Health Breach Notification Rulemaking #541358-00109

Submission Number:
Joel White
Health IT Now Coalition
Initiative Name:
Health Breach Notification Rulemaking
June 1, 2009

Mr. Jon Leibowitz
Federal Trade Commission
Office of the Secretary
Room H-135 (Annex M)
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20508

RE: Health Breach Notification Rulemaking, Project No. R911002

Dear Mr. Leibowitz:

We appreciate the opportunity to submit our comments on the Health Breach Notification Rulemaking, Project No. R911002. The undersigned groups represent a broad range of interests who applaud your efforts to promote the adoption and use of health information technology (HIT) and to notify and protect consumers when there is a breach of personal health information.

The American Recovery and Reinvestment Act (ARRA) requires vendors of personal health records, PHR related entities and third party service providers to comply with new breach notification requirements to alert consumers of the acquisition of personal health information by an unauthorized person. It is necessary to ensure that the rule is carefully crafted because FTC's temporary authority to regulate and enforce breaches ends only if Congress enacts legislation to address this issue, which they may not do.

Uniform Standards Across Entities

We believe disparate rules for breach notification for different entities would be counterproductive and costly. Because the ARRA covers entities that are not subject to HIPAA and extends authority to the FTC to enforce new requirements, we appreciate and support collaboration with the Department of Health and Human Services to ensure that requirements are uniform. We encourage you to harmonize your proposed rule with that of HHS to minimize costs for those who use personal health information. Differing standards will only increase administrative complexity and cost.

In addition, some entities may be considered business associates under HIPAA in some instances and thus governed by the HHS breach notification rule, and, in other cases, these same entities will be governed by the FTC rule. Standards across instances such as this should be uniform because the goal remains the same: consumers deserve to know if their personal health information is at risk. Businesses should have clear rules to follow in achieving that goal. Multiple breach notices would confuse individuals. The FTC should devise standards that vest accountability for the breach in one entity (controlling entity) and require one notice for the same breach of information.

Individual Notice

We appreciate the FTC's comments in the proposed rule regarding notice to individuals. We particularly believe that e-mail notice of a breach may be better suited to the on-line relationship between a vendor of personal health records or a PHR related entity and an individual. We note the Commission's recognition that, due to this relationship, vendors and related entities and consumers may not want to collect or share their physical mailing addresses.

We disagree, however, that the statute requires consumers to opt-in to an e-mail arrangement as proposed by the rule. We strongly believe consumers should be allowed to opt-out of an e-mail notification if they choose and opt into a postal service mail notice. We believe the default option in an electronic and on-line relationship should be notification by e-mail. This will help enhance the convenience for consumers and the timeliness of a notice. In addition, an e-mail notice will help protect consumer privacy by not requiring disclosure of their physical mailing address. It will also help reduce mailing costs and administrative expenses for vendors and PHR related entities. These costs are ones that will not be passed on to consumers because they are not incurred.

Thank you for the opportunity to submit these comments on the proposed rule.

Sincerely,

American Homeowners Grassroots Alliance and the American Homeowners Foundation
Genetic Alliance
HLTH Corporation
National Association of Chain Drug Stores
National Retail Fe