The Federal Trade Commission has announced final changes to the Health Breach Notification Rule, requiring entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and even the media in the event that personally identifiable information is compromised.
The rule will go into effect 60 days after it is published in the Federal Register.
The rule also requires third-party service providers to vendors of personal health records (PHRs) and to PHR related entities to notify those vendors and entities following the discovery of a breach.
Last May, the FTC proposed changes to the Health Breach Notification Rule (HBNR) and received 120 comments. After analyzing the comments, the FTC is making changes to the final rule, including:
- Revising definitions. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies”;
- Clarifying that a breach of security includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
- Revising the definition of PHR related entity in two ways: making clear that the final rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records; and making clear that only entities that access or send unsecured PHR identifiable health information to a personal health record (rather than entities that access or send any information to a personal health record) qualify as PHR related entities;
- Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;
- Expanding the use of electronic notification, which must provide clear and effective notice to consumers of a breach;
- Expanding the required content of consumer notices to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or to the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security;
- Changing the timing requirement so that, for breaches involving 500 or more individuals, the FTC must be notified at the same time notices are sent to affected individuals; those notices must be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.