Does your organization offer or plan to offer employees online or electronic personal health records (PHRs)? Can employees enter their personal health information into online programs that help them evaluate and improve their health, such as weight loss applications?
If you’ve answered yes or if your organization provides electronic PHR programs to others, you should be aware of proposed rules on the topic from the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS). The extent to which employees will embrace new health information technologies and wellness-type applications (and to which your organization may save on health-related expenses) may depend on their faith in the security of sensitive health information.
The FTC’s proposed rules, at www.ftc.gov/os/2009/04/R911022healthbreach.pdf, spell out how vendors of PHRs and certain others must notify consumers if the security of their individual and identifiable health records has been breached. Comments on the proposed rules are due on or before June 1.
The recently passed American Reinvestment and Recovery Act (ARRA) calls for spending billions of dollars to move the country toward electronic health records to reach a goal of better health care at less cost. The ARRA also outlines HIPAA-based privacy safeguards to protect electronic health records. It requires the HHS to develop new privacy rules for entities already covered by HIPAA (generally, health care providers, health plans, and health clearinghouses). It further requires the FTC to develop privacy rules for entities not covered by HIPAA, such as PHR vendors and others.
The FTC rules are actually interim rules and are supposed to take effect within six months of the February 17, 2009, passage of the ARRA, or by August 17, 2009. They may be modified once the HHS, with the FTC, completes a report on privacy and security requirements for electronic health records. This report is due by February 17, 2010. But how long the interim rules will remain in effect is anybody’s guess. They may be here for a long time, so if you plan to adopt electronic health records, it could be worthwhile to review the proposed rules and submit your comments.
In brief, the proposed FTC rules require vendors of PHRs and related entities to provide notice to consumers following a breach. The proposed rules also require that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. There are specific provisions for notice, including notice on websites if 10 or more persons whose information was compromised can’t be contacted individually.
A “breach” is defined as the acquisition of unsecured identifiable health information of an individual in a PHR without the person’s authorization. Two key terms are “acquisition” and “unsecured.” There is a presumption that once an unauthorized person has obtained access to health information, he has also acquired it. To defeat the presumption, the entity whose security was breached must provide “reliable evidence” that the data wasn’t or couldn’t have been acquired.
For a breach to occur, information must be unsecured, defined as not protected by technology specified by the HHS as required by the ARRA. If the information has been protected by an approved technology or methodology, it is not unsecured, and there can be no breach, nor is any notification required.
The ARRA gave the HHS a deadline to specify the protective technology, which it did on April 17, 2009, when it issued guidance on protecting health information, available at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf. Comments must be submitted on or before May 21, 2009. The guidance is effective upon issuance, or April 17, 2009. In part, the HHS guidance states that electronic personal health information is rendered unusable and therefore secured if it has been encrypted as specified in the HIPAA Security Rule. It also lists acceptable encryption processes.
In the guidance, the HHS has listed questions seeking specific information from the public on encryption methodologies and on breach notification. Several questions deal with complying with similar state notification requirements, and one asks about exceptions to the definition of “breach.”
Will these regulations provide enough privacy protection for your employees? You be the judge. This area of regulation is evolving rapidly, and you have a chance to help shape its direction.
This alert was provided by the Benefits and Compensation Law Alert, a monthly newsletter for benefits and HR professionals with information on the latest developments in benefits and compensation laws, regulations, and court decisions. BCLA has a sister publication that deals specifically with non-profits, the Benefits and Compensation Law for Non-Profits newsletter.