Rip off the Band-Aid: Time to Scrap the FTC’s Health Breach Notification Rule

The Federal Trade Commission’s (FTC) Health Breach Notification Rule (HBNR) is a perfect example of a narrowly tailored regulation that only contributes to the cumbersome patchwork of privacy rules in this country without providing any real benefit.  Promulgated over 10 years ago to address a specific concern, the HBNR requires notice to consumers and the FTC when an entity not subject to health privacy laws suffers a breach affecting health records it maintains at the consumer’s direction.   

To date, the FTC has never initiated any HBNR enforcement actions and it has received notice of only two breaches involving 500 or more individuals over the past decade.[1]  The FTC did not disclose the number of notifications it has received for breaches involving fewer than 500 individuals.  By comparison, the Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act of 1996 and its regulations (HIPAA), has received notification of more than 3,000 breaches of protected health information involving 500 or more individuals over the same time period.    

There are serious questions about the efficacy of the HBNR and whether it would apply to present-day technologies such as direct-to-consumer genetic testing, contact tracing and mobile health applications.  Further, the HBNR serves only the limited purpose of providing notification in the event of a breach; it provides no privacy protections.  These may be the reasons why the FTC requested review of and public comment on the HBNR on May 8, 2020.[2]     

Background

In February 2009, Congress passed the American Recovery and Reinvestment Act, which contained the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  Along with HITECH Act provisions directing the regulation of electronic protected health information under HIPAA, Congress added provisions addressing electronic health records maintained for individuals by vendors that are not regulated under HIPAA. 

Specifically, Congress directed the FTC to create regulations requiring that such vendors notify affected individuals and the FTC in the event of a breach.[3]  Those regulations, the HBNR, became effective in September 2009.  As noted above, earlier this month, the FTC issued a notice requesting public comment on whether any changes to the HBNR are warranted.

The Health Breach Notification Rule

The HBNR requires vendors of personal health records that suffer a breach of unsecured personal health information to notify affected consumers and the FTC within 60 days of discovering the breach.  For breaches involving 500 or more individuals, the HBNR requires media notification and the FTC must be notified within 10 days.  Other HBNR notification requirements are similar, but not identical, to HIPAA’s breach notification rules.

Under the HBNR, a “vendor of personal health records” is an entity that offers or maintains personal health records for individuals and is not subject to HIPAA as a covered entity or business associate.[4]  “Personal health record” refers to an electronic record of individually identifiable health information, as defined under the Social Security Act, that “can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”[5] 

Importantly, the definition of “individually identifiable health information” includes only identifying health information that “is created or received by a health care provider, health plan, employer, or health care clearinghouse.”[6]  In other words, the HBNR applies only to health records that are created by HIPAA covered entities. 

The Problems with the HBNR

This narrow definition of “personal health records” means that the HBNR applies only to records created by healthcare providers or others subject to HIPAA.  This definition may have satisfied Congress’ intent in 2009 to ensure that breach notification rules applied to electronic health records that patients retrieved from healthcare providers and stored in on-line repositories with vendors not subject to HIPAA.  The HBNR’s utility starts and stops there.

The HBNR does not apply in common scenarios that involve an individual’s health information.  Consider direct-to-consumer genetic testing.  When a consumer spits into a container and sends that valuable health information to a genetic testing company and that company has a breach, the HBNR would not apply.  Again, the narrow definition of personal health record under the HBNR includes only information that was created by a HIPAA covered entity. 

The same would be true for contact tracing applications that did not involve records from a HIPAA covered entity or an application that tracks medical information originating from the consumer him or herself.  While the HBNR would not apply in these instances, all US states have some form of a data breach notification law and such laws may require notification.

Even if the FTC amended the HBNR to expand the definition of personal health record, it likely would be duplicative of state data breach laws and, more importantly, it would still fail to provide any privacy protections to the health information in any way.  For example, the HBNR does not prohibit a direct-to-consumer genetic testing company from selling the genetic data or require that the company provide the consumer any information on what it will do with the genetic information. 

Are Changes to the HBNR Warranted?

Yes.  Scrap it.  The genetic testing example is just one of many that illustrate the lack of utility of the narrowly tailored HBNR.  No revisions to the HBNR would address its shortcomings.  As noted above, simply expanding the definition of personal health information is not helpful.  Any revised notification rule would still fall far short of providing actual privacy protections and would only serve to create a more complex and even less effective privacy framework in this country. 

What’s the solution?  In the authorizing statute, which is titled “Temporary breach notification requirement for vendors of personal health records. . .,” Congress left the door wide open for another law to replace the HBNR (emphasis added):

“If Congress enacts new legislation establishing requirements for notification in the case of a breach of security, that apply to entities that are not covered entities or business associates, the provisions of this section shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.”[7]

It’s time to walk through that open door.  We need to stop wasting time creating and revising band-aid privacy rules to address the issue of the day and, instead, focus efforts on constructing a federal privacy law that provides uniform and meaningful protections that entities can implement without undue burden, expense or confusion. 

The FTC is accepting public comments in response to its request 90 days after it publishes the request in the Federal Register.  Comments can be submitted online at https://www.regulations.gov.


[1]  https://www.ftc.gov/system/files/documents/federal_register_notices/2020/05/p205405_hbn_rule_ review_-_proposed_doc.pdf (p. 3-4).

[2] Id. (p. 1).

[3] 16 C.F.R. § 318.3.

[4] 16 C.F.R. § 318.2(j).

[5] 16 C.F.R. § 318.2(d) and (e).

[6] 42 U.S.C. § 1320d(6).

[7] 42 U.S.C. § 17937(g)(2).