FTC and HIPAA Breach Notification Rules: What's the difference?
Caitlin Anthoney Oct 31, 2024 12:03:08 PM
Health data stakeholders must distinguish between the Federal Trade Commission's (FTC) Health Breach Notification Rule and the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, enforced by the Department of Health and Human Services.
While both rules protect data privacy and security, their jurisdiction, definitions of a breach, and notification processes differ.
Jurisdiction and scope
The FTC's jurisdiction covers commercial health applications and services that fall outside HIPAA, while traditional healthcare organizations and their business associates are subject to HIPAA.
During the recent Safeguarding Health Information: Building Assurance through HIPAA Security 2024 conference, FTC attorney Ryan Mehm explained that although the FTC's rule is a "companion rule to HHS's breach notification," it relates to a different range of entities.
The FTC's Rule applies to “vendors of personal health records (PHR) and PHR-related entities” that are not governed by HIPAA, including the “huge explosion in health apps that are on the marketplace.”
Mehm emphasized that the FTC's jurisdiction is "incredibly broad and covers nearly all entities doing business in the United States, with the exception of nonprofits, insurance companies, [and] common carriers."
In contrast, HIPAA's Breach Notification Rule applies to covered entities like healthcare providers, health plans, and business associates.
Breach definition and types of incidents
The FTC has a broader definition of a data breach, even if there isn't an actual, direct cyber-attack. According to Mehm, “The Commission modified the definition of a breach of security to clarify that a breach covers both traditional cybersecurity incidents as well as unauthorized disclosures.”
On the other hand, HIPAA defines a breach as the unauthorized acquisition, access, use, or disclosure of unsecured protected health information (PHI), focusing more on data security breaches and unauthorized PHI disclosures.
Notification requirements
The FTC’s rule, as Mehm explained, requires PHR-related entities and their service providers to notify “consumers, the FTC, and in some cases, the media when there has been a breach of unsecured PHR identifiable health information.”
He added that the amendments to the rule now allow for greater use of electronic notifications. Mehm elaborated, “The amendments do so by adding a new definition of electronic mail.” Organizations giving notice under the rule must use email, supplemented by methods like "text message, in-app messaging, or an electronic banner within [their] website or app."
HIPAA, for its part, requires that covered entities notify the affected individuals, HHS, and, if the number of affected individuals exceeds 500, the media. Notifications are usually sent by direct mail unless the individual has indicated otherwise.
Timing and content of notifications
The amended FTC Rule requires that organizations inform the Commission and impacted individuals simultaneously "without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach."
Mehm commented on the change, saying, “The practical ramification of this is that the FTC will likely be receiving notices on a more extended timeline than we did previously, but the trade-off is we expect and anticipate that those notices will be more complete and more fulsome.”
HIPAA requires notifying affected individuals without unreasonable delay and within 60 calendar days of discovering the breach. It also requires notifying HHS within 60 days for breaches involving 500 or more individuals, or annually for smaller breaches.
Content requirements
The FTC requires notifications “to include the name or identity of any third parties that acquired unsecured PHR identifiable health information as a result of the breach [and] the specific categories of health information that were involved in a breach.”
HIPAA’s breach notification rule also requires a description of the breach, the type of information involved, and steps individuals can take to protect themselves, but does not include the FTC’s additional electronic notification methods.
FAQs
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
Who must follow HIPAA rules?
HIPAA rules apply to healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle patients’ protected health information (PHI).
How does HIPAA compliant email help with cybersecurity?
HIPAA compliant email, like Paubox, offers audit trails, access controls, and malware scanning. These features track PHI access and limit threat exposure, enhancing security against phishing and malware attacks.
Furthermore, Paubox email meets HIPAA’s Security Rule, helping organizations avoid penalties after a cyber incident.