Federal Register: August 25, 2009 (Volume 74, Number 163)
DOCID: fr25au09-12 FR Doc E9-20142
FEDERAL TRADE COMMISSION
CFR Citation: 16 CFR Part 318
RIN ID: [RIN 3084-AB17]
NOTICE: Part II
DOCUMENT ACTION: Final Rule.
SUBJECT CATEGORY:
Health Breach Notification Rule
DATES: This rule is effective September 24, 2009. Full compliance is required by February 22, 2010.
DOCUMENT SUMMARY:
The Federal Trade Commission (``FTC'' or ``Commission'') is issuing this final rule, as required by the American Recovery and Reinvestment Act of 2009 (the ``Recovery Act'' or ``the Act''). The rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.
SUPPLEMENTAL INFORMATION
Table of Contents
I. Background
II. Overview of the Recovery Act, Proposed Rule, and Comments Received
III. Section-by-Section Analysis of the Rule
IV. Paperwork Reduction Act
V. Regulatory Flexibility Act
VI. Final Rule
I. Background
On February 17, 2009, President Obama signed the American Recovery
and Reinvestment Act of 2009 (the ``Recovery Act'' or ``the Act'') into
law.\1\ The Act includes provisions to advance the use of health
information technology and, at the same time, strengthen privacy and security protections for health information.
\1\ American Recovery & Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115 (2009).
Among other things, the Recovery Act recognizes that there are new
types of web-based entities that collect consumers' health information.
These entities include vendors of personal health records and online
applications that interact with such personal health records
(``PHRs'').\2\ Some of these entities are not subject to the existing
privacy and security requirements of the Health Insurance Portability
and Accountability Act (``HIPAA'').\3\ For such entities, the Recovery
Act requires the Department of Health and Human Services (``HHS'') to
study, in consultation with the FTC, potential privacy, security, and
breach notification requirements and to submit a report to Congress
containing recommendations within one year of enactment of the Recovery
Act (the ``HHS report''). Until Congress enacts new legislation
implementing such recommendations, the Recovery Act contains temporary
requirements, to be enforced by the FTC, that such entities notify
individuals in the event of a security breach. The final rule implements these requirements.
\2\ In general, personal health records are online repositories
of health information that individuals can create to track their
medical visits, prescription information, etc. The terms ``vendor of
personal health records'' and ``personal health records'' are
defined terms in the FTC's rule; thus, in some instances, the term ``personal health record'' is not abbreviated.
\3\ Health Insurance Portability & Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
The Recovery Act also directs HHS to promulgate a rule requiring
(1) HIPAA-covered entities, such as hospitals, doctors' offices, and
health insurance plans, to notify individuals in the event of a
security breach and (2) business associates of HIPAA-covered entities
to notify such HIPAA-covered entities in the event of a security
breach.\4\ HIPAA-covered entities and entities that engage in
activities as business associates of HIPAA-covered entities will be
subject only to HHS' rule and not the FTC's rule, as explained further below.
\4\ The Recovery Act requires HHS to issue its rule within 180 days of enactment of the Recovery Act. Sec. 13402(j).
II. Overview of the Recovery Act, Proposed Rule, and Comments Received
The Recovery Act requires ``vendors of personal health records'' and ``PHR related entities,'' as defined below, to notify their customers of any breach of unsecured, individually identifiable health information. Further, a third party service provider of such vendors or entities that experiences a breach must notify such vendors or entities of the breach, so that they can in turn notify their customers. The Act contains specific requirements governing the timing, method, and contents of the breach notice to consumers. For example, it requires entities to provide breach notices ``without unreasonable delay,'' and in no case later than 60 calendar days after discovering a breach; it requires notice to consumers by first-class mail or, if specified as a preference by the individual, by email; and it requires substitute notice, through the media or a web posting, if there is insufficient contact information for ten or more individuals. In addition, the Act requires the FTC to adopt a rule implementing the breach notification requirements applicable to vendors of personal health records, PHR related entities, and third party service providers within 180 days of enactment of the Act. It also authorizes the FTC to seek civil penalties for violations.
The Recovery Act contains a similar scheme for HIPAA-covered entities, to be enforced by HHS. HIPAA-covered entities must notify individuals whose ``unsecured protected health information'' is breached. If a business associate of a HIPAA-covered entity experiences a security breach, it must notify the HIPAA-covered entity, which must in turn notify individuals.
To fulfill the Recovery Act requirements, on April 20, 2009, the
Commission issued a Notice of Proposed Rulemaking (``NPRM''). The
proposed rule contained in the NPRM adhered closely to the requirements
of the Recovery Act.\5\ The Commission received approximately 130
comments.\6\ Some general comments are summarized below, and an
analysis of comments addressing particular sections of the proposed rule follows.
\5\ 74 FR 17,914.
\6\ Comments are available at (http://www.ftc.gov/os/comments/healthinfobreach/index.shtm).
The Commission also reviewed the comments HHS received in response to
its Request for Information on its forthcoming breach notification
rule. 74 FR 19,006. However, the specific comments addressed in this
Notice are those that were filed in response to the FTC's NPRM.
First, commenters that addressed the issue generally agreed that
FTC and HHS should work together to ensure that their respective breach
notification rules are harmonized and that stakeholders know which rule
applies to which entity.\7\ Some of these commenters recognized that
some entities that operate in different roles may be subject to both rules, and that
it is therefore important for the rules to be similar.\8\ The
Commission agrees and has consulted with HHS to harmonize the two
rules, within the constraints of the statutory language. Further, as
explained below, for some entities subject to both the HHS and FTC
rules, compliance with certain HHS rule requirements shall be deemed
compliance with the corresponding provisions of the FTC's rule.
\7\ See, e.g., American Council of Life Insurers (``ACLI'') at
1; American Benefits Council (``ABC'') at 2; American Insurance
Association (``AIA'') at 1; Center for Democracy & Technology,
Markle Foundation, Childbirth Connection, Health Care for All,
National Partnership for Women & Families, SEIU (hereinafter ``CDT/
Markle'') at 4-5; Dossia at 5; HealthITNow.org at 1-2; National
Association of Chain Drug Stores (``NACDS'') at 4; WebMD at 3.
\8\ See, e.g., HealthITNow.org at 2; WebMD at 3.
A second and related point that many commenters raised was that, to
the extent possible, consumers should receive a single notice for a
single breach.\9\ These commenters pointed out that receiving multiple
notices for the same breach would confuse consumers and convey an
exaggerated sense of risk.\10\ Receiving a barrage of notices also
could cause consumers to become numb to such notices, so that they may
fail to spot or mitigate the risks being communicated to them.\11\ Some
commenters noted that consumers could receive multiple notices because
of inadvertently overlapping requirements between HHS and FTC
rules.\12\ As described below, the Commission has taken steps to ensure
that its rule does not overlap with HHS' and that consumers do not receive multiple notifications.
\9\ See, e.g., American Legislative Exchange Council (``ALEC'') at 6; HealthITNow.org at 2; Software Information Industry
Association (``SIIA'') at 3; Statewide Parent Advocacy Network, Inc. at 1; United Health Group (``UHG'') at 2.
\10\ See, e.g., ALEC at 7; HealthITNow.org at 2.
\11\ See, e.g., Blue Cross/Blue Shield at 4; SIIA at 6-7.
\12\ See, e.g., American Health Information Management
Association (``AHIMA'') at 2; American Medical Association (``AMA'') at 2.
Third, several commenters raised privacy and security concerns
about PHRs generally.\13\ For example, one commenter asked the FTC to
establish comprehensive privacy and security standards, and supported
the creation of a private right of action for a violation of these
standards.\14\ The Commission notes that, although general privacy and
security issues are beyond the scope of the current rulemaking, the
Commission will take these comments into account when it provides input on the HHS report described above.
\13\ See, e.g., Electronic Privacy Information Center (``EPIC'') at 11; Flagler, Hoerl, Hosler.
\14\ EPIC at 11.
Fourth, several individual commenters expressed concerns about
electronic health records in general.\15\ Some of these commenters
questioned the cost savings that would result;\16\ others strongly
supported patients' right to opt out of such records.\17\ In response,
the Commission notes that this rule addresses only breach notification
with respect to PHRs voluntarily created by individuals; it does not
address electronic health records more generally, such as those created for patients by hospitals or doctors' offices.\18\
\15\ See, e.g., Blair, Coon, Flagler.
\16\ See, e.g., Jones-Ford, Rogalski, Serich.
\17\ See, e.g., Amidei, Baxter, Blair, Coon.
\18\ Section 13400(5) of the Recovery Act defines ``electronic health record'' as an electronic record of health-related
information on an individual that is ``created, gathered, managed,
and consulted by authorized health care clinicians and staff.'' In
contrast, section 13400(11) defines ``personal health record'' as an
electronic record ``on an individual that can be drawn from multiple
sources and that is managed, shared, and controlled by or primarily for the individual.''
Finally, many commenters expressed concerns about particular
statutory requirements governing breach notification. For example, some
commenters stated that entities should be required to provide breach
notification for paper, as well as electronic, information;\19\ others
expressed concerns about requiring media notice.\20\ Because these
requirements come directly from the language of the Recovery Act, the
Commission cannot change its final rule in response to these comments.
Nevertheless, the Commission will take these comments into account when it provides input on the HHS report.
\19\ See, e.g., IDExperts at 1-2; National Association for
Information Destruction (``NAID'') at 3-4; Ohio State University
Medical Center at 1; Statewide Parent Advocacy Network, Inc. at 2.
\20\ See, e.g., IDExperts at 2-3; Identity Theft 911 at 3.
III. Section-by-Section Analysis
Section 318.1: Purpose and Scope
Proposed section 318.1 set forth the relevant statutory authority
for the proposed rule; stated that the proposed rule would apply to
vendors of personal health records, PHR related entities, and third
party service providers; and clarified that the proposed rule would not
apply to HIPAAcovered entities or to an entity's activities as a
business associate of a HIPAAcovered entity. The Commission received several comments on this section as follows.
A. Application of Rule to Non-Profits and Other Entities Beyond the FTC's Traditional Jurisdiction
In its NPRM, the Commission noted that the proposed rule applied to entities beyond the FTC's traditional jurisdiction under section 5 of the FTC Act, such as nonprofits (e.g., educational institutions, charities, and 501(c)(3) organizations), because the Recovery Act does not limit the FTC's enforcement authority to its enforcement jurisdiction under section 5. Indeed, section 13407 of the Recovery Act expressly applies to ``vendors of personal health records and other non-HIPAA covered entities,'' without regard to whether such entities fall within the FTC's jurisdiction under section 5.
The Commission received several comments in support of this
requirement. One commenter stated that it was reasonable for the FTC's
rule to apply to nonprofits.\21\ Another commenter suggested applying
the rule to as broad a range of entities as possible.\22\ Yet another
commenter stated that the rule should apply to all entities that handle
PHRs.\23\ Thus, the Commission retains its interpretation and modifies
the proposed rule to clarify that it applies to vendors of personal
health records and PHR related entities, ``irrespective of any
jurisdictional tests in the Federal Trade Commission Act.''\24\
\21\ CDT/Markle at 14-15.
\22\ IDExperts at 1.
\23\ See, e.g., EPIC at 3.
\24\ The rule will not apply to federal agencies. The Commission
notes that federal agencies already follow breach reporting
requirements established by the Office of Management and Budget
(``OMB''). See OMB Memorandum for the Heads of Executive Departments
and Agencies re Safeguarding Against and Responding to the Breach of
Personally Identifiable Information, May 22, 2007, available at
(http://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf).
B. Application of the FTC's Rule to HIPAA-Covered Entities and Business Associates of HIPAA-Covered Entities
As noted above, the Commission received many comments about the
need to harmonize the HHS and FTC rules to simplify compliance burdens
and create a level playing field for HIPAA and non-HIPAA covered
entities.\25\ Several commenters agreed with the statements in the
FTC's NPRM that (1) HIPAA-covered entities should be subject to HHS'
breach notification rule and not the FTC's rule; and (2) business
associates of HIPAA-covered entities should be subject to HHS' breach
notification rule, but only to the extent they are acting as business
associates.\26\ Accordingly, the FTC adopts as final the provision that
the rule ``does not apply to HIPAA-covered entities, or to any other
entity to the extent that it engages in activities as a business
associate of a HIPAA-covered entity,'' but provides further guidance in response to specific comments received on the issue.
\25\ See supra note 7.
\26\ See, e.g., Dossia at 5; UHG at 2; WebMD at 2.
1. Application of the FTC's Rule to HIPAA-Covered Entities
Although the FTC's proposed rule made clear that it did not apply
to HIPAA-covered entities, one medical association urged the Commission
to exclude doctors explicitly from the FTC rule, even if they are
involved with PHRs.\27\ The Commission agrees that, because health care
providers such as doctors are generally HIPAA-covered entities, the
FTC's rule does not apply to them in such capacity. Thus, if a doctor's
medical practice offers PHRs to its patients, neither the doctor nor
the medical practice is subject to the FTC's rule.\28\ However, if the
doctor creates a PHR in a personal capacity, there may be circumstances
under which the FTC's rule would apply. For example, a non-practicing
doctor may create and offer PHRs to the public as part of a startup
business venture. In this circumstance, the doctor is not acting in his
or her capacity as a HIPAA-covered entity, and thus, the FTC's rule would regulate the PHRs.
\27\ American Medical Association at 1-2.
\28\ Some doctors or other health care providers, however, may
not be HIPAA-covered entities because they do not participate in
``covered transactions'' under HIPAA regulations, such as submitting
health care claims to a health plan. See 45 CFR 160.103. In such
cases, these doctors or health care providers are subject to the
FTC's rule if they offer PHRs or related services. Similarly, some
commenters asked whether the FTC's rule applies to education records covered by the Family Educational Rights and Privacy Act
(``FERPA''), 20 U.S.C. 1232g (i.e., records of educational
institutions such as public schools and universities). See Ohio
State University Medical Center at 1; Statewide Parent Advocacy
Network at 3-4. If school nurses or physicians' offices within these
institutions are not HIPAA-covered entities, they are subject to the FTC's rule if they offer PHRs or related services.
In addition, one commenter asked whether the FTC's rule would cover
PHRs that a HIPAA-covered entity offers to its employees.\29\ Because
the FTC's rule does not apply to HIPAA-covered entities, it does not
apply to PHRs that such entities offer their employees. However, if a
HIPAA-covered health care provider or group health plan offers PHRs to
employees because they also are patients of such health care provider
or enrollees of such group health plan, then HHS' rule would apply to the PHRs.
\29\ Ohio State University Medical Center at 1.
2. Application of the FTC's Rule to Business Associates of HIPAA-Covered Entities
In its NPRM, the Commission recognized that, in many cases, business associates of HIPAA-covered entities that also offer PHRs to the public could be subject to both the HHS and FTC breach notification rules. If they experience a breach, they could be required to provide direct breach notification to their individual customers under the FTC's rule. At the same time, under HHS' rule, they could be required to notify HIPAA-covered entities to whom they provide services, so that the HIPAA-covered entities could in turn notify individuals. In some cases, as discussed further below, this potential overlap could lead to consumers' receiving multiple notices for the same breach.
The Commission asked for examples of vendors of personal health
records that may have a dual role as a business associate of a HIPAA
covered entity and as a direct provider of PHRs to the public, and how
the rule should address such a dual role. Commenters provided several
useful examples,\30\ all of which the Commission believes can be
addressed within the framework provided in the rule. Most commenters
that addressed the issue stated, and the Commission agrees, that
regardless of the circumstances, consumers should receive a single
breach notice for a single breach.\31\ In addition, the Commission
agrees with the commenters that stated that the breach notice should come from the entity with whom the consumer has a direct
relationship.\32\ Indeed, the Commission believes that consumers are
more likely to pay attention to a notice provided by an entity known to
the consumer, and that consumers may ignore or discard notices provided by unknown entities.\33\
\30\ See, e.g., Dossia at 2-3; UHG at 3; WebMD at 3.
\31\ See supra note 9.
\32\ See, e.g., CDT/Markle at 1-2; Dossia at 5.
\33\ See, e.g., Statement of Basis and Purpose, Affiliate
Marketing Rule, 72 FR 62910 (Nov. 7, 2007) (requiring that opt-out
notices come from entity with whom the consumer has a relationship).
For these reasons, it may be desirable in some circumstances for a
vendor of personal health records to provide notice directly to
consumers even when the vendor is serving as a business associate of a
HIPAA-covered entity. For example, a consumer that obtained a PHR
through a HIPAA-covered entity may nevertheless deal directly with the
PHR vendor in managing his or her PHR account, and would expect any
breach notice to come from the PHR vendor. Similarly, where a vendor of
personal health records has direct customers and thus is subject to the
FTC's rule, and also provides PHRs to customers of a HIPAA-covered
entity through a business associate arrangement, it may be appropriate
for the vendor to provide the same notice to all such customers. In the
latter situation, the Commission believes that the vendor of personal
health records should be able to comply with one set of rule
requirements (those promulgated by HHS) governing the timing, method,
and content of notice to consumers. Thus, in those limited
circumstances where a vendor of personal health records (1) provides
notice to individuals on behalf of a HIPAA-covered entity, (2) has
dealt directly with these individuals in managing the PHR account, and
(3) provides such notice at the same time that it provides an FTC
mandated notice to its direct customers for the same breach, the FTC
will deem compliance with HHS requirements governing the timing,
method, and content of notice to be compliance with the corresponding FTC rule provisions.\34\
\34\ For direct customers, the vendor of personal health records
still must comply with all other FTC rule requirements, including
the requirement to notify the FTC within ten business days after
discovering the breach. The Commission notes also that the above
analysis would apply equally to a PHR related entity, as defined
below, that deals directly with the public and acts as a business associate in providing services.
Based on the comments received, the Commission has developed the
following examples to illustrate situations of dual or overlapping coverage under the FTC and HHS rules.
a. Example 1: Vendor with a Dual Role as Business Associate and Provider of PHRs to the Public
PHR Vendor provides PHRs to the public through its own Web site. PHR Vendor also signs a business associate agreement with ABC Insurance (a HIPAA-covered entity) to offer PHRs to customers of ABC Insurance. ABC Insurance sends a message to its customers offering free PHRs through PHR Vendor and provides a link to PHR Vendor's Web site. Several patients of ABC Insurance choose to create PHRs through PHR Vendor. A hacker remotely copies the PHRs of all of PHR Vendor's users.
Under the FTC's rule, PHR Vendor is a vendor of personal health records that must provide breach notice to members of the public to whom it offers PHRs directly. It is not acting as a business associate to anyone in providing these PHRs. However, because it is acting as a business associate to ABC Insurance by providing PHRs for ABC Insurance's patients, it is not required to provide direct notice to ABC Insurance's customers under the FTC's rule. Rather, under the Recovery Act, in its capacity as a business associate, it must notify ABC Insurance so that ABC Insurance can in turn notify its customers.
PHR Vendor therefore must maintain a list of its own customers and a
separate list of ABC Insurance's customers so that it can fulfill its
obligations under the Recovery Act to provide notice to its own
customers, as well as a separate notice to ABC Insurance. If PHR Vendor
has similar business associate agreements with other entities, it must maintain separate customer lists for each such entity.
In this example, however, because PHR Vendor has a direct
relationship with all of the individuals affected by the breach
(including the patients of ABC Insurance), PHR Vendor may contract with
ABC Insurance to notify individuals on ABC Insurance's behalf.\35\ The
Commission encourages such contractual arrangements because they would
(1) satisfy both PHR Vendor's and ABC Insurance's obligation to notify
individuals; (2) ensure that consumers receive a single notice from an
entity with whom they have a direct relationship; and (3) simplify the
notification process so that PHR Vendor can provide direct notice to those affected at the same time.\36\
\35\ PHR Vendor still must comply with the Recovery Act requirement to notify ABC Insurance of the breach.
\36\ As explained above, if PHR Vendor were to send individual
notices on behalf of ABC Insurance, it could send all of its breach
notices, including notices to its direct customers, in accordance
with HHS rules requirements governing the timing, method, and content of notice.
b. Example 2: Addressing Portable PHRs
As in Example 1, PHR Vendor offers PHRs directly to the public. It also offers PHRs to enrollees of various health insurance companies, including ABC Insurance and XYZ Insurance, through business associate agreements with those companies. Sally is a patient of ABC Insurance. ABC Insurance offers Sally the use of PHR Vendor's product, and Sally creates her PHR. Years later, Sally moves, changes jobs, switches to XYZ Insurance, and keeps her PHR with PHR Vendor. If PHR Vendor's records are breached at this point, under HHS' rule, PHR Vendor, as a business associate of XYZ Insurance, must notify XYZ Insurance that Sally's record has been breached, and XYZ Insurance must provide Sally with a breach notice. Alternatively, if Sally had moved to an insurance company with whom PHR Vendor did not have a business associate agreement, PHR Vendor would not be subject to HHS' rule with respect to Sally; it must treat her as its own customer and provide Sally with breach notice directly.
In this scenario, PHR Vendor has an additional obligation to
address the potential portability of PHRs. To fulfill such obligation,
PHR Vendor must maintain lists tracking which customers belong to which
HIPAA-covered entity, and must update such information regularly.
Without such an updating system, PHR Vendor might keep Sally on its
list of ABC Insurance's customers, but when Sally leaves ABC Insurance,
that company may no longer have an obligation to notify her of a
breach, and she may never receive a notice.\37\ Alternatively, if PHR
Vendor does not properly update its customer lists, Sally potentially
could receive up to three notices: one from PHR Vendor, one from ABC Insurance, and one from XYZ Insurance.
\37\ PHR Vendor's failure to send Sally a notice in this situation would constitute a violation of the FTC's rule.
As in Example 1, the Commission encourages vendors like PHR Vendor to include provisions in their business associate agreements stating that they will send breach notices on behalf of the entities to whom they are providing business associate services. In Example 2, such a contractual provision would simplify the notification process; it also may help avoid a situation in which consumers like Sally, who may move around frequently, receive multiple notices, or even worse, no notice.
c. Example 3: PHRs Offered to Families
Sally is employed by ABC Widgets, which has a HIPAA-covered group
health plan. ABC Widgets' group health plan offers PHRs to employees
and employees' spouses through PHR Vending, a business associate of ABC
Widgets' group health plan. Sally gets a PHR; her husband John is
separately insured, but he decides to get a PHR through PHR Vending as
well. If PHR Vending experiences a breach, Sally may get a notice from
ABC Widgets' group health plan under HHS' rule, and John must get a
notice from PHR Vending under the FTC's rule. Alternatively, ABC
Widgets and PHR Vending may, through their business associate
agreement, choose to have PHR Vending send breach notices to all customers, as explained above.
C. Application of the FTC's Rule to Entities Outside the United States
One commenter suggested that the Commission clarify whether its rule applies to foreign businesses that have U.S. customers.\38\ The Commission agrees and has determined that foreign entities with U.S. customers must provide breach notification under U.S. laws. Accordingly, it adds language to the final rule stating that it ``applies to foreign and domestic vendors of personal health records, PHR related entities, and third party service providers . . . that maintain information of U.S. citizens or residents.''
\38\ World Privacy Forum at 1-2.
The Recovery Act supports this interpretation. Section 13407(e) of
the Act states that a violation of the FTC's breach notification
provisions ``shall be treated as an unfair and deceptive act or
practice in violation of a regulation under section 18(a)(1)(B) of the
Federal Trade Commission Act. . .'' Section 18(a)(1)(B) allows the
Commission to issue regulations that define ``with specificity acts or
practices which are unfair or deceptive acts or practices'' under the
FTC Act.\39\ The term ``unfair or deceptive acts or practices'' is in
turn defined to include those acts or practices ``in foreign commerce''
that ``cause or are likely to cause reasonably foreseeable injury
within the United States'' or ``involve material conduct occurring
within the United States.''\40\ Thus, the Recovery Act's references to
the ``unfair or deceptive acts or practices'' section of the FTC Act,
which has extraterritorial reach, supports the interpretation that the
FTC's rule applies to foreign vendors of personal health records,
related entities, as well as third party service providers, to the extent that they deal with U.S. consumers.
\39\ 15 U.S.C. 57a.
\40\ 15 U.S.C. 45.
D. Preemption of State Law
Several commenters discussed state breach notification requirements that could potentially conflict with the FTC's rule requirements.\41\ Several of these commenters raised concerns that such conflicting requirements could increase compliance burdens on businesses.\42\ Some also raised concerns that entities would be required to send consumers multiple notices to comply with both state laws and the FTC's rule.\43\
\41\ See, e.g., America's Health Insurance Plans (``AHIP'') at 7; AIA at 1; Dossia at 10-11; Molina Healthcare at 5-6; NACDS at 3-4; National Association of Mutual Insurance Companies (``NAMIC'') at 7-8; SIIA at 2-3; Sonnenschein at 1-2; UHG at 9-12; WebMD at 5-7.
\42\ See, e.g., AIA at 1; Dossia at 10; Molina Healthcare at 5-6.
\43\ See, e.g., AHIP at 8; AIA at 2.
The Commission notes that, under section 13421 of the Recovery Act,
the preemption standard set forth in section 1178 of the Social
Security Act, 42 U.S.C. 1320d-7, applies also to the FTC's rule. That
section, which contains the preemption standard for HIPAA and its
implementing regulations, states that federal requirements supersede any
contrary provision of State law.\44\ To clarify that the same standard
applies here, the Commission has added language to the final rule
stating that, ``[t]his Part preempts state law as set forth in section
13421 of the American Recovery and Reinvestment Act of 2009.''
\44\ Section 1178 also sets forth some exceptions to this
standard, none of which applies here. Of most relevance, one
exception states that federal requirements will not necessarily
preempt contrary state laws that, ``subject to section 264(c)(2)''
of HIPAA, relate to the ``privacy of individually identifiable
health information.'' Although the FTC's rule relates to ``privacy
of individually identifiable health information,'' HHS interprets
this exception as applying only to the HIPAA Privacy Rule, because
it is the sole regulation promulgated under section 264(c)(2) of HIPAA.
The Commission notes that the final rule preempts only contrary
state laws. Under HHS regulations implementing the preemption standard
of section 1178 of the Social Security Act, a state law is contrary to
federal requirements (1) if it would be impossible to comply with both
state and federal requirements or (2) if state law ``stands as an
obstacle to the accomplishment and execution of the full purposes and
objectives'' of the federal requirements.\45\ Under this standard, the
Commission's rule does not preempt state laws imposing additional, as
opposed to contradictory, breach notification requirements. For
example, some State laws require breach notices to include advice on
monitoring credit reports; others require contact information for
consumer reporting agencies; yet others require the notice to include
advice on reporting incidents to law enforcement agencies. Even though
these content requirements are different from those contained in the
FTC's rule, entities may comply with both state laws and the FTC rule
by setting forth all of the information required in a single breach
notice.\46\ In these circumstances, because it is possible to comply
with both laws, and the state laws do not thwart the objectives of the
federal law,\47\ there is no conflict between state and federal law.
\45\ See 45 CFR 160.202.
\46\ The rule does not require entities to send multiple notices to comply with state and federal law.
\47\ For a discussion of the issue of federal preemption when
state laws frustrate federal objectives, see Wyeth v. Levine, 129 S. Ct. 1187 (2009).
Section 318.2: Definitions
(a) Breach of security
The proposed rule defined ``breach of security'' as the acquisition
of unsecured PHR identifiable health information\48\ of an individual
in a personal health record without the authorization of the
individual.\49\ The Commission adopts this portion of the definition of
breach of security without modification. Examples of unauthorized
acquisition include the theft of a laptop containing unsecured PHRs;
the unauthorized downloading or transfer of such records by an
employee; and the electronic break-in and remote copying of such records by a hacker.
\48\ The phrase ``PHR identifiable health information'' is defined below.
\49\ Several of the rule provisions refer to information ``in a
personal health record.'' Because a personal health record often
includes information in transit, as well as stored information, the
Commission interprets the phrase ``in a personal health record'' to include data in motion and data at rest.
The proposed rule also contained a rebuttable presumption for unauthorized access to an individual's data: It stated that, when there is unauthorized access to data, unauthorized acquisition will be presumed unless the entity that experienced the breach ``has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.'' The presumption was intended to address the difficulty of determining whether access to data (i.e., the opportunity to view the data) did or did not lead to acquisition (i.e., the actual viewing or reading of the data). In these situations, the Commission stated that the entity that experienced the breach is in the best position to determine whether unauthorized acquisition has taken place.
In describing the rebuttable presumption, the Commission provided several examples. It noted that no breach of security has occurred if an unauthorized employee inadvertently accesses an individual's PHR and logs off without reading, using, or disclosing anything. If the unauthorized employee read the data and/or shared it, however, he or she ``acquired'' the information, thus triggering the notification obligation in the rule.
Similarly, the Commission provided an example of a lost laptop: If an entity's employee loses a laptop in a public place, the information would be accessible to unauthorized persons, giving rise to a presumption that unauthorized acquisition has occurred. The entity can rebut this presumption by showing, for example, that the laptop was recovered, and that forensic analysis revealed that files were never opened, altered, transferred, or otherwise compromised.
The Commission received numerous comments on the rebuttable
presumption. Several commenters supported it.\50\ Others stated that
the standard articulated by the Commission is too broad and instead
should require breach notification only when there is a risk of
harm.\51\ Several of these commenters stated that the Commission's
proposed standard would result in consumers' being inundated with
breach notices.\52\ In contrast, consumer groups expressed concern that
the Commission was giving too much discretion to companies, which could
easily claim that unauthorized access did not give rise to unauthorized
acquisition.\53\ Several commenters also requested further guidance on
how the rebuttable presumption would work in specific instances.\54\
\50\ See, e.g., AHIMA at 3; IDExperts at 1; NAID at 2; NAMIC at
3; Statewide Parent Advocacy Network, Inc., at 2; World Privacy Forum at 6-7.
\51\ See, e.g., AIA at 2; Blue Cross/Blue Shield at 3; National
Community Pharmacists Association at 2; SIIA at 4-7; UHG at 3-5; WebMD at 4.
\52\ See, e.g., Blue Cross/Blue Shield at 4; SIIA at 6-7.
\53\ See, e.g., CDT/Markle at 8-9; EPIC at 5.
\54\ See, e.g., AHIP at 2; IDExperts at 1; Intuit at 2; Molina Healthcare at 2.
After considering the comments received, the Commission has decided to adopt the rebuttable presumption as part of the definition of breach of security, without modification. In response to the comments suggesting that the Commission require notification only if there is a risk of harm, the Commission notes that its standard does take harm into account. Indeed, notification would not be required in a case where an entity can show that although an unauthorized employee accidentally opened a file, it was not viewed, and therefore there has been no harm to the consumer.
The Commission notes that harm in the context of health information may be different from harm in the context of financial information. As one commenter stated, ``[w]ith a breach of financial records, a consumer faces a significant headache, but ultimately can have their credit and funds restored; this is not the case with health records. A stigmatizing diagnosis, condition or prescription in the wrong hands can cause irreversible damage and discrimination.''\55\ Because health information is so sensitive, the Commission believes the standard for notification must give companies the appropriate incentive to implement policies to safeguard such highly sensitive information.
\55\ See Patient Privacy Rights at 6.
With respect to commenters' concerns about the possibility of
consumers' being inundated with breach notifications, the Commission believes
that its standard strikes the right balance. Given the highly personal
nature of health information, the Commission believes that consumers
would want to know if such information was read or shared without
authorization. In addition, the danger of overnotification may be
overstated. For example, where there has been unauthorized access to a
database leading to the acquisition of specific consumers' data, a
vendor or entity need not notify all consumers whose information
appears in that database; it only needs to notify those specific consumers whose data was acquired.
Nevertheless, the Commission agrees that further guidance would be useful to entities in assessing whether unauthorized acquisition has taken place as a result of unauthorized access. This further guidance should also allay consumer groups' concerns that businesses have too much discretion in making this determination. Commenters posed several scenarios, which the Commission addresses here.
First, one commenter noted that companies should not have to delve into the state of mind of employees who accessed data to determine whether they viewed, read, memorized, or shared such data.\56\ The Commission agrees and notes that, in a case of inadvertent access by an employee, no breach notification is required if (1) the employee follows company policies by reporting such access to his or her supervisor and affirming that he or she did not read or share the data, and (2) the company conducts a reasonable investigation to corroborate the employee's version of events.
\56\ See, e.g., SIIA at 5.
Second, some commenters asked if unauthorized acquisition has taken place when a PHR is accessible on the Internet through an obscure Web site.\57\ The Commission believes that it would be very difficult to overcome the presumption that unauthorized acquisition has taken place in this scenario. In fact, because the Internet is accessible to hundreds of millions of people around the world, it is not generally reasonable to assume that the information available on the Internet was not acquired. The presumption of unauthorized acquisition could likely only be overcome if there was forensic evidence showing that the page was not viewed.
\57\ See NAID at 2; Patient Privacy Rights at 4-5.
Third, and similar to the example above, if an employee sends a
mass email containing an individual's unsecured PHR identifiable health
information accidentally, and the employee immediately recalls the
message, the Commission believes that it is highly unlikely that the
presumption can be overcome. In contrast to a situation in which an
employee sends a single email and immediately asks the recipient to
delete it, once hundreds of people have received an email, the
Commission does not believe that there can be a reasonable expectation that no one ``acquired'' the information.\58\
\58\ See In the Matter of Eli Lilly & Co., Docket No. C-4047
(May 8, 2002) (settlement of action in which FTC alleged that company
failed to maintain reasonable security; employee inadvertently had sent
mass email revealing customers' sensitive health information).
On a related issue, the final rule provides that a breach of
security means acquisition of information without the authorization
``of the individual.'' Some commenters raised questions about how the
extent of individual authorization should be determined.\59\ For
example, if a privacy policy contains buried disclosures describing
extensive dissemination of consumers' data, could consumers be said to have authorized such dissemination?
\59\ See, e.g., CDT/Markle at 10; International Pharmaceutical Privacy Consortium at 2; SIIA at 6.
The Commission believes that an entity's use of information to
enhance individuals' experience with their PHR would be within the
scope of the individuals' authorization, as long as such use is
consistent with the entity's disclosures and individuals' reasonable
expectations. Such authorized uses could include communication of
information to the consumer, data processing, or Web design, either in
house or through the use of service providers. Beyond such uses, the
Commission expects that vendors of personal health records and PHR
related entities would limit the sharing of consumers' information,
unless the consumers exercise meaningful choice in consenting to such
sharing. Buried disclosures in lengthy privacy policies do not satisfy
the standard of ``meaningful choice.''\60\ The Commission will examine this issue further when providing input on the HHS report.
\60\ See, e.g., In the Matter of Sears Management Holding Co.,
File No. 082 3099 (June 4, 2009) (accepted for public comment)
(alleging that Sears' failure to adequately disclose its tracking
activities violated the FTC Act, given that Sears only disclosed
such tracking in a lengthy user license agreement, available to
consumers at the end of a multi-step registration process); FTC
Staff Report, ``Self-Regulatory Principles for Online Behavioral
Advertising,'' Feb. 2009, (http://www2.ftc.gov/os/2009/02/P085400behavadreport.pdf);
FTC Publication, Dot Com Disclosures: Information About Online
Advertising at 5 (May 2000), available at
(http://www.ftc.gov/bcp/edu/pubs/business/ecommerce/bus41.pdf)
(``Making [a] disclosure available. . . so that consumers who are
looking for the information might find it doesn't meet the clear and
conspicuous standard. . . [D]isclosures must be communicated
effectively so that consumers are likely to notice and understand
them.'') (emphasis in original); see also FTC Policy Statement on
Deception, appended to In the Matter of Cliffdale Assocs., Inc., 103
F.T.C. 110, 174 (1984), available at
(http://www.ftc.gov/bcp/policystmt/addecept.htm) (fine print
disclosures not adequate to cure deception).
(b) Business associates and (c) HIPAA-covered entities
Proposed paragraph (b) defined ``business associate'' to mean a
business associate under HIPAA, as defined in 45 CFR 160.103. That
regulation, in relevant part, defines a business associate as an entity
that handles the protected health information of a HIPAA-covered entity
and (1) provides certain functions or activities on behalf of the
HIPAA-covered entity or (2) provides ``legal, actuarial, accounting,
consulting, data aggregation, management, administrative,
accreditation, or financial services to or for'' the HIPAA-covered
entity. Proposed paragraph (c) defined ``HIPAA-covered entity'' to mean
a covered entity under HIPAA, as defined in 45 CFR 160.103. That
regulation provides that a HIPAA-covered entity is a health care
provider that conducts certain transactions in electronic form, a
health care clearinghouse (which provides certain data processing
services for health information), or a health plan. The Commission
adopts these definitions without modification.
(d) Personal health record
Proposed paragraph (d) defined a ``personal health record'' as an
``electronic record of PHR identifiable health information on an
individual that can be drawn from multiple sources and that is managed,
shared, and controlled by or primarily for the individual.'' The FTC adopts this definition without modification.\61\
\61\ In response to comments received, the Commission emphasizes
that PHRs are managed, shared, and controlled ``by or primarily for
the individual.'' See, e.g., AIA at 2; ACLI; Molina Healthcare at
2-3; National Association of Mutual Insurance Companies (``NAMIC'') at
3-4. Thus, they do not include the kinds of records managed by or
primarily for commercial enterprises, such as life insurance
companies that maintain such records for their own business purposes.
Several commenters urged the FTC to cover paper records, as well as
electronic records.\62\ Although the Commission agrees that breaches of
data in paper form can be as harmful as breaches of such data in
electronic form, the plain language of the Recovery Act compels the
Commission to issue a rule covering only electronic data.\63\ The
Commission will examine this issue further when providing input on the
HHS report to Congress.
\62\ See supra note 19.
\63\ See Pinero v. Jackson Hewitt Tax Service, Inc., 594 F.
Supp. 2d 710, 716-17 (E.D. La. 2009) (dismissing plaintiff's claim
alleging breach of paper records under Louisiana data breach
notification law because that law covers only a breach of
``computerized'' data).
(e) PHR identifiable health information
Proposed paragraph (e) defined ``PHR identifiable health
information'' as ```individually identifiable health information,' as
defined in section 1171(6) of the Social Security Act (42 U.S.C.
1320d(6)),\64\ and with respect to an individual, information (1) that
is provided by or on behalf of the individual; and (2) that identifies
the individual or with respect to which there is a reasonable basis to
believe that the information can be used to identify the individual.'' The Commission adopts this definition without change.
\64\ This provision defines ``individually identifiable health
information'' as information that ``(1) is created or received by a
health care provider, health plan, employer, or health care
clearinghouse; and (2) relates to the past, present, or future
physical or mental health or condition of an individual, the
provision of health care to an individual, or the past, present, or
future payment for the provision of health care to an individual.''
In its NPRM, the Commission noted three points with respect to this
definition. First, it stated that the definition of ``PHR identifiable
health information'' includes the fact of having an account with a
vendor of personal health records or related entity, where the products
or services offered by such vendor or related entity relate to
particular health conditions.\65\ The Commission retains this interpretation.
\65\ For example, the theft of an unsecured customer list of a
vendor of personal health records or related entity directed to AIDS
patients or people with mental illness would require breach
notification, even if no specific health information is contained in that list.
Second, the Commission noted that the proposed rule would cover a
security breach of a database containing names and credit card
information, even if no other information was included. Several
commenters pointed out that this approach was not supported by the
statutory language of the Recovery Act, which defines ``PHR
identifiable health information'' to include information that relates
to payment only ``for the provision of health care to an individual.''
These commenters noted that providing PHRs to consumers does not
constitute the ``provision of health care to an individual.''\66\ The
Commission is persuaded that name and credit card information alone is
not PHR identifiable health information. However, as noted above, if
the disclosure of credit card information identifies an individual as a
customer of a vendor of personal health records or related entity
associated with a particular health condition, that information would constitute ``PHR identifiable health information.''\67\
\66\ See, e.g., Intuit at 2; MasterCard at 1-3; SIIA at 10; Dossia at 6-7.
\67\ The Commission also notes that, depending on the
circumstances, the failure to secure name and credit card
information could constitute a violation of section 5 of the FTC
Act. See (http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html).
Third, the Commission stated that, if there is no reasonable basis
to believe that information can be used to identify an individual, the
information is not ``PHR identifiable health information,'' and breach
notification need not be provided. The Commission also stated that, if
a breach involves information that has been ``de-identified'' under 45
CFR 164.514(b),\68\ the Commission will deem that information to fall
outside the scope of ``PHR identifiable health information'' and
therefore not covered by the rule. 45 CFR 164.514(b) states that data
is ``de-identified'' (1) if there has been a formal, documented
analysis by a qualified statistician that the risk of re-identifying
the individual associated with such data is ``very small,'' or (2) if
specific identifiers about the individual, the individual's relatives,
household members, and employers (including names, contact information,
birth date, and zip code) are removed, and the covered entity has no
actual knowledge that the remaining data could be used to identify the
individual. The Commission also requested examples of other instances
where, even though the standard for de-identification under 45 CFR
164.514(b) is not met, there is no reasonable basis to believe that
information is individually identifiable.
\68\ This standard, which appears in the HIPAA Privacy Rule, creates an exemption to that Rule.
The Commission received numerous comments on this issue. Some
commenters supported the Commission's proposal that ``de-identified''
data not be deemed ``PHR identifiable health information.''\69\ Others
rejected this standard as not sufficiently protective of consumers
because, in some instances, even ``de-identified'' data can be tracked
back to an individual.\70\
\69\ See, e.g., Columbia University at 2; NACDS at 2.
\70\ CDT/Markle at 7-8; EPIC at 6-8; Patient Privacy Rights at 5-6.
One commenter requested that the FTC similarly state that ``limited
data sets'' under HIPAA are not ``PHR identifiable health
information.''\71\ Under HIPAA's Privacy Rule, HIPAA-covered entities
may use ``limited data sets'' for research, public health, or health
care operations without individual authorization, as long as contracts
govern the use of such data. ``Limited data sets'' do not include
names, addresses, or account numbers; they can, however, include an
individual's city, town, five-digit zip code, and date of birth.\72\
Another commenter urged the FTC to state that, if information has been
``redacted, truncated, obfuscated, or otherwise pseudonymized,'' there
is no reasonable basis to believe that the information can be used to
identify the individual.\73\ Indeed, several commenters noted that
mandating notification for breaches of data that does not include
individual identifiers would require re-identification of individuals
associated with such data, a process that would expose their
information to new security risks.\74\
\71\ Minnesota Department of Health at 3.
\72\ 45 CFR 164.514(e). De-identified data sets cannot contain
even this information, unless a qualified statistician determines
that such information, when combined with other data, would present a
``very small'' risk of re-identification.
\73\ SIIA at 9-10.
\74\ See, e.g., iGuard at 2; Quintiles at 2-3.
With respect to ``de-identified'' data and ``limited data sets,''
commenters provided empirical evidence on the likelihood that such data
could be combined with other data to identify individuals. For example,
several commenters cited the research of Dr. Latanya Sweeney of
Carnegie Mellon University, which showed that .04% of the population
could be re-identified by combining a ``de-identified'' data set with
other public data.\75\ In addition, Dr. Bradley Malin, Director of the
Health Information Privacy Laboratory of Vanderbilt University,
estimated that, using a ``limited data set,'' 68.4% of the population
was re-identifiable.\76\ Thus, it appears that the risk of
re-identification of a ``limited data set'' is exponentially greater
than the risk of re-identification of ``de-identified'' data.
\75\ CDT/Markle at 7; Columbia University at n. 6; World Privacy Forum at 8.
\76\ Health Information Privacy Laboratory at Vanderbilt University at 1.
Based on the comments received, the Commission affirms that
``de-identified'' data will not be deemed to be ``PHR identifiable
health information.'' Given the small risk that such data will be
re-identified by unauthorized third parties, the Commission believes
that the data would be more vulnerable if entities were required to
re-identify these consumers solely to provide breach notification.
Thus, de-identified data under HHS rules will not constitute ``PHR
identifiable health information,'' and therefore, if such data is
breached, no notification needs to be provided. On the other hand, the
Commission declines to adopt a blanket statement that ``limited data
sets'' are not ``PHR identifiable health information'' because the
risk of re-identification is too high. The Commission similarly
declines to state that ``redacted, truncated, obfuscated, or otherwise
pseudonymized data'' does not constitute ``PHR identifiable health
information'' because the risk of re-identification will depend on the
context.
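The two HHS standards discussed above differ in which quasi-identifiers survive release, and that is exactly what drives the re-identification figures the commenters cited. The following added example (it is not code from the FTC, HHS, or any commenter) makes the difference concrete: it applies a safe-harbor style release, a limited-data-set style release, and the city-only release from the preamble's medication-site scenario to a few constructed PHR records, then links each released row against a constructed public reference list to count how many people the row could describe. The field names, the shortened identifier lists, and all data values are assumptions for illustration; the regulation's real identifier lists are longer.

```python
"""Re-identification risk check for a released health data set.

This is an added example for this section, not FTC or HHS code. It models
the two release policies the preamble summarises from 45 CFR 164.514 (the
regulation's actual identifier lists are longer than the few field names
assumed here) and then links each released row against a constructed public
reference list to ask the question the rule turns on: is there a reasonable
basis to believe the row can be used to identify a particular person?
"""
from typing import Dict, Iterable, List, Set

Record = Dict[str, str]

# Fields the preamble says safe harbor strips: names, contact information,
# birth date and zip code. City is stripped too, because the preamble's
# medication-site example treats a revealed city as defeating "de-identified".
SAFE_HARBOR_REMOVE: Set[str] = {
    "name", "email", "phone", "street", "city", "zip", "birth_date", "account_no",
}

# Limited data set as summarised: no names, addresses or account numbers,
# but city, five-digit zip and date of birth may remain.
LIMITED_DATA_SET_REMOVE: Set[str] = {"name", "email", "phone", "street", "account_no"}

# The preamble's medication-site scenario: only city and medication leak.
CITY_ONLY_REMOVE: Set[str] = SAFE_HARBOR_REMOVE - {"city"}

# Quasi-identifiers: not direct identifiers, but also present in other
# public data, so a combination of them can single a person out.
QUASI_IDENTIFIERS = ("city", "zip", "birth_date")


def release(records: Iterable[Record], remove: Set[str]) -> List[Record]:
    """Return copies of the records with the named fields dropped."""
    return [{k: v for k, v in r.items() if k not in remove} for r in records]


def match_counts(released: Iterable[Record], reference: List[Record]) -> List[int]:
    """For each released row, count the reference people who agree with it on
    every quasi-identifier the row still carries. A row that carries none
    matches the entire reference list, i.e. it describes nobody in particular."""
    counts = []
    for row in released:
        keys = [q for q in QUASI_IDENTIFIERS if q in row]
        signature = tuple(row[q] for q in keys)
        counts.append(sum(1 for p in reference if tuple(p[q] for q in keys) == signature))
    return counts


def uniquely_identifiable_fraction(released: Iterable[Record], reference: List[Record]) -> float:
    """Share of released rows that match exactly one reference person."""
    counts = match_counts(list(released), reference)
    return sum(1 for c in counts if c == 1) / len(counts) if counts else 0.0


# Constructed public reference list (stand-in for a published directory);
# every value is invented.
REFERENCE: List[Record] = [
    {"name": "Person 1", "city": "Springfield", "zip": "62704", "birth_date": "1975-03-02"},
    {"name": "Person 2", "city": "Springfield", "zip": "62704", "birth_date": "1981-11-19"},
    {"name": "Person 3", "city": "Springfield", "zip": "62701", "birth_date": "1975-03-02"},
    {"name": "Person 4", "city": "Springfield", "zip": "62701", "birth_date": "1990-07-07"},
    {"name": "Person 5", "city": "Shelbyville", "zip": "62565", "birth_date": "1966-01-30"},
    {"name": "Person 6", "city": "Shelbyville", "zip": "62565", "birth_date": "1966-01-30"},
]

# Constructed PHR records held by a hypothetical medication-management site.
PHR_RECORDS: List[Record] = [
    {"name": "Person 1", "email": "p1@example.invalid", "phone": "555-0101",
     "street": "1 Main St", "account_no": "0001", "city": "Springfield",
     "zip": "62704", "birth_date": "1975-03-02", "medication": "med-A"},
    {"name": "Person 3", "email": "p3@example.invalid", "phone": "555-0103",
     "street": "3 Elm St", "account_no": "0003", "city": "Springfield",
     "zip": "62701", "birth_date": "1975-03-02", "medication": "med-B"},
    {"name": "Person 5", "email": "p5@example.invalid", "phone": "555-0105",
     "street": "5 Oak St", "account_no": "0005", "city": "Shelbyville",
     "zip": "62565", "birth_date": "1966-01-30", "medication": "med-C"},
]


if __name__ == "__main__":
    for label, remove in [("safe harbor", SAFE_HARBOR_REMOVE),
                          ("limited data set", LIMITED_DATA_SET_REMOVE),
                          ("city only", CITY_ONLY_REMOVE)]:
        rows = release(PHR_RECORDS, remove)
        print(f"{label:17s} matches per row: {match_counts(rows, REFERENCE)} "
              f"unique: {uniquely_identifiable_fraction(rows, REFERENCE):.2f}")
```

With the constructed data, the limited-data-set release links two of the three rows to a single reference person, the safe-harbor release links every row to the whole list, and the city-only release matches several people per row. That last result is the kind of showing the preamble's medication-site example contemplates: the data is not ``de-identified'' because a city is revealed, yet there is no reasonable basis to identify any individual. The check is only as good as the reference list it is run against, which is why the preamble says the risk for redacted or pseudonymized data depends on the context.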
Even if a particular data set is not ``de-identified,'' however, entities still may be able to show, in specific instances, that there is no reasonable basis to identify individuals whose data has been breached, and thus, no need to send breach notices. For example, consider a Web site that helps consumers manage their medications. The Web site collects only email addresses, city, and medication information from consumers, but it keeps email addresses secured in accordance with HHS standards\77\ and on a separate server. It experiences a breach of the server containing the city and medication information (but no email addresses). A hacker obtains medication information associated with ten anonymous individuals, who live in New York City. In this situation, the Web site could show that, even though a city is revealed, thus preventing the data from being categorized as ``de-identified,'' there is no reasonable basis for identifying the individuals, and no breach notification needs to be provided.
\77\ As noted below, the Recovery Act requires notification only if ``unsecured'' data has been breached, with the term ``unsecured'' to be defined by HHS. HHS issued guidance on the term ``unsecured'' on April 17, 2009. See 74 FR 19,006. The above example assumes the email addresses are secured in accordance with such guidance.
(f) PHR related entity
Proposed paragraph (f) defined the term ``PHR related entity'' as
an entity that (1) offers products or services through the Web site of
a vendor of personal health records; (2) offers products or services
through the Web sites of HIPAA-covered entities that offer individuals
PHRs; or (3) ``accesses information in a personal health record or
sends information to a personal health record.''\78\ The definition did
not include HIPAA-covered entities or other entities acting as business
associates of HIPAA-covered entities. The Commission adopts this definition without modification.
\78\ An entity that ``accesses information in a personal health
record or sends information to a personal health record'' includes
online applications through which individuals connect their blood
pressure cuffs, blood glucose monitors, or other devices so that
they can track the results through their PHRs. It also includes
online medication or weight tracking programs that pull information from PHRs.
Several commenters raised questions about the first two categories.
In particular, these commenters raised the question of whether the
phrase ``offers products or services through'' a PHR Web site includes
advertisers.\79\ In its NPRM, the Commission had stated that PHR
related entities would include ``a web-based application that helps
consumers manage medications; a Web site offering an online
personalized health checklist; and a brick-and-mortar company
advertising dietary supplements online.'' The Commission affirms that
such entities are PHR related entities, but notes that they are only
subject to the rule's breach notification requirements if they
experience a breach of ``unsecured PHR identifiable health
information'' in a ``personal health record.''\80\ Thus, if they do not
collect unsecured PHR identifiable health information at the Web site
offering PHRs, they will not be subject to the rule's breach notification requirements.\81\
\79\ See, e.g., SIIA at 10; World Privacy Forum at 5.
\80\ See Recovery Act, 13407(f)(1).
\81\ A consumer who clicks on an advertisement on the PHR Web
site may be taken to the advertiser's own site, where the advertiser
may collect the consumer's data. To avoid consumer confusion, and
potentially deception, the advertiser should provide clear and
conspicuous notice that the consumer is leaving the PHR Web site and
that the advertiser's privacy policy will now govern the collection of the consumer's data.
One commenter stated that search engines appearing on PHR Web sites
should be considered PHR related entities. This commenter noted that
including such search engines within the rule's scope is important
because consumers may search for particular health conditions, and many
search engines track individually identifiable information, such as the
contents of previous searches, IP addresses, and cookies.\82\ In
response, the Commission notes that search engines are PHR related
entities if they appear on PHR Web sites, and are subject to the rule's
breach notification requirements if they collect unsecured PHR identifiable information at those Web sites.\83\
\82\ World Privacy Forum at 4. For further discussion of privacy
issues raised in this context, see FTC Staff Report, ``Self-Regulatory
Principles for Online Behavioral Advertising,'' Feb. 2009,
(http://www2.ftc.gov/os/2009/02/P085400behavadreport.pdf).
\83\ Several commenters asked the Commission to clarify that an
individual, such as a family member that accesses information in a
relative's PHR, is not a PHR related entity. See, e.g., CDT/Markle
at 6; UHG at 5. The Commission agrees that a family member who
accesses information in a consumer's PHR with the consumer's authorization is not a PHR related entity.
(g) State
New paragraph (g) defines the term ``State'' as ``any of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa and the Northern Mariana Islands.'' This paragraph is identical to section 13400(15) of the Recovery Act and was added for reasons explained below, in the discussion of notice to the media.
(h) Third party service provider
Paragraph (g) of the proposed rule defined the term ``third party service provider'' as ``an entity that (1) provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and (2) accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.'' The Commission retains the definition of ``third party service provider'' without modification in the final rule and redesignates this paragraph as paragraph (h). Third party service providers include, for example, entities that provide billing, debt collection, or data storage services to vendors of personal health records or PHR related entities.
(i) Unsecured
Paragraph (h) of the proposed rule defined the term ``unsecured''
as ``not protected through the use of a technology or methodology
specified by the Secretary of Health and Human Services in the guidance
issued under section 13402(h)(2) of the American Recovery and
Reinvestment Act of 2009.'' It further provided that, if such guidance
is not issued by the date specified in such section, the term unsecured
``shall mean not secured by a technology standard that renders PHR
identifiable health information unusable, unreadable, or indecipherable
to unauthorized individuals and that is developed or endorsed by a
standards developing organization that is accredited by the American
National Standards Institute.'' The Commission has removed the
alternative definition from the final rule because HHS has already
issued the required guidance under the Recovery Act.\84\ The
Commission also has redesignated this paragraph as paragraph (i).
\84\ See supra note 77.
(j) Vendor of personal health records
Paragraph (i) of the proposed rule defined the term ``vendor of personal health records'' to mean ``an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.'' The Commission retains this definition as proposed and redesignates it as paragraph (j).
Proposed section 318.3: Breach notification requirement
Paragraph 318.3(a) of the proposed rule required vendors of personal health records and PHR related entities, upon discovery of a breach of security, to notify U.S. citizens and residents whose information was acquired in the breach and to notify the FTC. The Commission retains this paragraph in the final rule without modification.
Paragraph 318.3(b) of the proposed rule required third party service providers of vendors of personal health records and PHR related entities to provide notification to such vendors and entities following the discovery of a breach. The purpose of this requirement is to ensure that the vendor or entity receiving the breach notification is aware of the breach, so that it can in turn provide its customers with a breach notice. To further this purpose, proposed paragraph 318.3(b) required that the third party service provider's notification include ``the identification of each individual'' whose information ``has been, or is reasonably believed to have been acquired during such breach.'' The proposed paragraph also required third party service providers to provide notice to a senior official of the vendor or PHR related entity and to obtain acknowledgment from such official that he or she has received the notice. The Commission received several comments on paragraph 318.3(b), in response to which the Commission is making some changes to the final rule provision.
First, one commenter noted that a third party service provider may be unaware that it is dealing with a vendor of personal health records. For example, a cloud comp
FOR FURTHER INFORMATION CONTACT
Cora Tung Han or Maneesha Mithal, Attorneys, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580, (202) 326-2252.