HHS and FTC Issue Breach Notification Rules

On August 17, 2009, the Federal Trade Commission (FTC) issued its final rule requiring vendors of “personal health records” to notify consumers when the security of their electronic health information is breached. On August 19, 2009, the U.S. Department of Health and Human Services (HHS) issued its interim final rule requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. These rules were issued pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), which is part of the American Recovery and Reinvestment Act of 2009 (ARRA). HITECH required the FTC and HHS to collaborate on the development of the breach notification rules. The FTC’s press release and a link to its Breach Notification Rule are available here. The HHS press release and Breach Notification Rule are available here. HHS published the Breach Notification Rule in the Federal Register on August 24, 2009.


It is important to note that these Rules do not address privacy and security per se but rather are focused on notification of consumers and patients when there is unauthorized access to their health information.  The FTC Rule applies to electronic, unsecured personal health information (not paper). The HHS Rule applies to electronic, paper or oral unsecured protected health information.

The FTC explicitly states that its rule does not apply to HIPAA covered entities, even if the HIPAA covered entity offers a personal health record to its employees who are neither patients nor insureds of the HIPAA covered entity. On the other hand, a Business Associate of a HIPAA covered entity may be subject to both the FTC Rule and the HHS Rule when the Business Associate provides a personal health record, through the HIPAA covered entity, to individuals who are not insureds or patients of the HIPAA covered entity.

Additionally, coordinating responsibility for notifying consumers and patients between a HIPAA covered entity and a personal health record vendor that do business with one another will be critical and should be covered in the written business associate agreement between the parties. Accordingly, reviewing and updating BA agreements to address the new breach notification requirements may be in order for many HIPAA covered entities and their business associates. In addition, vendors of personal health records must maintain lists tracking which customers belong to which HIPAA covered entity and must update that information regularly.

What’s up next? ARRA requires HHS, in consultation with the FTC, to conduct a study and report (“HHS Report”) by February 17, 2010 on potential privacy, security, and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA. Privacy and security of personal health records, and breach notification involving paper records, are among the items that the FTC expects the HHS Report to address.

Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.
