Does your employee health plan allow workers to maintain their medical information online? Do you store information on employee healthcare plans? If so, then you should familiarize yourself with the American Recovery and Reinvestment Act of 2009 (ARRA), which includes provisions to strengthen privacy and security protections for web-based businesses practices.
As a result of ARRA, the Federal Trade Commission issued a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule which requires businesses who have a security breach to:
- Notify everyone whose information was breached;
- In some cases, notify the media; and
- Notify the FTC
The Health Breach Notification Rule applies if you are a:
- Vendor of personal health records (PHRs);
- PHR-related entity; or
- Third-party service provider for a vendor of PHRs or a PHR-related entity.
The Rule requires you to provide notice when there has been an unauthorized acquisition of PHR-identifiable health information that is unsecured and in a personal health record. In these cases, the FTC has designed a standard form for companies to use to report a breach.
The Federal Trade Commission further defines these terms with the following:
- Personal health record: A personal health record is an electronic health record that can be “drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” If your business experiences a breach involving only paper health records – not electronic records – the FTC’s Rule doesn’t require any notification. However, because many states have notification laws that might apply, it’s wise to consult your attorney.
- Unauthorized acquisition: If health information that you maintain or use is acquired by someone else without the affected person’s approval, it’s an unauthorized acquisition under the Rule.
- PHR-identifiable health information: The notification requirements apply only when you’ve experienced a breach of PHR-identifiable health information. This is health information that identifies someone or could reasonably be used to identify someone.
- Unsecured information: The Rule applies only to unsecured health information, defined by the U.S. Department of Health and Human Services (HHS) to include any information that is not encrypted or destroyed. If your employee loses a laptop containing only encrypted personal health records, for example, you wouldn’t be required to provide notification.
Be sure to read the brochure “Complying with the FTC’s Health Breach Notification Rule”, which the FTC created to explain which businesses must comply with the Rule. The brochure also offers guidance on what to do in case your business experiences a security breach.
The FTC’s Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA). In the event of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule. FTC enforcement of the Rule began on February 22, 2010.
used with permission from SBA.gov
by Cecelia Taylor