The Federal Trade Commission (FTC) has been stepping up its game when it comes to protecting health information.
In 2010, the FTC began enforcing the Health Breach Notification Rule to require certain businesses not covered by HIPAA to notify their customers and others if there’s a breach of unsecured, individually identifiable electronic health information — called personal health records (PHRs). PHRs are electronic health records that can be “drawn from multiple sources and that are managed, shared, and controlled by, or primarily for the individual.” Think a Fitbit profile or a blood pressure monitoring app.
The Rule applies to vendors of PHRs, PHR-related entities, and third-party service providers for PHR vendors or PHR-related entities. In the case of a breach, the Rule requires companies to notify each affected person residing in the United States, the Federal Trade Commission, and sometimes, the media.
So what does this mean for public health agencies? It means that health departments could be subject to both the HIPAA and FTC breach notification rules. The FTC Rule does not apply to HIPAA-covered entities, but in the case of a hybrid entity, the FTC Rule would apply to its non-HIPAA-covered components. For example, if a breach occurs that compromises all data within a health department, the health department must notify the people who use any PHR services under the FTC Rule. In addition, the health department must notify any clients of the HIPAA-covered components under the HIPAA Breach Notification Rule.
The FTC has not stopped with data breaches. An FTC report published last month focused on privacy and security issues related to the massive Internet of Things trend — the increasing number of physical objects embedded with technology allowing for the exchange of data — which includes the growing number of connected health devices. Some of the FTC staff’s recommendations include a push for Congressional action on general data security regulation, covering not just health-related data; the agency also specifically stated that HIPAA doesn’t cover all health-related data. Many health apps and devices are collecting sensitive health information through consumer-facing products, to which HIPAA protections do not apply.
The impact that any future FTC rules might have on public health agencies is unclear. But as the Internet of Things continues to expand and health departments continue to adapt to best serve clients, it is important to ensure the privacy and security of individuals’ health information, with or without FTC rules.
This blog was prepared by Jennifer Bernstein, J.D., M.P.H., Staff Attorney, Network for Public Health Law – Mid-states Region at the University of Michigan School of Public Health.
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not necessarily represent the views of, and should not be attributed to, RWJF.