The American Recovery and Reinvestment Act of 2009 (ARRA, commonly known as the “Economic Stimulus Package”) required both the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) to address the problem of securing an individual’s private health information from security breaches. On April 17, HHS responded by issuing guidance on this subject, and on April 20 the FTC responded by issuing proposed regulations.
The HHS guidance, issued under the Health Insurance Portability and Accountability Act’s (HIPAA’s) administrative simplification provisions, will affect “covered entities,” and the FTC’s proposed regulations will affect other entities not defined by HIPAA as “covered entities.”
The HHS guidance identifies technologies and methodologies to make protected health information (PHI) in paper or electronic form unusable, unreadable, or indecipherable to unauthorized individuals. The guidance identifies encryption and destruction as the two methods that will satisfy the requirements, and notes that these methods are exhaustive and not merely illustrative. The guidance specifies encryption and destruction processes or technologies that meet the required standards. Implementing these processes will create a “safe harbor” for covered entities, allowing them to avoid the notification requirements in the event of a security breach. The guidance will apply to breaches that occur 30 or more days after HHS issues interim final breach notification regulations.
The FTC’s proposed regulations apply to vendors of personal health records (PHRs) and related entities, and would require them to notify affected individuals and the FTC when a security breach is discovered. The regulations contain most of the same defined terms as the ARRA and clarify some of them. For example, a “breach” involves unauthorized “acquisition” of PHR information and not necessarily simply unauthorized access to the information. Examples of PHR information include a database containing names and credit card information even when no personal medical information is included.
Under the regulations, the notification requirements extend beyond vendors of PHRs to their third-party service providers and other “related entities.” These entities must provide notification of a security breach “without unreasonable delay” and in any event within 60 calendar days after the discovery of the breach. Depending on the nature and scope of the breach, notification must be made to the affected individuals, to media outlets and to the FTC, and the notification must include steps affected individuals can take to minimize any harm resulting from the breach of the PHR information. The proposed regulations would apply to breaches discovered on or after September 18, 2009.
HHS and the FTC are requesting public comment on the proposed regulations. The HHS guidance is at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf and the FTC’s proposed regulations are at http://edocket.access.gpo.gov/2009/pdf/E9-8882.pdf.