Comment re: Health Breach Notification Rulemaking, Project No. R911002
In most instances, an entity that (i) falls under the definition of either "vendor of PHR" or "PHR related entity" and (ii) is a business associate of a HIPAA covered entity will not be subject to the Federal Trade Commission (FTC) reporting requirements, but instead will be subject to the reporting requirements of the Department of Health and Human Services (HHS). In limited instances, however, the entity may be subjected to a double reporting requirement. For instance, a health information exchange (HIE) may offer PHRs to the members of its covered entity sponsor health plans as a benefit of those plans. Because the HIE is a business associate of the health plans, the HIE would fall under the HHS reporting requirements and would report any disclosure due to a breach to the covered entity and to HHS. However, should the HIE maintain a PHR for an individual who is no longer a member of a sponsor health plan, then with respect to that departing individual the HIE would no longer be considered a business associate of the health plan, and therefore would be subject to the FTC reporting requirements for that individual. This arrangement creates a situation where in some instances the HIE would report a breach to the FTC, while in other instances the HIE would report a breach to HHS. Subjecting an entity to this double reporting requirement would require the entity not only to track the disclosures but also to categorize any affected individuals into the required reporting categories, and to implement policies and procedures for each reporting scenario. The administrative burden placed on such an entity would likely outweigh the benefit received by the affected individual, as the individual is notified under both the FTC and the HHS reporting requirements.
We ask for clarification and guidance regarding how an entity that would be subject to both the FTC and the HHS reporting requirements should proceed. We suggest that, since the FTC ultimately reports disclosures to HHS, once an entity is excepted from the FTC reporting requirements due to its business associate status, the entity should remain subject to the HHS reporting requirements for any disclosure of protected health information for any affected individual, so long as the entity remains a business associate of the covered entity.