The comment period on a 50-page proposed rule issued by the Federal Trade Commission (FTC) requiring vendors of personal health record systems and related entities to provide notice to consumers in the event of a security breach expires next Monday.
The rule is intended to be in compliance with the American Recovery and Reinvestment Act (ARRA) of 2009. The stimulus act requires the FTC and Department of Health and Human Services to work on a report to Congress due in February 2010 on potential privacy, security and breach notification requirements for personal health-record vendors and "related entities."
In the meantime, the law required the FTC to publish "interim final regulations" not later than 180 days after the act was signed into law by President Barack Obama on Feb. 17.
Many states require some form of notification in the event of a breach of computerized personal information, including healthcare information, but the act adds a federal breach-notification requirement to the mix, saying vendors of personal health-record (PHR) systems must notify the FTC and "each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security."
The ARRA also seeks to place vendors of certain personal health-record systems contracted for by providers, payers and other so-called "covered entities" under the security and privacy rules promulgated in accordance with the Health Insurance Portability and Accountability Act of 1996.
For example, technology behemoths Microsoft (Redmond, Washington) and Google (Mountain View, California) both offer personal health-record platforms, but neither has affirmed that the HIPAA privacy and security provisions apply to them.
In March, a Microsoft spokesman said the company was studying the matter; also that month, a Google representative said the provision did not apply to its PHR offering.
In addition to PHR vendors, the proposed FTC interim rule also would apply to PHR-related entities, including those not covered under the privacy and security provisions of HIPAA, specifically, those: "that offer products or services through the website of a vendor of personal health records," "that are not covered entities (as defined by HIPAA) and that offer products or services through the websites of covered entities that offer individuals personal health records," and "that are not covered entities and that access information in a personal health record or send information to a personal health record."