
Digital Guardian's Blog

FTC To Review Healthcare Data Breach Notification Rule

by on Monday May 11, 2020


The FTC is seeking comment on whether or not it should make changes to its Health Breach Notification Rule, a rule that compels orgs to disclose when health records are breached.

With many Americans unable to visit a doctor’s office due to the ongoing COVID-19 pandemic and most nonessential appointments and surgeries canceled, the global market for telehealth has been on the rise lately.

What impact could these changes have on federal agencies in charge of overseeing compliance and data protection?

We might find out sooner than later.

The Federal Trade Commission (FTC), one of those groups, said Friday that it's looking into whether one of its rules, 2009's Health Breach Notification Rule, is still effective.

The rule governs the notification of individuals affected by data breaches at organizations that handle personal health data but aren't covered by the Health Insurance Portability and Accountability Act (HIPAA), which has its own set of breach notification rules. The rule typically applies to vendors or third-party companies that handle personal health records (PHRs), such as services that offer online repositories people can use to keep track of their health information.

Under the rule, organizations impacted by a breach have 60 days to report it to the FTC. If more than 500 individuals are affected, the organization must report it in 10 business days.

The U.S. government may want to use this as an opportunity to rein in those numbers to more closely reflect the times. In the European Union, under the General Data Protection Regulation, organizations have 72 hours to gather information on and report data breaches to the supervisory authority. Several states require organizations to notify victims of a data breach in as little as 30 days.

The FTC reviews rules every 10 years to ensure they keep pace with technology and business models, but it's hard to imagine this one won't be viewed in a different light, given the uptick in telehealth technology during these times.

In a study carried out last year by Fair Health, a nonprofit that follows price transparency in the healthcare industry, medical claim lines for all telehealth services increased by 624% from 2014 to 2018. Forrester Research suggested last month that the total number of telehealth interactions is on track to top 1 billion by the end of 2020. The total number of predicted visits, 200 million, is a far cry from its original projection of 36 million.

With an influx of new, online patients, likely using new technology, more individuals than ever could be covered by the FTC’s rule going forward.

In addition to whether the rule should be retained, changed or eliminated, the FTC is looking for comment on:

  • Whether the Rule has resulted in under-notification, over-notification, or an efficient level of notification;
  • Whether the Rule’s definitions should be modified to reflect legal, economic, and technological changes;
  • Whether the timing requirements and methods for reporting a breach are adequate;
  • The implications for enforcement raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platform health tools; and
  • Whether and how the Rule should address any developments in health care products or services related to COVID-19.

Federal agencies have had to augment how data is collected and how violations are approached in the two months since the World Health Organization’s coronavirus pandemic declaration.

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) last month said it wouldn't be imposing penalties for violations of some provisions of the HIPAA Privacy Rule.

With so many children accessing education technology, the FTC also said in April that, in lieu of parents, schools can consent to the collection of student data under the Children's Online Privacy Protection Act, as long as it's for a school-authorized purpose.

Tags: Industry Insights

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.