The Federal Trade Commission, in compliance with the American Recovery and Reinvestment Act of 2009, issued a formal notice seeking public comment on a proposed rule requiring vendors of personal health record systems and related entities to provide notice to consumers in the event of a security breach.
Comments on the 50-page proposed rule
can be submitted online
and must be in by June 1.
The stimulus act requires the FTC and HHS to work on a report to Congress due in February 2010 on potential privacy, security and breach notification requirements for personal health-record vendors and “related entities.” In the meantime, the law required the FTC to publish “interim final regulations” not later 180 days after the act was enacted. President Barack Obama signed the act into law Feb. 17.
Many states require some form of notification in the event of a breach of computerized personal information, including healthcare information, but the act adds a federal breach-notification requirement to the mix, saying vendors of personal health-record systems must notify the FTC and “each individual who is a citizen or resident of the United States whose unsecured, PHR identifiable health information” was acquired by an unauthorized person as a result of such a breach of security.”
The ARRA also seeks to place vendors of certain personal health-record systems contracted for by providers, payers and other so-called “covered entities” under the security and privacy rules promulgated in accordance to the Health Insurance Portability and Accountability Act of 1996. Technology giants Microsoft Corp. and Google both offer personal health-record platforms, but neither has affirmed that the HIPAA privacy and security provisions apply to them. In March, a Microsoft spokesman said the company was studying the matter; also that month, a Google representative said the provision did not apply
to its PHR offering.
In addition to PHR vendors, the proposed FTC interim rule also would apply to PHR-related entities, including those not covered under the privacy and security provisions of HIPAA, specifically, those: "that offer products or services through the website of a vendor of personal health records," "that are not covered entities (as defined by HIPAA) and that offer products or services through the websites of covered entities that offer individuals personal health records," and "that are not covered entities and that access information in a personal health record or send
information to a personal health record."
What do you think?
Post a comment on this article and share your opinion with other readers. Submit your comments to Modern Healthcare Online at firstname.lastname@example.org
. Please be sure to include your hometown and state, along with your organization and title.