{"id":342,"date":"2020-05-19T11:12:18","date_gmt":"2020-05-19T15:12:18","guid":{"rendered":"https:\/\/pbacyber.com\/?p=342"},"modified":"2021-11-22T11:00:07","modified_gmt":"2021-11-22T16:00:07","slug":"ftc-undertakes-10-year-review-of-health-breach-notification-rule-seeks-public-comments","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2020\/05\/19\/ftc-undertakes-10-year-review-of-health-breach-notification-rule-seeks-public-comments\/","title":{"rendered":"FTC Undertakes 10-Year Review of Health Breach Notification Rule, Seeks Public Comments"},"content":{"rendered":"<p>By Jennifer K. Wagner, J.D., Ph.D.<\/p>\n<p>&nbsp;<\/p>\n<p>On April 15, 2020, the Federal Trade Commission (FTC) published a <a href=\"https:\/\/www.federalregister.gov\/documents\/2020\/04\/15\/2020-07757\/regulatory-review-schedule\">notice of its intent<\/a> to conduct a 10-year review of the Health Breach Notification Rule (HBN Rule) (85 FR 20889) and <a href=\"https:\/\/www.ftc.gov\/news-events\/press-releases\/2020\/05\/ftc-seeks-comment-part-review-health-breach-notification-rule\">announced<\/a> on May 8, 2020 that it would be <a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/federal_register_notices\/2020\/05\/p205405_hbn_rule_review_-_proposed_doc.pdf\">requesting public comment<\/a>. The comment period will remain open for 90 days after the request has been published in the Federal Register.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>What is the HBN Rule?<\/em><\/strong><\/p>\n<p>The <a href=\"https:\/\/www.ecfr.gov\/cgi-bin\/retrieveECFR?gp=1&amp;SID=6ae79a215bd299fd401a63594e98ce70&amp;ty=HTML&amp;h=L&amp;n=16y1.0.1.3.42&amp;r=PART\">HBN Rule<\/a> has been around for more than a decade, but it has not garnered as much attention as it perhaps should. It has been overshadowed by the Health Insurance Portability and Accountability Act Breach Notification Rule (<a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/breach-notification\/index.html\">HIPAA Rule<\/a>) enforced by the Department of Health and Human Services (HHS). The FTC and HHS rules are similar to one another but, notably, the FTC\u2019s HBN Rule applies to businesses that are outside of the regulatory reach of HHS\u2019s HIPAA Rule. This has been increasingly important, as much of our individual \u201chealth\u201d data is no longer generated, managed, or controlled by businesses traditionally viewed as the keepers of health data (e.g., doctors\u2019 offices with patients\u2019 medical records) but instead generated, managed, or controlled by businesses offering apps, wearables, and\u00a0 online platforms, portals, and communities. Interestingly, while there apparently have been only two notifications of <a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/plain-language\/draft_breach_notices_received_by_ftc_2015.pdf\">data breaches involving 500 individuals or more reported to the FTC<\/a> over the entire decade, hundreds of similar data breach notifications have been <a href=\"https:\/\/ocrportal.hhs.gov\/ocr\/breach\/breach_report.jsf\">reported to HHS<\/a> in merely the most recent 24 months.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>How is the HBN Rule different from the HIPAA Rule?<\/em><\/strong><\/p>\n<p>The HIPAA Rule applies to covered entities (i.e., health plans, health care clearinghouses, and health care providers) and their business associates (i.e., individuals or entities performing certain functions and providing certain services <em>on behalf of<\/em> covered entities). The HBN Rule applies to those who do not meet those criteria but nevertheless have your health data and engage in activities involving health data <em>on behalf of<\/em> the consumer\/user: vendors of personal health records (PHRs), PHR-related entities, and third-party service providers who support them. A \u201cpersonal health record\u201d is defined by 16 C.F.R. \u00a7318.2(d) as \u201can electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for an individual.\u201d<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>What does the HBN Rule do?<\/em><\/strong><\/p>\n<p>The HBN Rule is intended to obligate vendors of PHRs, PHR-related entities, and third-party service providers to alert the FTC and consumers when<\/p>\n<ol>\n<li>there has been an unauthorized acquisition<\/li>\n<li>of PHR-identifiable health information<\/li>\n<li>that is unsecured and<\/li>\n<li>in a personal health record.