The Federal Trade Commission (FTC) Health Breach Notification Rule requires vendors of personal health records (PHRs) and related entities to notify consumers following a breach involving unsecured information. But as the FTC considers change, the ADA is asking for coordination between the rule and state, local, and other federal laws and regulations.
The proposed rule does not apply to health information secured through technologies specified by the Department of Health and Human Services (HHS) or to businesses or organizations covered by the Health Insurance Portability and Accountability Act (HIPAA). Instead, these businesses and organizations must comply with HHS’s breach notification rule.
To prevent unnecessary confusion in notification requirements, the ADA said that it strongly recommends that the FTC and HHS work closely together to assess the extent to which vendors of PHRs, PHR-related entities, and third-party service providers may be HIPAA-covered entities or business associates of HIPAA-covered entities.
Also, the ADA said that the FTC and HHS should ensure that the breach notification requirements are effective but not overly burdensome or costly. Coordination between the FTC and HHS to develop the requirements is essential to prevent patients from receiving multiple, duplicate breach notices over the same incident, the ADA said.
Furthermore, the ADA said, overly burdensome and costly requirements could act as a disincentive for widespread PHR and electronic health records adoption and use.
The ADA additionally is concerned with the impact of state laws and regulations that may overlap with these proposed requirements, leading to confusion among dentists and their patients. This confusion may grow when a federal regulation such as those proposed by the FTC overlaps with several states that may be served by an entity, the ADA said.
“With the potential for electronic PHRs to be operated by a vendor across several states, this problem is exacerbated,” the ADA said in its letter to the FTC. “Data breaches often require entities to comply with multiple laws which may not be consistent, and ensuring consistency could help affected individuals receive timely, meaningful, and consistent notification and help ease the compliance burden back on entities.”
The ADA, then, recommends that the FTC work to eliminate the potential lack of conformity and overlapping requirements that could burden regulated entities while confusing and worrying patients.