Jurisdiction issues muddle Tricare EHR breach

A data breach involving nearly 5 million people treated at military healthcare facilities over a 19-year period is raising questions about whether U.S. Federal Trade Commission rules supersede Health Insurance Portability and Accountability Act regulations. Last week, Tricare, the managed care arm of the U.S. government's Military Health System, disclosed that contractor Science Applications International Corp. had lost backup tapes containing personally identifiable information--including some health data--of about 4.9 million people. The tapes contained data from electronic health records used at military hospitals, clinics, and pharmacies in the San Antonio area from 1992 until Sept. 7, 2011. Unlike HIPAA, FTC regulations don't require entities to sign agreements with "business associates" that hold third parties to the same standards when handling sensitive data.