These changes took effect on July 29. Therefore, in the event of a qualifying security incident, companies who are not considered HIPAA-covered entities or business associates should be aware of their legal obligations. A copy of the amendments is available here.
Is my business subject to the Health Breach Notification Rule?
As a result of the amendments, the Rule applies to health applications, websites, and other technologies that possess health information but aren’t subject to HIPAA. If your business falls within one of the three categories below, you are subject to the obligations outlined in the Rule:
- Vendors of personal health records. If your business “offers or maintains a personal health record,” then it is a vendor of personal health records. However, HIPAA-covered entities and their business associates are excluded from this definition. A personal health record is “an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” An example is a health advice website or app that collects geolocation data via an application programming interface where consumers log in with a username and password, enter their symptoms, and receive potential medical diagnoses. In this case, the site or app draws information from multiple sources (the consumer and the API), and is managed by or primarily for the individual.
- Personal Health Related Entity. If your business engages in any of the following you are a PHR-related entity: (1) offers products or services online through a vendor of a PHR website; (2) offers products or services online through a HIPAA-covered entity’s website; or (3) accesses identifiable health information in a health record or sends identifiable health information to a health record.
- Third-party service provider. You are a third-party service provider if your business provides services to a PHR-related entity or health care records vendor, and in connection with those services it “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses” health information.
When is my business required to comply with the HBNR?
The HNBR is triggered when your business experiences an unauthorized acquisition of unsecured PHR identifiable health information that resulted from a “data breach or unauthorized disclosure.” This means that the Rule applies when your company (1) makes an unauthorized use or disclosure of health information, or (2) experiences a data breach.
Who is my business required to notify if a breach of security occurs?
In the event of a breach of security, the Rule requires that you notify all of the following:
- Affected individuals (those whose information was compromised as a result of the breach of security) who are citizens or residents of the United States.
- The FTC.
- Media outlets if the breach of security compromised the information of more than 500 individuals.
If you are a third-party service provider, you are also subject to the notification requirement after the discovery of a breach of security. You must notify the health records vendor or the PHR related entity to whom you provide services. The notification must identify all affected individuals. After the vendor or PHR related entity receives notification, it must acknowledge receipt of your notice. To comply with these requirements, health records vendors and PHR entities must be forthcoming about their status.
How long does my business have to provide the required notifications?
Applicable entities who experience a breach of security should provide notice to the affected individuals and the media without unreasonable delay and no later than 60 calendar days after discovery of the breach of the security. If fewer than 500 individuals are affected by the breach, the entity must notify the FTC within “60 calendar days following end of calendar year.”
However, when the breach of security involves more than 500 people, the entity must notify the FTC at the same time that it notifies the affected individuals.
What are the permitted notification methods?
- Depending on the circumstances and contact information available to your business, individuals may be provided notice via electronic mail, first-class mail, telephone, website posting, media posting, or their next of kin.
- The FTC can be notified via the online Notice of Breach of Health Information.
- Media notifications can be made via prominent news outlets in the applicable state or jurisdiction.
What is my business required to include in the notice?
Regardless of the notice method, the notice must contain the following information:
- A brief description of the incident.
- The type of information disclosed or affected.
- The efforts made by the business to investigate after discovery of the breach.
- Contact information for individuals to learn more about the incident
What happens if my business fails to comply?
Businesses that do not comply may be subject to civil penalties.