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p>When a breach is discovered, the notice to affected consumers must be \u201cwithout unreasonable delay\u201d and within 60 calendar days of the discovery. The notification is to include a brief description of what happened, what kind of health data was involved, what identity theft risks are associated with the data that was affected and what steps could reduce those risks, a description of what has been done to mitigate the harm and prevent the breach from recurring, and contact information so that consumers may easily obtain additional information.<\/p>\n<p>&nbsp;<\/p>\n<p>How quickly the notice must be submitted to the FTC depends on the magnitude of the data breach. If the breach affected fewer than 500 individuals, the notification to the FTC must occur within 60 calendar days following the end of that calendar year. If the breach affected 500 individuals or more, the notification to the FTC must occur within 10 business days of the discovery. Also, if the breach involves 500 individuals or more who reside in one particular location (i.e., a specific state, district, or US territory), the media for that location must also be notified.<\/p>\n<p>&nbsp;<\/p>\n<p>Each violation of the HBN Rule can result in civil penalties of $43,280, as per the most recent <a href=\"https:\/\/www.ftc.gov\/news-events\/press-releases\/2020\/01\/ftc-publishes-inflation-adjusted-civil-penalty-amounts\">inflation-adjustments to the maximum civil penalties<\/a> allowable for the statutes enforced by the FTC (<a href=\"https:\/\/www.federalregister.gov\/documents\/2020\/01\/14\/2020-00314\/adjustments-to-civil-penalty-amounts\">85 FR 2014<\/a>). <a href=\"https:\/\/www.ftc.gov\/tips-advice\/business-center\/guidance\/complying-ftcs-health-breach-notification-rule\">Guidance for businesses on how to comply with the HBN Rule<\/a> has been available since 2010, and a standardized Notice of Breach of Health Information form is to be used (OMB Control No. 3084-0150). (Interestingly, both <a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/rules\/health-breach-notification-rule\/r2911002_hbn_092015.pdf\">the version provided<\/a> <a href=\"https:\/\/www.ftc.gov\/enforcement\/rules\/rulemaking-regulatory-reform-proceedings\/health-breach-notification-rule\">on the FTC\u2019s website<\/a> and the <a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/plain-language\/2017_5_2_breach_notification_form.pdf\">version cited<\/a> in the request for comments are expired versions\u2014exp. 3\/31\/2016 and 3\/13\/2019, respectively).<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>FTC Seeking Input&#8230;Again<\/em><\/strong><\/p>\n<p>This is not the first time the FTC attempted to obtain public input on the HBN Rule. Early last year (February 2019), the FTC sought comments (<a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/FR-2019-02-08\/pdf\/2019-01530.pdf\">84 FR 2868<\/a>) on four issues under the HBN Rule: (1) whether the information collected has \u201cpractical utility\u201d for the FTC to perform its functions; (2) the accuracy of the FTC\u2019s estimated burden of the information to be collected; (3) how to \u201cenhance the quality, utility, and clarity of the information to be collected\u201d; and (4) how to \u201cminimize the burden\u201d on businesses. In May 2019 after the comment period was over, however, the FTC indicated (<a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/FR-2019-05-02\/pdf\/2019-08909.pdf\">84 FR 18845<\/a>) that its request had been <a href=\"https:\/\/www.regulations.gov\/document?D=FTC-2019-0004-0001\">unsuccessful<\/a> (eliciting seven \u201cnon-germane\u201d comments) and reopened the comment period through June 2019. Judging by the lack of comments appearing <a href=\"https:\/\/www.regulations.gov\/document?D=FTC-2019-0028-0001\">in the docket folder<\/a> on regulations.gov, it appears that attempt was also unsuccessful. The FTC\u2019s most recent request for public comments on the HBN rule seeks input on 23 general and specific questions, suggesting that the FTC is considering a full range of options (i.e., keep the rule, modify the rule, or perhaps even abandon the rule).<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>This is potentially a much bigger deal than just a breach notification rule that hasn\u2019t been enforced. <\/em><\/strong><\/p>\n<p>Asking whether the HBN Rule remains up to the task and how its design might be improved given today\u2019s contexts does seem appropriate. With the Office of the National Coordinator for Health Information Technology\u2019s (ONC\u2019s) recent issuance of the <a href=\"https:\/\/www.healthit.gov\/curesrule\/overview\/about-oncs-cures-act-final-rule\">Final Rule implementing the 21<sup>st<\/sup> Century Cures Act<\/a> and the American Medical Informatics Association (AMIA) emphasizing the importance of \u201c<a