FTC: Health Breach Notification Rule

Posted on by Dissent

From the FTC:

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Under the FTC’s Rule, companies that have had a security breach must:

  1. Notify everyone whose information was breached;
  2. In many cases, notify the media; and
  3. Notify the FTC.

The FTC has designed a standard form for companies to use to notify the FTC of a breach. The FTC will begin enforcement on February 22, 2010.

The FTC’s Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA). In case of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule.

Interestingly, the list of choices for Type of Breach lists:

  • Lost or stolen laptop, computer, flash drive, disk, etc.
  • Stolen password or credentials
  • Unauthorized access by an employee or contractor
  • Hacker
  • Other (describe)

I might have broken it down a bit more to list malware, exposure due to file-sharing application, exposure due to insider error (such as email attachment).  I would also include a sub-level for lost/stolen that asks whether the device was lost or stolen from the premises, off-premises, or unknown.  And I’d give them an option to check if the company received an extortion attempt.   But that’s just me — I love to get more data that can be analyzed and having specific bullets as opposed to “describe” for “other” could facilitate data analysis.

H/T, HIPAA Blog.

Category: Uncategorized