The Federal Trade Commission, in compliance with the American Recovery and Reinvestment Act of 2009, issued a formal notice seeking public comment on a proposed rule requiring vendors of personal health-record systems and related entities to provide notice to consumers in the event of a security breach.
The stimulus act requires the FTC and HHS to produce a report to Congress, due by February 2010, on potential privacy, security and breach-notification requirements for personal health-record vendors and "related entities." In the meantime, the law required the FTC to publish "interim final regulations" not later than 180 days after it was enacted. President Barack Obama signed the act into law Feb. 17.
In addition to PHR vendors, the proposed FTC interim rule also would apply to PHR-related entities, including those not covered under the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996. Specifically, those "that offer products or services through the Web site of a vendor of personal health records," "that are not covered entities (as defined by HIPAA) and that offer products or services through the Web sites of covered entities that offer individuals personal health records," and "that are not covered entities and that access information in a personal health record or send information to a personal health record."
Many states already require some form of notification in the event of a breach of computerized personal information, including healthcare information, but the act adds a federal breach-notification requirement to the mix: vendors of personal health-record systems must notify the FTC and "each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security."
The act also seeks to place vendors of certain personal health-record systems contracted for by providers, payers and other so-called "covered entities" under the security and privacy rules promulgated in accordance with HIPAA. Technology giants Microsoft Corp. and Google both offer personal health-record platforms, but neither has affirmed that the HIPAA privacy and security provisions apply to them. In March, a Microsoft spokesman said the company was studying the matter; also that month, a Google representative said the provision did not apply to its PHR offering.