FTC as Enforcer: Proposed Data Breach Notification Rule for Personal Health Records

The Federal Trade Commission (FTC) issued on April 16 an interim proposed health breach notification rule relating to personal health records (Proposed Rule) establishing federal breach notification requirements for the developers of electronic personal health record¹ (PHR) systems and “PHR related entities.”² Issued pursuant to the February 2009 American Recovery and Reinvestment Act³ (Recovery Act), the Proposed Rule was the result of a collaborative effort by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), the Office of the National Coordinator for Health Information Technology, and the Centers for Medicare and Medicaid Services. The public comment period on the Proposed Rule is open through June 1. The effective date of the Proposed Rule is Sept. 18, 2009.

FTC as the new enforcer in town

To date, the FTC has not played a prominent role in enforcing health care privacy and security laws. Rather, it has focused on privacy as the central element in its consumer protection mission. The FTC has been active in educating consumers and businesses about the importance of the security and privacy of personal information.

Historically, the FTC, under the authority of the FTC Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act, has acted to protect consumer privacy in general; guard against unfairness and deception by enforcing companies’ privacy promises regarding their collection, use and security of consumers’ personal information; implement rules relating to financial privacy and safeguards on personal information; and protect consumers against pretexting and the like.

In the last few years, however, it appears that the issue of health care privacy and security slowly has been finding its way into the FTC’s overall consumer protection mission.⁴ Most recently, the FTC issued charges against CVS Caremark for its failure to take reasonable and appropriate security measures for the protection of sensitive medical and financial information of its customers and employees.

The FTC began its investigation upon receiving reports of CVS pharmacies throwing trash with highly personal financial and health related information into open trash bins. The trash included: pill bottles with patient names, addresses, prescribing physicians’ names, medication and dosages; medication instruction sheets with personal information; computer order information with consumers’ personal information; employment applications that included Social Security numbers; payroll information; and credit card and insurance information, including in some cases, account numbers and driver’s license numbers.

In addition to the failure to implement reasonable and appropriate procedures for handling such information, the FTC allegations also included unfair and deceptive practices in violation of the FTC Act based on CVS’s statements to consumers that “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.”⁵

HHS, through OCR, also opened an investigation at the same time based on the disposal of health information protected under the Health Insurance Portability and Accountability Act (HIPAA). This was the first instance where OCR coordinated an investigation and resolution of a case with the FTC.⁶

Ultimately, the matter was settled and the FTC issued an order that requires CVS Caremark to:
(1) establish, implement and maintain a comprehensive information security program designed to protect the security, confidentiality and integrity of the personal information it collects from consumers and employees; (2) obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order; (3) be subject to standard record-keeping and reporting provisions to allow the FTC to monitor compliance; and (4) refrain from future misrepresentations with respect to the company’s security practices.

The HHS settlement also placed various requirements on CVS pharmacies to: (1) establish and implement policies and procedures for disposing of protected health information; (2) implement a training program for handling and disposing of such patient information; (3) conduct internal monitoring; and (4) engage an outside independent assessor to evaluate compliance for three years. Under the HHS terms of settlement, CVS also will pay HHS $2.25 million to settle the matter.⁷

Now, the Recovery Act and the Proposed Rule expand the scope of the FTC’s authority to specifically include enforcement of health care privacy and security matters. In fact, the Recovery Act and the Proposed Rule provide that a violation of the breach notification requirements will be treated as an unfair or deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. § 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

The Recovery Act calls the FTC and HHS to action

The Recovery Act includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. (Davis Wright Tremaine has issued two previous advisories on the Recovery Act: “Carrots and Sticks: The Stimulus Package Promotes Health Information Technology " and "Economic Stimulus Package Ratchets up Privacy and Security for Health Information.")

