Zombie PHR Breach Rule Rises From the Dead

Faegre Drinker Biddle & Reath LLP
Yesterday, the FTC issued a policy statement announcing a new interpretation of the FTC’s 10-year-old “Personal Health Record Breach Notification Rule.” As the FTC acknowledges, this rule has never been enforced by the FTC. The FTC’s announcement indicates its intention to begin enforcing this rule, which allows the FTC to assess penalties of $43,792 per day of violation.

What’s changed? According to three of the commissioners on the FTC: nothing, as reported in the press release. Indeed, the policy statement suggests that the FTC has simply reiterated a rule “many appear to misunderstand.”

But most objective observers would agree that, at a minimum, the FTC has announced a previously unarticulated view of the definition of “personal health record.” Under the existing regulation, if an “electronic record . . . of identifiable health information” draws “information” from multiple sources, it constitutes a regulated PHR.

The FTC’s policy statement announces the FTC’s belief that this does not mean the record must draw “health information” from multiple sources, but rather means that the record (1) includes health information and (2) draws any other information from multiple sources. The FTC gives this example: “if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar), it is covered under the Rule.”

This position was not found in the FTC’s original 2010 Guidance on PHRs, which specifically noted that apps which relied exclusively on user-inputted information were not subject to the Rule.

Second, the FTC announced that it views the definition of “breach” as including any “sharing of covered information without an individual’s authorization.” This includes sharing information with advertisers and other third parties. Two of the three commissioners approving the new policy statement have previously argued that the FTC’s recent enforcement action against Flo Health, Inc., should have been brought as a violation of the PHR Breach rule. Flo Health was alleged to have shared information with marketing and analytics providers.

Who is exempt? HIPAA Covered Entities and Business Associates are exempt from the PHR Breach rule.

What’s required? If an entity that offers a PHR identifies a breach of the information contained in that record, then it is required to provide notice to each impacted individual and to the FTC. The notices to individuals must be provided within 60 calendar days of discovery. Notices to the FTC, however, must be provided within 10 business days of discovery when the incident impacts more than 500 individuals. Breaches are treated as “discovered” as of the date the breach was “known or reasonably should have been known” to the entity.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising