HIMSS and PCHAlliance Submit Comments in Response to FTC Health Breach Notification Regulatory Review

On Aug. 20, 2020, HIMSS and PCHAlliance submitted comments in response to a Notice of Proposed Rulemaking (NPRM) Regulatory Review and Request for Public Feedback on the Federal Trade Commission’s (FTC’s) Health Breach Notification Rule.

HIMSS and PCHAlliance expressed support for a review of the rule and took this opportunity to address the critical intersections this update has on the broader discussion surrounding health data privacy.

This discussion encompassed the implications of potential updates to health information and data that fall under the purview of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as well as components expanded upon in the recently finalized version of the 21st Century Cures Act relating to application programming interface (API) technology. While these laws are separate and distinct from the Health Breach Notification Rule, the comment letter emphasized how the lines between information that falls in the categories of FTC non-protected personal health data and HIPAA protected health information are becoming increasingly muddled with the rise and advances of new technologies in this area.  

In the comment letter, HIMSS and PCHAlliance focused on two major themes including:

1. Ensuring that the Health Breach Notification Rule is retained and working in concert with other privacy and security regulations
2. Emphasizing the importance of harmonizing all privacy and security laws, regulations, directives and industry-led guidelines.

Within the recommendations, HIMSS and PCHAlliance included the need for foundational changes that would involve material terminology being re-visited and modified in order to better align with current definitions in health data privacy.

In addition, HIMSS and PCHAlliance encouraged cross-agency collaboration and stressed the importance of privacy regulations, or subsets of other regulations, working in concert as many of the same components of an individual’s protected and non-protected data are co-mingled together.

RELATED: Personal Health Information: Federal Trade Commission Health Breach Notification Rule Regulatory Review Response Letter

The letter also discusses how, in order to encourage widespread adoption, acceptance and trust of new innovative technologies, FTC should work closely with other federal agencies that currently have authority over these rules to ensure that the processes required to successfully update privacy and security standards and frameworks are facilitated.

In terms of developments coming out of the Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services on interoperability, as more organizations and entities become subject to these specific regulations, more collaboration across the federal government will be helpful to the broader community.  

Other components of the letter addressed the importance of an updated mechanism and timeline for reporting a known data breach and the critically significant implications of COVID-19 on patient privacy.

Overall, HIMSS and PCHAlliance emphasized that as broader health data privacy and security changes are considered across the federal agencies or in Congress, the issues concerning the intersections, overlap and ambiguities in regulations and agency jurisdictions needs to be addressed. 

Please reach out to policy@himss.org with questions or for more information.