HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Health Privacy/HIPAA

HHS and FTC Issue Breach Notification Rules

The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) have both issued data breach notification rules. The rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and are aimed at providing increased protection of individuals’ health information.

The HHS interim final breach rule was issued August 26, 2009 and requires entities covered by HIPAA to notify individuals, the HHS Secretary, and, in limited circumstances, the media following discovery of a breach of security involving an individual’s protected health information (“PHI”). Notification need not be provided if the information was secured through methodologies and technologies specified by HHS in recent Guidance. Importantly, the HHS breach rule introduces a risk of harm standard under which notification is not required if a breach does not pose a significant risk of financial, reputational, or other harm to an individual. Limited exceptions are also provided for certain internal disclosures and breaches involving limited health information. Under the Rule, business associates are required to provide notice to covered entities following the discovery of a breach of unsecured PHI at or by the business associate. The Rule specifies timing, method, and content of notification requirements. The Rule is effective on September 23, 2009. HHS is accepting comments on the provisions of the Rule until October 23, 2009.

The FTC also issued its final breach rule, the Health Breach Notification Rule. The Rule applies to vendors of personal health records (“PHR vendors”), PHR-related entities, and third-party service providers. HIPAA covered entities and business associates (when engaging in business associate activities) are excluded from the definitions of PHR vendor and PHR-related entity. The FTC Rule requires PHR vendors and PHR-related entities to notify consumers following discovery of a breach involving unsecured identifiable health information that is in a personal health record. The Rule also specifies timing, method, and content of notification requirements. Of particular importance, for all breaches involving 500 or more consumers, the Rule requires notice to the FTC within 10 business days of discovery of the breach. Notice to the agency of smaller breaches can be given on an annual basis. The Rule, which was issued on August 17, 2009, has an effective date of September 24, 2009.

Both HHS and the FTC have decided to delay enforcement of their rules until 180 days after publication of their respective rules in the Federal Register. Full compliance with both rules will likely be required by February 22, 2010.