CCH® Healthcare Compliance — 09/03/09

Breach notification rule issued for e-health information

On August 17th, the Federal Trade Commission (FTC) issued a final rule requiring certain web-based businesses to notify consumers when the security of their electronic health information is breached. The rule applies both to vendors of personal health records, which provide online repositories that people can use to keep track of their health information, and to entities that offer third-party applications for personal health records.

Examples. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Many entities offering these types of services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), which applies to health care service providers such as doctors’ offices, hospitals, and insurance companies.

Recovery Act provisions. The American Recovery and Reinvestment Act of 2009 (ARRA) required the FTC to issue a rule requiring these entities to notify consumers if the security of their health information is breached. The FTC issued a proposed rule in April 2009, and collected public comments until June 1, 2009.

Requirements. The rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information, that is, information not protected by an encryption or destruction method recognized in the HHS guidance the rule incorporates. If a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must also notify the FTC, and they may use a standard form, which can be found along with additional information about the rule on the FTC web site at www.ftc.gov/healthbreach.

Effective date. The rule will take effect 30 days after publication in the Federal Register. The FTC will begin enforcement 180 days after publication.

FTC Press Release, August 17, 2009
