The HITECH Act expands the legal obligations and liabilities related to safeguarding health records to entities which are neither covered entities nor business associates under HIPAA. The affected entities are personal health record vendors (PHR Vendors) and entities that: (i) offer products and services through the website of a PHR Vendor; (ii) are not covered by HIPAA and offer products or services through the websites of covered entities that offer individuals PHRs; and (iii) are not covered entities and that access information in a PHR or send information to a PHR (each a “PHR Management Service”). The obligations also reach any third party service provider which provides services to PHR Vendors and PHR Management Services in connection with PHR Records and “accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services.”
The new obligations created by the HITECH Act require such entities to provide notification in the event of a breach of security resulting in the acquisition of unsecured PHR identifiable health information without the authorization of the affected individuals. The PHR Vendor, PHR Management Services and their respective third party servicers are required to provide notifications to each affected individual and to the FTC. The FTC is then required to provide notice to HHS. The third party servicers must also provide notice to PHR Vendors and PHR Management Services of any breach that they discover, and such notice must identify each affected individual.
Each breach is considered to be a violation of the Federal Trade Commission Act’s prohibition on unfair and deceptive acts or practices and is subject to civil penalties of up to $16,000 per breach. Pursuant to the HITECH Act, the FTC has adopted the Health Breach Notification Rule (the FTC Rule) and stated that an unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information. However, the presumption is a rebuttable one, provided the PHR Vendor, PHR Management Service or respective third party servicer that experienced the breach has reliable evidence showing there has not been, or could not reasonably have been, any unauthorized acquisition of such information. The FTC has decided that the FTC Rule “does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.”
The notification requirements for breaches set forth in the FTC Rule are similar to the requirements of the HITECH Act. The FTC Rule essentially places the same notification obligations on PHR Vendors, PHR Management Services and their third party servicers that the HITECH Act places on covered entities and business associates. Enforcement of the FTC Rule commenced on February 22, 2010, and the FTC has already posted incidents of breaches and the names of the entities involved.
The HITECH Act and the FTC Rule have upped the ante for entities not subject to HIPAA and require any business which deals with PHRs to evaluate its operations to ensure compliance. The HITECH Act and the FTC Rule also create additional complexity for entities which may be covered by HIPAA for some of their activities and subject to the FTC Rule for others.