The Federal Trade Commission, in compliance with the American Recovery and Reinvestment Act of 2009, issued a formal notice seeking public comment on a proposed rule requiring vendors of personal health-record systems and related entities to provide notice to consumers in the event of a security breach.
The stimulus act requires the FTC and HHS to produce a report to Congress, due in February 2010, on potential privacy, security and breach-notification requirements for personal health-record vendors and related entities. In the meantime, the law required the FTC to publish interim final regulations not later than 180 days after the act was enacted. President Barack Obama signed the act into law on Feb. 17.
Many states require some form of notification in the event of a breach of computerized personal information, including healthcare information, but the act adds a federal breach-notification requirement to the mix. It says vendors of personal health-record systems must notify the FTC, and each individual who is a citizen or resident of the United States, whenever that person's unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security.
Comments on the 50-page proposed rule can be submitted online and must be in by June 1.