Technologies, Regulatory Gaps Have Evolved Since Rule Went Into Effect a Decade Ago
Several health IT industry groups are urging the Federal Trade Commission to update its health data breach notification rule. The rule was designed to cover health data not protected under HIPAA, but it currently applies only to personal health records (PHRs) and related vendors, and the groups say it fails to address technological developments and regulatory gaps that have emerged since it was implemented a decade ago.
In May, the FTC – as part of a periodic review of its rules – issued a request for comment on whether the agency’s health breach notification rule’s provisions should be modified (see: FTC Assessing Whether Its Health Data Breach Rule is Stale).
The FTC rule, which took effect in 2010, requires certain companies that provide or service PHRs to notify consumers and the agency of a data breach.
Under the rule, a PHR is defined as an “electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual,” according to the FTC.
Since the FTC rule went into effect, the agency has received only three notifications of health data breaches affecting 500 or more individuals.
By comparison, under the HIPAA Breach Notification Rule, which applies to covered entities and business associates that handle protected health information for treatment, business operations or payment, the Department of Health and Human Services as of Tuesday has received 3,376 reports of breaches affecting 500 or more individuals since 2009.
Responding to the request for comments on the FTC rule, the College of Healthcare Information Management Executives (CHIME), which represents healthcare CIOs and CISOs, writes: “As currently written, the rule does not provide much benefit to consumers due to the lack of applicability to the real-world use of personal health information.”
CHIME urged the FTC to modify its definition of who is covered under the rule from vendors of PHRs and PHR-related entities to include companies and entities that interact with and/or store electronic health information not currently governed by HIPAA breach notification requirements.
By modifying its definition, “the FTC would be filling the gap left by HIPAA regulations and would assist in supporting the cross-governmental effort to empower patients with their health data,” CHIME writes. “At the same time, this revised definition would ensure third-party application developers and the platforms that host those applications would be able to utilize the new regulatory requirements to their fullest extent, while better protecting individual privacy or health data security.”
A broader definition would give the FTC more jurisdiction to enforce the rule, CHIME argues.
For instance, in July, fitness tracker vendor Garmin had its internal servers compromised by a ransomware attack, CHIME notes. “Under the current version of the FTC rule, Garmin is not required to report this breach, since it is not a PHR vendor.”
If the FTC changed its rule to cover vendors not covered under HIPAA that store electronic health information, “Garmin would be subject to breach notification requirements due to its handling of information from users, such as body weight, body height and heart rate – all data elements that are part of the United States Core Data for Interoperability,” CHIME writes.
“In this new world of API-enabled patient access, does downloading your health data on a mobile telephone such as through Apple’s Health Kit now cause Apple to be a PHR vendor or PHR-related entity?” CHIME asks. “Similarly, does a product, such as a mobile application like the much talked about contact-tracing apps used to fight COVID-19, fall into the category of a PHR-related entity?”
Without further clarity on who is governed by the FTC rule, those types of entities “fall through the cracks and have no breach notification requirements,” CHIME writes.
In its comments, the American Medical Informatics Association, which represents 5,500 informatics professionals, notes similar concerns and urges the FTC to provide additional guidance and clarification.
“We recommend the FTC take near-term action and develop guidance that explicitly includes usernames/passwords maintained by a non-HIPAA covered entity as being considered PHR identifiable health information, thus subject to the FTC rule if breached,” AMIA writes.
AMIA also urges the FTC to “expand on the concept of ‘unauthorized access’ under the definition of ‘breach of security,’ to be presumed when a PHR or PHR-related entity fails to adequately disclose to individuals how user data is accessed, processed, used, reused and disclosed.”
Mobile App Gaps
Meanwhile, the American Health Information Management Association, which represents medical records managers and others who work with health data, says the FTC needs to provide guidance on how its breach notification rule applies to mobile apps.
“To improve understanding by stakeholders as to whether the … rule applies to mobile apps, we recommend the guidance be updated and clarified to account for these technologies and related standards,” AHIMA writes.
The American Medical Association also calls for the FTC to clarify how the rule pertains to mobile health app and similar vendors. “For many patients, the mobile nature and ease of use of third-party apps make them more attractive than traditional PHRs as a way to manage their health records,” the AMA writes.
“The AMA expects patients will continue to shift from PHRs to mobile health apps or PHR-health app hybrids going forward. Absent clear guardrails around how entities like app developers use data, public trust will crumble in the face of repeated scandals and undermine the potential for digital health to facilitate an era of more accessible, coordinated and personalized care.”
AHIMA as well as some other groups – including the American Dental Association – warned the FTC against expanding the scope of its breach notification rule to include HIPAA-covered entities and their business associates. Doing that “would be duplicative and unduly burdensome given that the HIPAA Breach Notification Rule already imposes similar breach notification provisions to such entities,” AHIMA writes.
To help prevent unnecessary confusion over notification requirements under HIPAA and the FTC rule, the ADA recommends that the FTC and HHS work closely together to assess the extent to which vendors of PHRs, PHR-related entities and third-party service providers may themselves be HIPAA-covered entities or business associates.
“Coordination between the FTC and HHS to come up with the requirements is essential in order to avoid circumstances in which consumers may receive multiple, duplicative breach notices over the same incident,” the ADA writes.
“Overly burdensome, costly requirements may act as a disincentive for widespread PHR and electronic health records adoption and use.”
The ADA also urged the FTC to consider the impact of state laws and regulations that may overlap with the agency’s requirements. “Overlapping and conflicting laws and regulations risk leading to confusion on the part of dentists as well as their patients,” the ADA writes.
The AMA writes that the FTC needs to take into consideration patients’ concerns about the privacy of their health data, including regulatory gaps around the use of consumer-facing technologies.
“Recent events have highlighted not only how critical it is to have clear rules of the road with respect to data use, but also the lost opportunities for progress absent such rules,” the AMA writes.
“For example, we are currently experiencing unprecedented reliance on remote care technologies like telehealth to help people avoid leaving their homes during the COVID-19 pandemic. But both patients and clinicians are justified in questioning how platforms will secure and protect the information exchanged during the virtual visits.”