially negative ripple effects.
Electronic Notice
How can notice of a breach occur? It is an important question because entities should want to use all reasonable efforts to ensure that impacted individuals can learn about what happened. In particular, the FTC wanted to permit expanded use of “electronic mail” by amending the definition to mean more than just email. Specifically, the newly adopted definition will allow for email in combination with one or more of a text message, in-app message, or electronic banner. Accordingly, email means email plus.
Content of Breach Notice
The FTC considered up to five changes for the content of a breach notice. After considering all of the comments, the FTC did not adopt all of the proposed changes though. The new requirements are: (i) providing the full name or identity of third parties that acquired the PHR identifiable health information unless including that information would pose a risk to affected individuals or the entity providing the notice, (ii) identifying the types of PHR identifiable health information involved in the breach, (iii) describing what the impacted entity is doing to protect affected individuals, and (iv) specifying two or more contact procedures for affected individuals to reach out to the impacted entity.
The new requirements for the notification should be built into a preset template that can be modified for a particular circumstance or built into a breach response plan. Either way, it all goes to being prepared.
Additional Changes
It is also good to note that the new rule includes other changes. All of the new requirements and modifications should be reviewed because compliance will require knowing everything.
Conclusion
The FTC changes to the HBNR are just one in a string of new rules and regulations coming out that impact the healthcare industry. It is essential to stay on top of all the new rules to ensure that operations can remain up to date and aligned with all applicable requirements.
This article was originally published on The Pulse blog and is republished here with permission.