If you’re in the business of collecting and storing your customers’ health data, you still have obligations when it comes to notifying them about discovered data breaches. Although HIPAA will likely not govern your company’s activities, you’ll still need to answer to the Federal Trade Commission (FTC) under the FTC Health Breach Notification Rule. This regulation impacts app developers, companies that offer digitized health tracking and monitoring programs, and organizations that allow users to upload and manage their health information. It also affects the obligations of companies that provide services to these types of organizations.
Under this rule, companies that aren’t HIPAA-regulated must alert their users, the media, and/or the FTC about any unauthorized acquisitions of unsecured health information from users’ personal health files that can be used to identify specific individuals. While this covers unauthorized hacker breaches and internal employee activities, companies are only required to make disclosures if the health information affected was unencrypted and stored electronically. This means that if your business used 256-bit AES encryption and similar safeguards to protect your customers’ health data, your business would be exempt from the rule’s reporting requirements.
If your business doesn’t already have encryption mechanisms built into your IT infrastructure, you could be subject to different notification requirements depending on the severity of the breach. For breaches of any size, you must notify each affected person by e-mail or first-class mail, depending on the individual’s preferences, without unreasonable delay and within 60 days. This means that although you technically have a 60-day window to notify customers, you’re required to alert them as soon as you have collected all the necessary details about the breach. You’ll also need to notify the FTC within 10 days of discovering the breach if it affected at least 500 people, or within 60 days following the end of the calendar year in which the breach occurred if it impacted fewer than 500 customers. In addition, if more than 500 of your affected customers live in any one state or in the District of Columbia, you must send a supplemental notice to the relevant print, online, and television media outlets that serve those customers.
What you say in your notice is just as important. First, you must include basic information about when the breach occurred and when you discovered it. You’ll also need to disclose what types of personal health information and other data were affected, along with information describing how your customers can contact you for more details. If particularly sensitive information—such as social security numbers, banking information, and insurance information—was exposed, you’ll also need to outline the next steps your customers should take with banks, insurance companies, credit reporting agencies, and other institutions to mitigate their risk of identity theft, fraud, and other crimes. Non-compliant businesses could face civil penalties of up to $41,484 per violation.
In the end, however, the easiest and most efficient way for companies to avoid liability under this rule is to encrypt their customers’ health records. Abacus Private Cloud allows you to implement 256-bit AES encryption and other HIPAA-compliant safeguards to protect your customers’ data from inadvertent or bad-faith disclosure.