FTC Proposes Revisions to Update the Health Breach Notification Rule

The Federal Trade Commission (FTC) has proposed changes to the Health Breach Notification Rule to reinforce the Rule's applicability to health applications and other emerging direct-to-consumer technologies that collect, store, and transmit identifiable health information.

Many health applications and connected devices collect health information, and they are accumulating substantial amounts of it. Organizations that acquire health information also have growing incentives to share that data with third parties for advertising and other purposes. The Health Insurance Portability and Accountability Act (HIPAA) requires the protection of health information, places limits on its uses and disclosures, and, in the event of a data breach, the HIPAA Breach Notification Rule requires that notifications be issued. Although health applications and connected devices may collect health information that would be classified as Protected Health Information (PHI) under HIPAA when held by a HIPAA-regulated entity, the majority of health applications and connected devices are not covered by HIPAA.

The FTC Health Breach Notification Rule applies to vendors of personal health records (PHR) and PHR-related entities that are not regulated by HIPAA, and requires those companies to send breach notifications to individuals, the FTC, and the media in the event of a breach of identifiable health information. If a data breach occurs at a third-party service provider to vendors of PHRs and PHR-related entities, the Health Breach Notification Rule requires that provider to notify the vendors and PHR-related entities. The Health Breach Notification Rule has been in place for 10 years; however, the FTC has only recently begun enforcing it. Since December 2022, the FTC has taken two enforcement actions against entities found to have violated the Health Breach Notification Rule: Easy Healthcare (Premom) and GoodRx. Both were found to have failed to issue prompt notifications regarding breaches of identifiable health information.

In September 2021, the FTC released a policy statement confirming that the Health Breach Notification Rule applies to health applications and connected devices that collect, use, or transmit consumer health data. The FTC has reviewed the comments received on the policy statement and has concluded that the Health Breach Notification Rule should be updated to make clear its applicability to health applications, connected devices, and other direct-to-consumer technologies.

The proposed updates include revising the definition of “PHR identifiable health information.” New definitions have also been added for the terms “health care provider” and “health care services or supplies.” The definition of “PHR-related entity” was modified to clearly state that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR-related entities. The FTC has additionally clarified what it means for a personal health record to draw PHR identifiable health information from multiple sources. The proposed revision makes clear that a “breach of security” includes the unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.

The FTC has also authorized the expanded use of email and other electronic means to provide clear and effective breach notice to consumers, and the required content of notifications has likewise been expanded. Notifications must include details of the potential harm that could result from the breach, and must name any third parties that may have received unsecured personally identifiable health information.

The comment period on the proposed changes is 60 days from the publication of the Notice of Proposed Rulemaking in the Federal Register.

Bipartisan Legislation to Deal with the Skill Gaps in Rural Hospital Cybersecurity

New bipartisan legislation was recently introduced to help address the current shortage of cybersecurity skills at rural hospitals. Sen. Gary Peters (D-MI), chairman of the Senate Homeland Security and Governmental Affairs Committee, and committee member Sen. Josh Hawley (R-MO) introduced the Rural Hospital Cybersecurity Enhancement Act.

Cyberattacks on healthcare organizations have grown considerably in the last couple of years. These attacks cause substantial disruption to patient care and can put lives in danger. Although health systems have invested more in cybersecurity, many small and rural hospitals lack the necessary resources and find it hard to hire experienced cybersecurity professionals. At the most recent Senate Homeland Security and Governmental Affairs Committee hearing, cybersecurity professionals discussed the current healthcare cybersecurity challenges. Kate Pierce, former CIO and CISO at North County Hospital in Vermont and an executive at Fortified Health Security, stated that cybercriminals have shifted their focus and are now actively targeting small and rural hospitals. Large health systems have implemented sophisticated cybersecurity measures and employ large cybersecurity teams to manage their advanced defenses; however, there is a wide gap in cybersecurity investment at small and rural hospitals, which tend to have weaker security.

A fundamental security measure such as around-the-clock supervising of systems is hard to have for these companies. In spite of all the guidance, advice, and solutions given in the last couple of years by H-ISAC, CISA, HSCC, 405(d), and other companies, I have discovered that the majority of small and rural hospitals don’t know this information, and are too confused to make use of these important tools.

The Rural Hospital Cybersecurity Enhancement Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop a comprehensive cybersecurity workforce development strategy for healthcare facilities that provide inpatient and outpatient care in non-urban areas. The strategy should include public-private partnerships, the development of curricula and training resources, and policy recommendations. The bill directs the Director of CISA to produce training materials for rural hospitals to teach staff basic cybersecurity measures, and the Department of Homeland Security to submit an annual report to congressional committees on updates to the strategy and any plans that have been implemented.

It is a must to stop ransomware attacks on hospitals and healthcare systems that expose sensitive medical data and affect patient care. Regrettably, small and rural hospitals are usually lacking the resources to improve cybersecurity defenses and employees to stop these breaches. This bipartisan law will call on the federal government to make sure that healthcare companies possess the needed tools to keep patient data safe and give lifesaving care although criminal hackers keep on targeting their systems.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone