By Charles Stellar
Much can change in a decade, which is why the Federal Trade Commission (FTC) earlier this year put out a request for comments regarding the Health Breach Notification Rule.
Not many people outside health care likely are aware of the FTC breach notification rule, which sets parameters for data breaches in areas not regulated by HIPAA, including personal health records (PHRs), PHR-related entities, and third-party service providers.
Since the rule went into effect in 2009, just three companies have submitted FTC health breach notifications that affected a total of 570,000 records. Compare that with the HIPAA breach portal maintained by the Office of Civil Rights within Health and Human Services. During September 2020 alone, 81 reports were listed that affect 9.2 million patient records.
But protecting both patient health data through HIPAA and consumer health care through the FTC are critical considerations to keep data private.
The past decade has seen an explosion of healthlike apps such as smartwatches, blood pressure cuffs, scales, EKG mobile devices, and more that transmit biometric data. More consumer and medical health applications are being connected through application programming interfaces (APIs) that, if not adequately secured, can be the point of entry for cybercriminals. It’s also important to align FTC regulations with HIPAA guidelines and to reduce confusion in the industry over which entity governs what piece of consumer/patient data.
Expand Company Types That Fall Under FTC Mandates
As more medical devices and health monitoring apps become connected to the internet, the lines continue to blur between what’s regulated through HIPAA and what falls under the purview of the FTC.
Obviously, wireless pacemakers and other wireless-enabled medical implants fall under HIPAA regulations. At the same time, fitness trackers that may transmit patient data to EHRs and practice management systems through APIs don’t qualify. As the sophistication of wearables increases, however, those devices may remain outside of the HIPAA protections.
The 21st Century Cures Act includes regulations to create standardized APIs that consumers can use to access their health information on smartphones and mobile devices. However, most third-party software developers are not governed by HIPAA or the FTC under the latter agency’s current definition of a third party. That definition should be expanded to encompass vendors, application developers, electronic storage, and other entities that aren’t currently covered under HIPAA guidelines but do handle consumer health information.
Eliminate Confusion, Uncertainty Between Regulations
Any patient who has visited a physician, an imaging center, a hospital, or another health care provider is at least passingly familiar with HIPAA privacy regulations. But few outside affected industries know about the FTC guidelines, a situation that creates confusion in the market. Consumers may have no idea that information they are storing or transmitting in apps isn’t already covered under HIPAA and may or may not be covered by the FTC breach notification rule.
In addition to expanding the types of companies that develop and sell consumer health information, the rule should include other types of non–HIPAA-covered entities that use, access, or disclose health information.
The FTC rule acknowledges the importance of providing regulatory protections to non–HIPAA-regulated entities while at the same time ensuring the rule does not interfere with the existing HIPAA framework for covered entities and their business associates. That distinction is crucial to differentiating between the two and should be retained.
Level the Playing Field, Where Possible
Aligning HIPAA regulations with the FTC Health Breach Notification Rule could bring clarity to both rules. For example, the FTC could align its regulatory requirements to those imposed on companies and business associates covered by HIPAA.
The notification requirements of a breach differ widely between the regulations, while state laws might have yet another set of rules. Under HIPAA, notification of a breach of more than 500 records must occur within 60 days of discovery, while companies that experience a breach of fewer than 500 records can wait as many as 60 days after year-end. The FTC rules are more stringent, requiring notice within 10 business days of a breach in excess of 500 records and 60 days for fewer than 500.
Many states require more timely reporting, as does the European Union’s General Data Protection Regulation, which requires notification within 72 hours. For consumer protection and confidence, the FTC is on the right track to make sure it modernizes regulations based on what is occurring with technology today. Overall, HIPAA-covered entities should not face stricter notification standards than those imposed on entities covered by the FTC rule.
As companies devise new apps and devices to help consumers take control of their health care data, consumers naturally believe the same privacy and security protections that cover health care data cover the other healthlike apps and devices they use. But those in health care are abundantly aware of the significant differences between the two.
To level the playing field and encourage innovation, entities covered by HIPAA should not have to adhere to stricter standards than other companies that collect, use, and disclose consumer health information. WEDI appreciates that the FTC is taking another look at its regulations to consider the changing market environment, the proliferation of devices, and the desire to protect the privacy and data security of consumers.
— Charles Stellar is CEO at WEDI, the nation’s leading nonprofit authority on the use of HIT to create efficiencies in health care information exchange and a statutory advisor to Health and Human Services.