FTC Issues New Health Records Data Breach Notification Rules and Massachusetts Modifies Data Security Rules
August 27, 2009

FTC Issues Final Data Breach Notification Rules for Vendors of Electronic Health Records 

On August 17, 2009, the Federal Trade Commission ("FTC") published its final rule on data breach notification for electronic health records.  The Health Breach Notification Rule ("the Rule"), which will be codified at 16 CFR Part 318, requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, as defined, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the trigger, timing, means, and content of the notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the Rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule on the FTC's website. Failure to comply can result in civil penalties under Section 18 of the FTC Act.

The Recovery Act does not limit the FTC's enforcement authority to its enforcement jurisdiction under Section 5 of the FTC Act.  Therefore, the Rule expressly applies to "vendors of personal health records and other non-HIPAA covered entities," without regard to whether such entities fall within the FTC's jurisdiction under Section 5.  Some of these non-typical entities include non-profit organizations, educational institutions, charities, and 501(c)(3) organizations.  The Rule does, however, preempt state law.   

The Rule does not apply to HIPAA-covered entities or business associates of such entities, which are already subject to the notification rules implemented by the U.S. Department of Health and Human Services. 

Notice Trigger: Acquisition of Unsecured PHR Data Without Authorization

Notice under the Rule is triggered by a "breach of data security," which is defined as the "acquisition of unsecured PHR [personal health record] identifiable health information of an individual in a personal health record without the authorization of the individual"  (emphasis added). Under the Rule, unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

The Rule provides that a breach of security will be considered to have been "discovered," as of the first day on which such breach is known or reasonably should have been known to the vendor of personal health records, PHR related entity, or third party service provider, respectively, or any of their employees, officers, or agents.

Notice Requirement:  Timing and Means

The Rule requires that notice be given to consumers and to the Federal Trade Commission "without unreasonable delay", but in any event no more than 60 days after the discovery of a data security breach.  Notice may be delayed if a law enforcement official determines that notice would impede a criminal investigation or cause damage to national security.  Notice must also be given to prominent media outlets of a State or jurisdiction following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.

Notice may be provided in any of the following ways:  (1) by first class mail; (2) by email if the individual is given a clear, conspicuous, and reasonable opportunity to receive notification by first-class mail, and the individual does not opt-put; or (3) by substitute notice, if the vendor of personal health records or PHR related entity finds that contact information for ten or more individuals is insufficient or out-of-date.

Content of Notice: 

Notice under the Rule must contain the following elements:

(1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

(2) a description of the types of unsecured PHR identifiable health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code);

(3) steps individuals should take to protect themselves from potential harm resulting from the breach;

(4) a brief description of what the entity that suffered the breach is doing to investigate the breach, to mitigate harm, and to protect against any further breaches; and

(5) contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website, or postal address.

Massachusetts Modifies Data Security Rules at Request of Small Businesses

The Massachusetts Office of Consumer Affairs and Business Regulation announced on August 17 that it has modified the state's data security regulations and extended the deadline for compliance to March 1, 2010.  The new amendments encourage a flexible, risk-based approach, especially for small businesses that may not handle large amounts of personal data.  The risk-based approach requires companies to consider their size, industry, and record keeping practices when developing a data security program.

The revised regulations continue to require all businesses that own or license "personal information" of Massachusetts residents to develop and implement a comprehensive, written information security program.  Key technical requirements of such a program include:  (1) secure user authentication and access protocols (with details on how to do so included in the Regulation);  (2) encryption of all transmitted records and files containing personal information that will travel across public networks, of all data containing personal information to be transmitted wirelessly, and of all personal information stored on laptops or other portable devices; (3) reasonable monitoring of systems for unauthorized use of, or access to, personal information; (4) reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information for files containing personal information on a system that is connected to the Internet; (5) reasonably up-to-date versions malware protection, patches and virus definitions, and (6) education and training of employees on the proper use of the computer security system and the importance of personal information security.

Kelley Drye & Warren LLP

Kelley Drye & Warren's Information Security and Privacy practice is a leader in advising clients on information security and privacy issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of data security and privacy compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their data security and privacy practices.

For more information about this Client Advisory, please contact:

Lewis Rose
(202) 342-8821
lrose@kelleydrye.com

Alysa Zeltzer Hutnik
(202) 342-8603
ahutnik@kelleydrye.com