FTC Unveils EHR Security Rule

HealthLeaders Media Staff, April 17, 2009

The FTC's proposed interim rule governing security for electronic health records expands responsibility for maintaining patient confidentiality to include third-party vendors, enhances patient notifications for breaches, and sends a clear signal that the federal government will crack down on violators.

"It's a tremendous scare," says Tom Green, senior director of sales and marketing for Premier Insurance Management Services Inc., a subsidiary of Premier Inc. "If patient health information is not properly safeguarded or encrypted or they don't have the necessary policies and procedures in place to ensure safe-keeping, you are opening yourself up to significant civil fines and penalties in addition to some potential lawsuits, not to mention the public relations issues you could be facing."

In addition to providing about $36.3 billion to offset hospitals' and physicians' costs for installing interoperable EHR, the stimulus package also includes mandates to strengthen privacy and security protections. The FTC and HHS are drafting a report due next February that will establish threshold requirements. Until then, the FTC will operate under the proposed interim rule, which was unveiled last week for a public comment period that ends June 1.

The interim rule would apply to entities that traditionally have been beyond FTC's jurisdiction, including "vendors of personal health records and other non-HIPAA covered entities," regardless of whether they fall within the FTC's jurisdiction. "Thus, the proposed rule would apply to entities such as nonprofit entities that offer personal health records or related products and services, as well as nonprofit third-party service providers," the FTC notice says.

The proposed rule also includes stepped up patient notification provisions after a breach. Whereas HIPAA only requires that steps be taken to mitigate damages after a breach, the new rule requires notifying affected patients. If more than 500 patients' records are compromised the local "prominent media" must be told. "This is going to really create a huge potential public relations exposure for these entities," Green says. "When these breaches are occurring, you are seeing breaches in the thousands. Five hundred is something that could happen very easily."

While the new rule may seem stringent, Green says no one should be surprised by the stepped-up enforcement. "The public has been calling for this level of protection for some time," he says. "As we become a society that relies more upon electronic means for transmission of information, utilization of different IT, it's appropriate that these safeguards are taken to protect against identity theft."

Green says everyone affected by the interim rule needs to read up on the new proposal. That includes examining existing security measures, ensuring that employees are properly trained and informed, and reviewing the security measures of vendors who may have access to EHR.

The FTC anticipates that 900 entities – including vendors and other "non-HIPAA covered entities" -- will now be covered by the proposed rule and saddled with an annual cost of more than $1 million to cover the breach notification provisions, including approximately 200 vendors, 500 related entities, and 200 third-party service providers. These entities are expected to average 11 breaches a year that warrant notification, and there is a three-page explanation for how the FTC got those figures in the public comments notice. The bottom line is that the estimated annual cost of the breach notifications is $1,020,625: $83,402 for costs associated with investigating breaches, drafting notifications of breaches and notifying the FTC; $74,240 for costs associated with notifying consumers; and $862,983 for costs associated with establishing toll-free numbers. (The FTC says these figures might be overstated because they assume all breaches will require notification.)

Green says the eventual permanent rules governing EHR security won't be much different from what's already been proposed in the interim rule. "There will be a little bit of tweaking to some of the regulations, but the essence of the rules as stated are probably going to be advanced as they are," he says. "A few states have already enacted similar laws, such as California. This is really broadening it to the federal level."

To file a public comment, go to: https://secure.commentworks.com.

Facebook icon
LinkedIn icon
Twitter icon