Knowledge Center

2009 rule requires vendors of personal health records to notify consumers following a breach involving unsecured information

WASHINGTON, DC — August 31, 2020 — WEDI, the nation’s leading nonprofit authority on the use of health IT to create efficiencies in health care information exchange and a statutory advisor to the U.S. Department of Health and Human Services (HHS), today issued a statement on behalf of its Board Chair, Jay Eisenstock. The following remarks are in response to the Federal Trade Commission’s (FTC’s) regulatory review and request for public comment concerning the 2009 Health Breach Notification (HBN) Rule (85 Fed. Reg. 31085):

“The U.S. Department of Health and Human Services has implemented many of the privacy provisions included in the HIPAA and HITECH Act requirements for HIPAA-covered entities and their business associates, while the FTC regulations address other entities authorized by the HITECH Act. Section 318.1 of the HBN rule makes clear that the FTC regulation does not apply to HIPAA-covered entities or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity. The statutory distinction between the jurisdiction of HHS over HIPAA-covered entities and that of FTC over certain non-HIPAA entities in this provision are critical to maintain. HIPAA-covered entities and business associates should continue to be governed by HHS’s Breach Notification Rule; the FTC should oversee the entities authorized by the HITECH Act.

“While regulations should be streamlined, they should not be duplicated. If non-health care entities are dealing with consumers’ identifiable health information, those entities should be required to follow similar rules as health care covered entities and business associates. This will ensure a ‘level playing field’ so that consumers have confidence that their information will be protected in different environments. Entities that fall within the FTC’s ‘third party’ definition and are not a HIPAA-covered entity or business associate should be further clarified in future regulations or guidance. This work should be done in line with the HITECH Act, but should consider whether new entities would qualify as a ‘third party,’ particularly in the software applications and other electronic interfaces that are being developed in the technology industry.”

For more information on the FTC’s regulatory review and request for public comment, visit https://www.federalregister.gov/documents/2020/05/22/2020-10263/health-breach-notification

About WEDI
WEDI is the leading authority on the use of health IT to improve health care information exchange in order to enhance the quality of care, improve efficiency, and reduce costs of our nation’s health care system. WEDI was formed in 1991 by the Secretary of Health and Human Services and was designated in the 1996 HIPAA legislation as an advisor to HHS. WEDI’s membership includes a broad coalition of organizations, including: hospitals, providers, health plans, vendors, government agencies, consumers, not-for-profit organizations, and standards development organizations. To learn more, visit www.wedi.org and connect with us on Twitter and LinkedIn.