FTC: Organizations not bound by HIPAA must report breaches
by Steve Ragan - Aug 19 2009, 18:30

In a 4-0 ruling Monday, the FTC approved a rule that will require Web-based businesses that deal with personal health information, even if they are not bound by HIPAA laws, to report security breaches. The Health Breach Notification Rule was created and put in place because Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009.
“The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records,” the FTC explained.
Many of the businesses and organizations that offer Web-based health services are not covered under HIPAA laws. While doctors are covered under HIPAA mandates, third parties who work with doctors have to deal with various grey areas. In the outline of the rule, the FTC gave a few examples of how this new rule of law will work. You can read the entire eighty-eight-page document here. [PDF]
The FTC said that the new rule requires vendors of personal health records and related entities to notify consumers following a security breach that involves unsecured information. According to the form that the entity must submit to the FTC, it does not matter how the breach took place, or where. All that matters is that there is notification.
“In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media,” the FTC explained in a statement.
The actual form is here. [PDF]
The FTC ruling is good news, as it means third parties and providers indirectly related to a healthcare provider need to follow the same rules. However, information security isn’t as simple as layering governmental mandates; the providers and vendors need to ensure that they work to secure their systems and networks.
There shouldn’t be a need for these laws if the vendors and providers looked after the information they mine on a daily basis in the first place. However, the sad fact is that it only takes a database glitch or a misconfiguration to expose every patient or customer to the task of dealing with the aftermath of a security breach.
Under the Recovery Act, the Department of Health and Human Services has been assigned to conduct a study and report by February 2010 on potential privacy, security, and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA.