Law360 (May 8, 2020, 8:00 PM EDT) -- The Federal Trade Commission said Friday that it is considering changing a decade-old, little-used rule that requires certain companies handling health information to publicly report data breaches — and which could gain new relevance as consumers increasingly turn to telehealth.
The consumer protection agency says it is soliciting comments on whether it should make changes to its 2009 "Health Breach Notification Rule," which mandates the disclosure of data breaches by firms that handle personal health data but that are not covered by the Health Insurance Portability and Accountability Act, or HIPAA, which has its own breach notification rules.
Federal authorities have not filed a single enforcement action under the obscure rule over the past decade, and only two companies have notified the commission about breaches affecting more than 500 people, the agency said in a notice posted in the Federal Register.
Most companies that handle health data have historically been covered by HIPAA or by data breach notification rules issued by the U.S. Department of Health and Human Services, the FTC said. But more companies may soon be covered by the FTC's rule as health care patients increasingly turn to technologies such as virtual assistants and mobile health apps, according to the agency.
The rise of telehealth services has been sped up considerably in recent weeks as the coronavirus pandemic has forced the federal government to lift barriers to telemedicine so patients can get care without leaving home.
In a news release, the FTC said Friday that it is now seeking comments on "whether the rule's definitions should be modified to reflect legal, economic, and technological changes," including "whether and how the rule should address any developments in health care products or services related to COVID-19."
Among the questions that the agency will examine is whether covered companies should be required to report data breaches sooner, the FTC said in the release. The rule currently mandates that covered companies alert the FTC within 10 business days after discovering a breach if more than 500 people are affected, and up to 60 days after discovering a breach affecting fewer people.
Many U.S. state laws require companies to notify authorities of data breaches sooner than that, and the European Union's General Data Protection Regulation mandates that firms report breaches within 72 hours after discovering them.
The FTC's request for comment is part of the agency's protocol of reviewing rules every 10 years. In this case, that review period happens to coincide with the rise of telehealth during COVID-19. But telehealth technologies had already been growing in popularity long before the pandemic hit.
Federal authorities have already made tweaks to privacy laws like HIPAA amid COVID-19, while FTC officials have attempted to clarify how privacy law applies in the age of social distancing. Last month, for example, in guidance for education technology firms enabling remote learning during the pandemic, the FTC wrote in a blog post that schools rather than parents can consent under the Children's Online Privacy Protection Act to the collection of young students' personal data for educational reasons.
--Additional reporting by Kevin Stawicki. Editing by Jay Jackson Jr.