Yesterday, the Federal Trade Commission (FTC) released its final rule on health breach notification. The rule sets requirements for vendors of personal health records (PHRs) on how and when to notify consumers when their health information has been breached. PHRs are typically Internet-based services that let consumers collect, retain and share their own health information. A defining characteristic of PHRs is the high degree of control consumers have over the information in the record. The FTC final rule applies to PHRs operated by entities that are not covered by HIPAA, such as Google and Microsoft. Other PHRs are operated by health care providers that are covered by HIPAA, such as hospitals; the Dept. of Health and Human Services (HHS) is expected to issue separate final breach notification rules for those PHRs very soon.
CDT submitted comments on the FTC's proposed rule in June 2009. The FTC's final rule implements most, although not all, of CDT's recommendations. Among the CDT recommendations the FTC adopted in its final rule:
- The FTC and HHS rules on health data breach notification must be harmonized,
- Privacy and security protections should apply both to data in storage and in transit,
- This rule represents an appropriate expansion of the FTC’s traditional consumer protection authority,
- Breach notices should be issued from the entity with the closest direct relationship to the consumer, and only one notice per breach, and
- Companies’ disclosures regarding how consumers’ information is used must give consumers meaningful choices and not be buried in lengthy privacy policies.
The FTC rule differs from CDT's recommendations in two important areas, however: how companies determine whether a breach has occurred, and whether de-identified data or limited data sets count as personal health information for which notification must be issued in the event of a breach. The FTC final rule requires companies to notify consumers if PHR information is acquired without the authorization of the consumer. The FTC also established a presumption of acquisition whenever the information is accessed without authorization. Companies may rebut that presumption, however, with evidence showing that the information could not "reasonably" have been acquired, and thereby avoid having to notify consumers about the breach. That determination is made internally by the company, not by a regulator.
In CDT's comments on the proposed rule, we recommended against giving companies such broad discretion to determine whether acquisition took place, arguing that those companies have financial and reputational incentives to avoid notification. Although sensitive to this concern, the FTC decided to leave the rebuttable presumption in the rule without modification. The FTC's proposed rule also contained an exception to the notification requirement if the breached data was "de-identified". Under HIPAA, "de-identified" data is data stripped of a specific list of identifiers, such as names, most date elements, zip codes, etc. CDT argued against excepting "de-identified" data because of the risk of re-identification: research shows that a small percentage of the population can be re-identified when "de-identified" information is combined with other data sets, such as voter rolls. That percentage is likely to grow as data analysis tools become more powerful and more information is made publicly available online. The FTC decided against eliminating the exception for "de-identified" data, but it did reject calls to add an exception for "limited data sets", another HIPAA standard that strips fewer identifiers from the data (and therefore carries a much higher risk of re-identification) than "de-identified" data.
The FTC and HHS will revisit some of these issues, such as company disclosures and consumer authorizations, in less than a year in a study on privacy and security mandated by Congress. In the coming months CDT will issue reports on the most pressing areas to inform that study.