Guest Article

(From the May 4, 2009 issue of Deloitte's Washington Bulletin, a periodic update of legal and regulatory developments relating to Employee Benefits.)

FTC Proposes Health Breach Notification Rule


Vendors of personal health records and related entities -- although not covered by HIPAA's privacy or security rule -- will soon be required to provide notice to the Federal Trade Commission (FTC) and to affected individuals when personal health records are acquired without the individual's authorization. Personal health records are broadly defined, and include information that relates to the "payment for the provision of health care" (e.g., a database containing names and credit card information), and the mere fact of having an account with a vendor whose products relate to a particular health condition. Further, under FTC proposed regulations, there is a presumption that an "unauthorized acquisition" occurred where there was unauthorized access to the personal health records -- for example, where an employee loses a laptop containing unsecured health information in a public place. 74 Federal Register 17914 (April 20, 2009).

New Breach Notice Requirement Was Enacted with ARRA

The FTC recently proposed regulations to implement the new breach notification requirements that were enacted with the American Recovery and Reinvestment Act (ARRA) of 2009. Breaking new ground, the ARRA requires certain entities that are not covered under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to nonetheless provide notice when personal health records (PHR) are breached.

As explained by the FTC, the new breach notification requirements are aimed at entities such as web-based applications that help consumers manage medications, websites that offer online personalized health checklists, companies that advertise dietary supplements online, etc. As organized under the regulation, the new notice requirement applies to three types of entities:

  • Vendors of PHR,
  • PHR-Related Entities, and
  • Third-Party Service Providers (together, the "Covered Entities").

The FTC notice requirement does not apply to HIPAA-covered entities or to an entity's activity as a business associate of a HIPAA-covered entity -- since HIPAA governs their obligation to provide notice.

The FTC regulations are proposed to be effective for breaches of security that are discovered on or after September 19, 2009 -- however, the FTC will receive comments until June 1, 2009, and is specifically asking for comment on: (1) the nature of the entities to which the rules should apply, (2) the particular products and services they offer, (3) the extent to which Covered Entities may be HIPAA-covered entities or business associates, (4) whether some vendors of PHR may have a dual role as a business associate of a HIPAA-covered entity and a direct provider of PHR to the public, and (5) circumstances where a dual role may lead to receipt of multiple breach notices.

Regulations Provide Clarity

The regulations implement ARRA § 13407, which generally requires a Vendor of PHR or a PHR-Related Entity who discovers a breach of security to:

  • Notify each individual who is a citizen or resident of the U.S. whose PHR was acquired by an unauthorized person, and
  • Notify the FTC.

A Third-Party Service Provider that discovers a breach is required to notify the Vendor of PHR or the PHR-Related Entity which it serves -- which, in turn, is required to notify the individual and the FTC. The FTC is required to notify the Department of Health and Human Services of the breach notifications it receives.

The regulations provide considerable clarity on how the new requirements apply.

  • Definitions. Key terms are:

    • Vendors of PHR. This means an entity -- other than a HIPAA-covered entity or business associate -- that offers or maintains a personal health record. A personal health record is an electronic record of identifiable health information that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual.
    • PHR-Related Entities. This means an entity -- other than a HIPAA-covered entity or business associate -- that offers products or services through the website of a Vendor of PHR or through a HIPAA-covered entity, or that accesses information in a PHR or sends information to a PHR. For example, this would include online applications by which individuals connect their blood pressure cuffs, blood glucose monitors, etc., so the results could be tracked through their PHR.
    • Third-Party Service Provider. This means an entity that provides services to a Vendor of PHR or to a PHR-Related entity, and which accesses, maintains, uses, stores, or discloses PHR as a result of its services. For example, this would include entities that provide billing or data storage services to Vendors of PHR.

    For the most part, the terms are defined consistently with their definitions under HIPAA (e.g., business associate, HIPAA-covered entity) or the ARRA (e.g., personal health record). Two definitions that the FTC's preamble to the Health Breach Notification Rule specifically discusses are:

    • Breach of Security. This term is defined under ARRA as "the acquisition of unsecured PHR identifiable health information without the authorization of the individual." However, the FTC breach notification regulations expand this definition to presume unauthorized acquisition where there is unauthorized access. For example, where an employee loses a laptop containing unsecured health information in a public place, the information is accessible to unauthorized persons and unauthorized acquisition is presumed. The presumption can be rebutted, however, by forensic analysis showing that the files were never opened.

    • PHR Identifiable Health Information. The term is as defined under ARRA, but the preambles point out that it includes information that relates to the "past, present or future payment for the provision of health care." Therefore, the breach notification requirements would apply to a breach of security of a database containing names and credit card information even if no other information was included. The notice requirements would also apply to the fact of having an account with a Vendor of PHR where the products or services offered by the vendor relate to particular health conditions.
  • Breach Notification. A breach is discovered on the first day it is known or should reasonably have been known. Notification of the breach must be given "without unreasonable delay" and in no case later than 60 days after discovery of the breach. In some cases, it may be unreasonable to wait 60 days. The burden is on the Covered Entity to prove it provided appropriate breach notification.
  • Manner of Notice. Third-Party Service Providers must provide notice to a senior official of the Vendor of PHR or the PHR-Related Entity and must obtain an acknowledgment from the official. The notice must contain the specific information identified in the regulation. Notice from the Vendor of PHR or the PHR-Related Entity to the affected individuals must be provided in writing by first class mail or, where urgent, by telephone or other means in addition to first class mail. If ten or more individuals cannot be reached through those methods, notice must be given either through posting on the Vendor of PHR or PHR-Related Entity's website homepage for a period of six months, or in major print or broadcast media reasonably calculated to reach the affected individuals. Where 500 or more residents of a state are affected by a breach, the Vendor of PHR or PHR-Related Entity must provide notice to prominent media outlets serving the state.
  • FTC Notice. Vendors of PHR or PHR-Related Entities must provide notice to the FTC following discovery of a breach. Where 500 or more individuals are involved, the FTC must be notified as soon as possible and in no case later than five business days after the discovery. Where fewer than 500 individuals are involved, the Vendor of PHR or PHR-Related Entity may instead maintain a log of the breaches that occurred over a 12-month period and report them to the FTC from that log.
  • Notice Content. The notice to individuals must describe how the breach occurred (including the date of the breach and date of discovery), the types of unsecured PHR identifiable health information that was involved, the steps individuals should take to protect themselves from harm, a description of the steps the entity is taking to mitigate the breach, and contact information for the individuals including a toll-free number, e-mail address, website, or postal address.

The regulation and further information is available on the FTC website at: www.ftc.gov/opa/2009/04/healthbreach.shtm.


The information in this Washington Bulletin is general in nature only and not intended to provide advice or guidance for specific situations.

If you have any questions or need additional information about articles appearing in this or previous versions of Washington Bulletin, please contact: Robert Davis 202.879.3094, Elizabeth Drigotas 202.879.4985, Mary Jones 202.378.5067, Stephen LaGarde 202.879.5608, Erinn Madden 202.572.7677, Bart Massey 202.220.2104, Mark Neilio 202.378.5046, Tom Pevarnik 202.879.5314, Sandra Rolitsky 202.220.2025, Deborah Walker 202.879.4955.

Copyright 2009, Deloitte.


BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.