ADA comments on proposed changes to FTC Health Breach Notification Rule

Association urges agency to coordinate final rule with HHS, state law

August 21, 2020

By Jennifer Garvin

Washington — The ADA is asking the Federal Trade Commission to coordinate its final Health Breach Notification Rule with other laws and regulations in order “to eliminate the potential lack of conformity and overlapping requirements that could lead to burdens on regulated entities as well as confusion and worry for patients.”

The Association shared this in Aug. 20 comments filed with the FTC. In the letter, ADA President Chad P. Gehani and Executive Director Kathleen T. O’Loughlin said the ADA is concerned about conflicts between the proposed rule and state, local and other federal laws and regulations.

Drs. Gehani and O’Loughlin said the proposed rule’s acknowledgement that “it does not apply to health information secured through technologies specified by HHS” and the fact that it is not applicable to businesses or organizations covered by the Health Insurance Portability and Accountability Act could be potentially confusing, noting that HIPAA-covered entities and their business associates must instead comply with HHS’s breach notification rule.

In order to prevent “unnecessary confusion” in notification requirements, the ADA said it “strongly recommends” that the FTC and HHS work “closely together to assess the extent to which vendors of personal health records, personal health records-related entities and third-party service providers may be HIPAA-covered entities or business associates of HIPAA-covered entities.”

The ADA stressed the FTC and HHS should ensure that the breach notification requirements are effective but not “overly burdensome or costly to implement and follow.”

“Coordination between the FTC and HHS to come up with the requirements is essential in order to avoid circumstances in which consumers (i.e., patients) may receive multiple, duplicative breach notices over the same incident. Moreover, overly burdensome, costly requirements may act as a disincentive for widespread personal health records and electronic health records adoption and use,” Drs. Gehani and O’Loughlin wrote.

The ADA also said it is concerned about the impact of state laws and regulations that may overlap with these proposed requirements.

“Overlapping and conflicting laws and regulations risk leading to confusion on the part of dentists as well as their patients,” Drs. Gehani and O’Loughlin wrote. “This confusion may grow even greater when a federal regulation, such as those proposed here by the FTC, overlaps with several states that may be served by an entity. With the potential for electronic personal health records to be operated by a vendor across several states, this problem is exacerbated. Data breaches often require entities to comply with multiple laws which may not be consistent, and ensuring consistency could help affected individuals receive timely, meaningful, and consistent notification and help ease the compliance burden on entities.”

Follow all of the ADA’s advocacy efforts at ADA.org/Advocacy.