Protecting Employee Privacy: Health Information Rules for Businesses
by Stephen Morris, Community Moderator
- Created: May 16, 2011, 6:54 pm
- Updated: May 16, 2011, 6:55 pm
By Cecelia Taylor
Does your employee health plan allow workers to maintain their medical information online? Do you store information on employee healthcare plans? If so, then you should familiarize yourself with the American Recovery and Reinvestment Act of 2009 (ARRA), which includes provisions to strengthen privacy and security protections for web-based businesses practices.
As a result of ARRA, the Federal Trade Commission issued a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule which requires businesses who have a security breach to:
Notify everyone whose information was breached;
In some cases, notify the media; and
Notify the FTC
The Health Breach Notification Rule applies if you are a:
- Vendor of personal health records (PHRs);
- PHR-related entity; or
- Third-party service provider for a vendor of PHRs or a PHR-related entity.
The Rule requires you to provide notice when there has been an unauthorized acquisition of PHR-identifiable health information that is unsecured and in a personal health record. In these cases, the FTC has designed a standard form for companies to use to report a breach.
The Federal Trade Commission further defines these terms with the following:
- Personal health record: A personal health record is an electronic health record that can be “drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” If your business experiences a breach involving only paper health records – not electronic records – the FTC’s Rule doesn’t require any notification. However, because many states have notification laws that might apply, it’s wise to consult your attorney.
- Unauthorized acquisition: If health information that you maintain or use is acquired by someone else without the affected person’s approval, it’s an unauthorized acquisition under the Rule.
- PHR-identifiable health information: The notification requirements apply only when you’ve experienced a breach of PHR-identifiable health information. This is health information that identifies someone or could reasonably be used to identify someone.
- Unsecured information: The Rule applies only to unsecured health information, defined by the U.S. Department of Health and Human Services (HHS) to include any information that is not encrypted or destroyed. If your employee loses a laptop containing only encrypted personal health records, for example, you wouldn’t be required to provide notification.
Be sure to read the brochure “Complying with the FTC’s Health Breach Notification Rule”, which the FTC created to explain which businesses must comply with the Rule. The brochure also offers guidance on what to do in case your business experiences a security breach.
The FTC’s Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA). In the event of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule. FTC enforcement of the Rule began on February 22, 2010.
For more information on privacy practices and understanding the law, check out the following resources for small businesses:
- The SBA’s Privacy and Security guide which explains how privacy laws apply to your business and how to comply with them
- Interactive tutorial of FTC's Information Security Guide for business
- SBA’s article on “How to use credit and consumer reports to protect your small business interests”
About the Author
Stephen Morris is online media coordinator for the U.S. Small Business Administration where he manages digital outreach to the small business community.
Top Rated Articles
About This Blog
Legal terms and rules explained
- July 2014 (11)
- June 2014 (17)
- May 2014 (23)
- April 2014 (28)
- March 2014 (21)
- February 2014 (16)
- January 2014 (22)
- December 2013 (15)
- November 2013 (26)
- October 2013 (17)
- September 2013 (24)
- August 2013 (21)
- July 2013 (26)
- June 2013 (24)
- May 2013 (29)
- April 2013 (29)
- March 2013 (27)
- February 2013 (26)
- January 2013 (30)