Protecting Employee Privacy: Health Information Rules for Businesses

By Cecelia Taylor

Does your employee health plan allow workers to maintain their medical information online?  Do you store information on employee healthcare plans? If so, then you should familiarize yourself with the American Recovery and Reinvestment Act of 2009 (ARRA), which includes provisions to strengthen privacy and security protections for web-based businesses practices.

As a result of ARRA, the Federal Trade Commission issued a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule which requires businesses who have a security breach to:

• Notify everyone whose information was breached;

• In some cases, notify the media; and

• Notify the FTC

The Health Breach Notification Rule applies if you are a:

• Vendor of personal health records (PHRs);
• PHR-related entity; or
• Third-party service provider for a vendor of PHRs or a PHR-related entity.

The Rule requires you to provide notice when there has been an unauthorized acquisition of PHR-identifiable health information that is unsecured and in a personal health record.  In these cases, the FTC has designed a standard form for companies to use to report a breach.  

The Federal Trade Commission further defines these terms with the following:

• Personal health record: A personal health record is an electronic health record that can be “drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” If your business experiences a breach involving only paper health records – not electronic records – the FTC’s Rule doesn’t require any notification. However, because many states have notification laws that might apply, it’s wise to consult your attorney.
• Unauthorized acquisition: If health information that you maintain or use is acquired by someone else without the affected person’s approval, it’s an unauthorized acquisition under the Rule.
• PHR-identifiable health information: The notification requirements apply only when you’ve experienced a breach of PHR-identifiable health information. This is health information that identifies someone or could reasonably be used to identify someone.
• Unsecured information: The Rule applies only to unsecured health information, defined by the U.S. Department of Health and Human Services (HHS) to include any information that is not encrypted or destroyed. If your employee loses a laptop containing only encrypted personal health records, for example, you wouldn’t be required to provide notification.

Be sure to read the brochure “Complying with the FTC’s Health Breach Notification Rule”, which the FTC created to explain which businesses must comply with the Rule.  The brochure also offers guidance on what to do in case your business experiences a security breach.

The FTC’s Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services.  Also, the FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA).  In the event of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule.  FTC enforcement of the Rule began on February 22, 2010.

Additional Resources:

For more information on privacy practices and understanding the law, check out the following resources for small businesses:

• The SBA’s Privacy and Security guide which explains how privacy laws apply to your business and how to comply with them
• Interactive tutorial of FTC's Information Security Guide for business
• SBA’s article on “How to use credit and consumer reports to protect your small business interests”