- Public comment period to FTC’s Health Breach Notification Rule closed August 20, 2020.
- The CARES Act amendments will require SAMHSA to add Breach Notification provisions to 42 CFR Part 2.
- Healthcare providers, vendors of PHRs and Part 2 providers and programs will need to keep an eye out for coming regulations which will require updates to Breach Notification P&Ps.
Subscribe HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools for compliance with changes to Data Breach Notification laws and regulations.
Yesterday, the period for public comment on the Federal Trade Commission (FTC) Health Breach Notification Rule closed. The FTC’s Health Breach Notification Rule, which went into effect in 2009, requires vendors of personal health records (PHR) and PHR-related entities that are not covered by HIPAA to notify affected individuals and the FTC if they experience a breach of security involving unsecured PHR identifiable health information (“unsecured” meaning not rendered unusable, unreadable or indecipherable through a technology or methodology specified in HHS guidance, such as encryption). Currently, the Rule requires such entities to notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If 500 or more individuals are affected by a breach, entities must also notify the FTC within 10 business days of discovery; smaller breaches are logged and reported to the FTC annually.
Since enactment of the Rule, the FTC website shows that only 3 (!) Breach Notices have been received by the FTC. In its Notice of Request for Public Comment, the FTC specifically sought comments on such issues as:
- whether the Rule has resulted in under-notification, over-notification, or an efficient level of notification;
- whether the Rule’s definitions should be modified to reflect legal, economic, and technological changes;
- whether the timing requirements and methods for reporting a breach are adequate;
- the implications for enforcement raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platform health tools; and
- whether and how the Rule should address any developments in health care products or services related to COVID-19.
Once processed, the comments on the Rule review will be posted to Regulations.gov.
Another area of change to Breach Notification is arising out of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which was enacted into law on March 27, 2020 and is making significant changes to the federal law, 42 U.S.C. § 290dd-2, implemented at 42 C.F.R. Part 2, which governs the confidentiality of substance-use disorder records. Among other changes that the CARES Act is introducing (and there are a lot, so stay tuned for future posts on this), it creates an entirely new obligation on Part 2 providers to give notice of uses and disclosures of Part 2 data in any manner not authorized under Part 2! To date, 42 CFR Part 2 did NOT include an independent obligation to report or notify any agency (i.e., SAMHSA or HHS) of any use or disclosure of Part 2 information in violation of 42 CFR Part 2. Any such notification obligation arose only to the extent that the Part 2 information was also protected health information (PHI) under HIPAA and was then used or disclosed in violation of the HIPAA Privacy Rule. In addition, the CARES Act introduces NEW enforcement authority which will allow HHS to enforce violations of 42 CFR Part 2 in a manner similar to what is currently done with HIPAA.
In light of these changes, covered entity healthcare providers, vendors of PHRs, as well as Part 2 providers and programs will soon need to reevaluate their data Breach Notification policies and procedures once the implementing regulations are published and compliance deadlines are known.