HIT: Healthcare InfoTech Business Report – Proposed rule would require notice about security breaches

An HIT

The comment period on a 50-page proposed rule issued by the Federal Trade Commission (FTC) requiring vendors of personal health record systems and related entities to provide notice to consumers in the event of a security breach expires next Monday.

The rule is intended to be in compliance with the American Recovery and Reinvestment Act (ARRA) of 2009. The stimulus act requires the FTC and Department of Health and Human Services to work on a report to Congress due in February 2010 on potential privacy, security and breach notification requirements for personal health-record vendors and "related entities."

In the meantime, the law required the FTC to publish "interim final regulations" not later than 180 days after the act was signed into law by President Barack Obama onFeb. 17.

Many states require some form of notification in the event of a breach of computerized personal information, including healthcare information, but the act adds a federal breach-notification requirement to the mix, saying vendors of personal health-record (PHR) systems must notify the FTC and "each individual who is a citizen or resident of the United States whose unsecured, PHR identifiable health information" was acquired by an unauthorized person as a result of such a breach of security."

The ARRA also seeks to place vendors of certain personal health-record systems contracted for by providers, payers and other so-called "covered entities" under the security and privacy rules promulgated in accordance to the Health Insurance Portability and Accountability Act of 1996.

For example, technology behemoths Microsoft (Redmond, Washington) and Google (Mountain View, California) both offer personal health-record platforms, but neither has affirmed that the HIPAA privacy and security provisions apply to them.

In March, a Microsoft spokesman said the company was studying the matter; also that month, a Google representative said the provision did not apply to its PHR offering.

In addition to PHR vendors, the proposed FTC interim rule also would apply to PHR-related entities, including those not covered under the privacy and security provisions of HIPAA, specifically, those: "that offer products or services through the website of a vendor of personal health records," "that are not covered entities (as defined by HIPPA) and that offer products or services through the websites of covered entities that offer individuals personal health records," and "that are not covered entities and that access information in a personal health record or send information to a personal health record."

Article reprints

BioWorld MedTech

Today's news in brief

BioWorld

BioWorld briefs for April 19, 2024.

Today's news in brief

BioWorld MedTech

BioWorld MedTech briefs for April 19, 2024.

AACR 24: Freezing, of all things, is one way to heat cold tumors

BioWorld

“Hot and cold tumors may need different types of immunotherapy,” Jay Berzofsky told the audience as the American Association for Cancer Research’s (AACR) 2024...

AACR 2024: Getting older younger may be driving rise in early-onset cancers

BioWorld

As with most common diseases of the developed world, aging is the major risk factor for developing cancer. Most of the half-dozen hallmarks of precancer that were...

More biosimilars from China, US encroach on Amgen’s denosumab

BioWorld

Biosimilar competition to Amgen Inc.’s denosumab (Prolia/Xgeva) is rising globally, with Mabwell (Shanghai) Bioscience Co. Ltd. gaining the latest China NMPA...

Upgrade your daily dose of biopharma and medtech news

HIT: Healthcare InfoTech Business Report – Proposed rule would require notice about security breaches

An HIT