The Recovery Act recognizes that there are newer types of Web-based entities that collect consumers’ health information, including vendors of PHRs (PHR vendors) and online applications that interact with such PHRs. Some of these entities are not subject to the privacy and security requirements of HIPAA.⁸
 
For entities not covered by HIPAA, the Recovery Act requires HHS to study, in consultation with the FTC, potential privacy, security and breach notification requirements and submit a report to Congress containing recommendations (HHS/FTC Report), which is due in February 2010. Until Congress enacts new legislation implementing any recommendations contained in the HHS/FTC Report, the Recovery Act contains temporary requirements, to be enforced by the FTC, that such entities notify customers in the event of a security breach. The Proposed Rule implements these requirements.

The Recovery Act also directs HHS to promulgate interim final regulations requiring: (1) HIPAA-covered entities, such as hospitals, doctors’ offices and health insurance plans, to notify individuals in the event of a security breach; and (2) business associates of HIPAA-covered entities to notify such covered entities in the event of a security breach. To the extent that FTC-regulated entities engage in activities as business associates of HIPAA-covered entities, such entities will be subject only to HHS’s rule requirements and not the FTC’s Proposed Rule.
 
Many of the breach notification requirements applicable to FTC-regulated entities under the Proposed Rule are the same as the breach notification requirements applicable to HHS-regulated entities. Section 13407 of the Recovery Act states that the statutory requirements for timeliness, method and content of breach notifications contained in section 13402 (the section applicable to HHS-regulated entities) shall apply to FTC-regulated entities “in a manner specified by” the FTC. Thus, the FTC is consulting with HHS to harmonize its Proposed Rule with HHS’s proposed rule.
 
Organizations subject to the Proposed Rule
 
The Proposed Rule would apply to the following three types of organizations:

1.  PHR vendors – entities, other than HIPAA-covered entities or business associates of a HIPAA-covered
     entity (when acting in such capacity), that offer or maintain a PHR.

2. PHR-related entities – entities, other than HIPAA-covered entities or entities to the extent that they
    engage in activities as a business associate of a HIPAA-covered entity, that:

• Offer products or services through the Web site of a PHR vendor.
• Offer products or services through the Web sites of covered entities that offer individuals PHRs.
• Access information in a PHR or send information to a PHR.

3. Third-party service providers – entities that:

• Provide services to a PHR vendor in connection with the offering or maintenance of a PHR or to a PHR-related entity in connection with a product or service offered by that entity; and
• Access, maintain, retain, modify, record, store, destroy, or otherwise hold, use or disclose unsecured PHR identifiable health information as a result of such services.

The Proposed Rule will apply to any of the above-described entities regardless of whether they would be subject to enforcement by the FTC under the FTC Act. The Proposed Rule does not apply to HIPAA-covered entities or to an entity’s activities as a business associate of a HIPAA-covered entity.

What constitutes a breach?

The Proposed Rule defines “breach of security” as the acquisition of “unsecured” PHR identifiable health information of an individual in a PHR without the authorization of the individual.

With respect to individuals, the Proposed Rule defines “PHR identifiable health information” as “individually identifiable health information,” as defined in HIPAA: (1) that is provided by or on behalf of the individual; and (2) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. This definition of “PHR identifiable health information” is key to the determination of what constitutes a breach.

The FTC notes that first, because the definition of “PHR identifiable health information” includes information that relates to the “past, present, or future payment for the provision of health care to an individual,” the Proposed Rule covers breaches of such information. Thus, the Proposed Rule extends to breaches of billing information that contains a person’s name and credit card information even if no other information, such as medical diagnosis or treatment, was accessed.

Second, because the definition includes information that relates to “the health or condition” of the individual, it would include the fact of having an account with a PHR vendor or PHR-related entity, where the products or services offered by such vendor or related entity relate to particular health conditions. By way of example, the theft of a PHR member list of an AIDS affinity group would constitute a breach under the Proposed Rule.

Third, if there is no reasonable basis to believe that information can be used to identify an individual, then the information is not “PHR identifiable health information,” and a breach notification need not be provided.

As noted, the notification requirements apply only to “unsecured” PHR identifiable health information. This means that the information is not protected through the use of a technology or methodology specified by HHS in guidance. HHS recently issued Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable or Indecipherable to Unauthorized Individuals for Purposes of Breach Notification Requirements Under the Recovery Act.

