The Federal Trade Commission took a big step toward its new role as a front-line healthcare information technology enforcer by issuing a proposed rule requiring personal health-record systems, vendors and related entities to notify consumers in the event of a security breach.
Rule would require PHR vendors to notify customers
The move, mandated by Congress in February via the American Recovery and Reinvestment Act, is aimed at the growing number of companies seeking to give consumers a place to store their health information online. The stimulus act requires the FTC and HHS to work together in preparing a report to Congress, due by February 2010, on potential privacy, security and breach notification requirements for PHR vendors and related entities.
The FTC said that its new rule would not apply to covered entities or their business associates as defined by the Health Insurance Portability and Accountability Act of 1996, but rather regulates previously unregulated entities that offer PHRs.
The move was cheered by privacy advocates. "I think the Wild West just got a sheriff, and I'm happy to see it," said Pam Dixon, founder of the World Privacy Forum. She cited Microsoft Corp. and Google as two PHR vendors that could be affected.
The 50-page notice and interim proposed rule noted that the stimulus act authorizes the agency to go beyond its traditional jurisdiction, including regulating not-for-profit PHR providers and nonprofit, third-party service providers.
FTC staff estimates that about 200 PHR vendors, another 500 related entities and 200 third-party service providers will be subject to the new breach notification rule. The staffers estimate that the 900 affected companies and organizations, on average, will experience 11 breaches each per year at a total cost of about $1 million per entity per year. Costs include investigating the breach, notifying consumers and establishing toll-free numbers for explaining the breaches and providing additional information to consumers.
Public comment period on the proposed interim FTC rule is open through June 1. The effective date of the rule is Sept. 18.