Digital technology enables businesses to store information electronically, without the need for expansive file cabinets and storage facilities, and to transmit data quickly and efficiently. It also exposes businesses to the risk of data breaches, which in turn put consumers at risk of harms such as identity theft. The Federal Trade Commission (FTC) recently issued guidelines regarding compliance with two major federal statutes that protect consumers and their privacy: the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Pub. L. 104-191, 110 Stat. 1936 (Aug. 21, 1996); and the Federal Trade Commission Act (FTC Act) of 1914, 15 U.S.C. § 41 et seq.
HIPAA is a comprehensive law dealing with various aspects of health insurance, but it is perhaps best known to the public for its provisions regarding medical information privacy. The statute directed the Department of Health and Human Services (HHS) to present “detailed recommendations on standards with respect to the privacy of individually identifiable health information” to several Congressional committees. Pub. L. 104-191 § 264, 110 Stat. 2033. From those recommendations HHS developed a set of standards and procedures, commonly known as the Privacy Rule, found at 45 C.F.R. Part 164.
In a very general sense, the Privacy Rule applies only to health care providers, insurers, and related businesses, described as “covered entities.” 45 C.F.R. § 160.103. The Rule also applies, however, to “business associates,” a term defined to include any “subcontractor that creates, receives, maintains, or transmits” protected health information (PHI) on a covered entity's behalf. Id. This definition can reach many types of businesses besides medical professionals and health care providers, including vendors that merely store or process health data for them.