On April 17, 2009, the Federal Trade Commission issued a notice of proposed rulemaking (NPRM) that requires vendors of personal health records (PHRs) and related entities, such as non-profit organizations that offer PHRs, to notify individuals when the security of their individually identifiable health information is breached. The NPRM seeks to conform with rules from HHS that safeguard protected health information, but the FTC proposed rule applies to non-HIPAA-covered entities that are not subject to HIPAA privacy and security requirements.
Among the many comments the FTC seeks are those that identify which entities would fall under this rule. We believe this rule will strengthen the trust consumers/patients have in sharing information in their PHRs with their health care providers. Major players entering the PHR market, such as Google and Microsoft, said in March 2009 that the HIPAA Privacy and Security Rules did not apply to them, but comments on the FTC’s NPRM may help the technology giants rethink compliance with privacy and security requirements. What do you think?
You can read the NPRM here.
Make comments on the NPRM here:
FTC Publishes Proposed Breach Notification Rule for Electronic Health Information
The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. The Recovery Act recognized new types of Web-based entities that collect or handle consumers’ sensitive health information. Some offer personal health records, which consumers can use as an electronic, individually controlled repository for their medical information, a real plus for patients managing chronic illnesses such as diabetes and heart conditions. Other online applications help consumers track and manage information in their personal health records, for example by connecting a pedometer to a computer and uploading miles traveled, heart rate, and other data. Patients with cancer can enter chemotherapy regimens, scheduled appointments, tumor staging, and recovery plans, a critical tool for cancer survivors. These innovations have the potential to provide numerous benefits for consumers, which can only be realized if consumers have confidence that the security and confidentiality of their health information will be maintained.
In keeping with the Recovery Act, the proposed rule requires vendors of personal health records and related entities to provide notice to consumers following a breach. The proposed rule also stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.
With respect to the scope of the proposed rule, the Commission seeks comment on (1) the nature of entities to which its proposed rule would apply; (2) the particular products and services they offer; (3) the extent to which vendors of personal health records, PHR related entities, and third party service providers may be HIPAA-covered entities or business associates of HIPAA-covered entities; (4) whether some vendors of personal health records may have a dual role as a business associate of a HIPAA-covered entity and a direct provider of personal health records to the public; and (5) circumstances in which such a dual role might lead to consumers’ receiving multiple breach notices or receiving breach notices from an unexpected entity, and whether and how the rule should address such circumstances.