In some cases, determining whether a breach occurred will be fairly easy. Examples noted by the FTC in the Proposed Rule include: the theft of a laptop containing unsecured PHRs; the theft of hard copies of such records; the unauthorized downloading or transfer of such records by an employee; and the electronic break-in and remote copying of such records by a hacker. In other cases, however, although there may be unauthorized access to data, it may be unclear, without further investigation, whether the PHR identifiable health information also has been acquired.

The Proposed Rule creates a presumption that if an unauthorized person has access to PHR identifiable health information, then such person will be deemed to have acquired that information. The Proposed Rule puts the burden on the entity where the breach has occurred to rebut the presumption that access is equivalent to acquisition. To assist in establishing a rebuttal, organizations should take the following steps after a breach:

• Review access logs
• Interview employees and contractors
• Conduct forensic analysis of the computer or system involved

Providing notice of a breach

Notification of a breach must be made “without unreasonable delay” but in no event later than within 60 calendar days of learning of the breach. PHR vendors and PHR-related entities must provide notice to each individual who is a citizen or resident of the United States whose unsecured PHR identifiable information was acquired by an unauthorized person as a result of such breach of security and to the FTC.⁹ Third-party service providers must provide notice of a breach of security to a senior official at the applicable PHR vendor or PHR-related entity. The notice must comply with the following requirements:

• Notice may be made by first-class mail, e-mail (if express affirmative consent is given) or telephone communications. If 10 or more affected individuals could not be reached by these methods, then a vendor or PHR-related entity must post a notice of the breach on its Web site for six months or in the print and broadcast media where individuals affected are likely to reside.
• Media notices must be accompanied by a toll-free number an individual may call to determine if his or her records were breached. In addition, the media must be contacted if the breach involves 500 or more individuals.
• Notices must include a brief description of how the breach occurred and what type of information was involved, such as whether it involved people's names, Social Security numbers, dates of birth, addresses and account numbers.
• Notices should include what steps individuals might take to prevent harm as a result of the breach and what the PHR vendor or other entity is doing to investigate the breach, prevent further occurrences and mitigate losses.
• Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an e-mail address, Web site or postal address.

The entity responsible for providing the notice has the burden of proof to demonstrate the notice was provided in accordance with the Recovery Act and the Proposed Rule.

FOOTNOTES

1 The Proposed Rule defines "personal health record" as an "electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual."

2 16 C.F.R. Part 318: Notice of Proposed Rulemaking and Request for Public Comments Concerning Proposed Health Breach Notification Rule, Pursuant to the American Recovery and Reinvestment Act of 2009 available on the FTC’s Web site.

3 American Recovery & Reinvestment Act of 2009, Pub.L. 111-5, ____Stat.____.

4 In 2002, Eli Lilly and Company settled FTC Charges concerning a security breach where the company disclosed e-mail addresses of 669 subscribers to its Prozac reminder service. In 2000, the FTC settled charges relating to prescriptions promoted with false medical claims and collection of medical and financial data with false privacy assurances against operators of a group of online pharmacies. Please see case materials and press releases.

5 Press Release, Federal Trade Commission, CVS Caremark Settles FTC Charges: Failed to Protect Medical and Financial Privacy of Customers and Employees; CVS Pharmacy Also Pays $2.25 Million to Settle Allegations of HIPAA Violations, Feb. 18, 2009.

6 News Release, HHS Press Office, CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Feb. 18, 2009.

7 Press Release, Federal Trade Commission, supra.

8 Health Insurance Portability and Accountability Act, Pub.L. 104-191, 110 Stat. 1936 (1996).

9 Notice to the FTC must be provided as soon as possible and in no case later than five business days where the breach involves the health information of 500 or more individuals. If fewer than 500 individuals were involved, PHR vendors and PHR related entities may, in lieu of immediate notice, maintain a breach log and submit that log annually to the FTC.