href=\"https:\/\/www.ntia.doc.gov\/files\/ntia\/publications\/amia_response_to_ntia_rfi_on_data_privacy_outcomes_and_goals_vfinal.pdf\">consumer centricity<\/a>\u201d to data privacy policies, individuals are intended to have far greater access and control over the flow of their own health information than ever before, suggesting that more and more data activities are intended to be performed <em>on behalf of<\/em> the individual (consumer, research participant, or patient) rather than HIPAA covered entities and their business associates. The input collected as part of this 10-year rule review on the HBN Rule\u2014when combined with the insights from the 14 hearings the FTC has held recently on \u201c<a href=\"https:\/\/www.ftc.gov\/policy\/hearings-competition-consumer-protection\">Competition and Consumer Protection in the 21<sup>st<\/sup> Century<\/a>\u201d and from the relevant reports issued (e.g., <a href=\"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/docs\/big_data_privacy_report_may_1_2014.pdf\">Big Data: Seizing Opportunities, Preserving Values<\/a> in 2014; the <a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/reports\/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy\/150127iotrpt.pdf\">Internet of Things<\/a> in 2015; <a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/reports\/big-data-tool-inclusion-or-exclusion-understanding-issues\/160106big-data-rpt.pdf\">Big Data: A Tool for Inclusion or Exclusion<\/a> in 2016; the <a href=\"https:\/\/www.healthit.gov\/sites\/default\/files\/non-covered_entities_report_june_17_2016.pdf\">HHS report on non-HIPAA entities<\/a> in 2016)\u2014could become instrumental in shaping how data protection regulations are harmonized, how overlapping agency responsibilities (such as those involving the FTC, FDA, FCC, and CISA) are coordinated and shared, and even how possible comprehensive federal privacy legislation develops.<\/p>\n<p>&nbsp;<\/p>\n<p>The FTC has provided us with a significant opportunity to contribute to what our future holds with regard to health data privacy and security. Comments may be submitted online through <a href=\"https:\/\/www.regulations.gov\">https:\/\/www.regulations.gov<\/a> until August 2020 (with the exact deadline being 90 days after the request\u2019s publication in the Federal Register).<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>Correction on November 21, 2021:<\/em><\/strong> This post has been revised to correct a typographical error in the original text in which the Health <em>Insurance<\/em> Portability and Accountability Act was erroneously referred to\u00a0as the Health <em>Information<\/em> Portability and Accountability Act. No other revisions have been made.<\/p>\n<hr \/>\n<p>&nbsp;<\/p>\n<p>Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also conducts research as an Assistant Professor in the Center for Translational Bioethics &amp; Health Care Policy at Geisinger. She is a former contributing editor of the <em>Genomics Law Report<\/em> and has published scholarly articles in prominent legal and scientific journals, including the <em>Journal of Law &amp; Biosciences<\/em>; <em>Journal of Law, Medicine, &amp; Ethics; Albany Law Journal of Science &amp; Technology<\/em>; <em>Virginia Sports and Entertainment Law Journal<\/em>; <em>North Carolina Journal of Law and Technology<\/em>; <em>Nature Communications<\/em>; <em>Nature Medicine; American Journal of Human Genetics<\/em>; <em>Genetics in Medicine; and PLOS Genetics<\/em>. She served as a AAAS Congressional Fellow in a U.S. Senator\u2019s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as <a href=\"https:\/\/twitter.com\/DNAlawyer\" target=\"_blank\" rel=\"noopener noreferrer\">@DNAlawyer<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Jennifer K. Wagner, J.D., Ph.D. &nbsp; On April 15, 2020, the Federal Trade Commission (FTC) published a notice of its intent to conduct a 10-year review of the Health Breach Notification Rule (HBN Rule) (85 FR 20889) and announced on May 8, 2020 that it would be requesting public comment. The comment period will <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2020\/05\/19\/ftc-undertakes-10-year-review-of-health-breach-notification-rule-seeks-public-comments\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[10,4,32],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/342"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=342"}],"version-history":[{"count":4,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/342\/revisions"}],"predecessor-version":[{"id":437,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/342\/revisions\/437"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}