Breach notice for personal health records

Friday, August 21, 2009

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for companies that offer web-based "personal health record" services. (One such business in Microsoft Health Vault.) The law directed the Federal Trade Commission (FTC) to issue a rule requiring these companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Under the FTC’s Rule, companies that have had a security breach must:

• Notify everyone whose information was breached;
• In many cases, notify the media; and
• Notify the FTC.

The rule applies to both vendors of personal health records (PHRs) – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit from these services, but only if they are confident that their health information is secure and confidential.

Many companies offering these types of services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), which applies to health care service providers such as doctors’ offices, hospitals, and insurance companies. The Recovery Act requires the Department of Health and Human Services to conduct a study and report by February 2010, in consultation with the FTC, on potential privacy, security, and breach-notification requirements for vendors of personal health records and related entities not subject to HIPAA. Meanwhile, the FTC has issued this rule requiring entities to notify consumers if the security of their health information is breached.

The FTC has designed a standard form for companies to use to notify the FTC of a breach. The form will become final after the Rule has been published in the Federal Register. The rule will take effect 30 days after publication in the Federal Register. The FTC will begin enforcement 180 days after publication. Consumer Action will update this alert as soon as we learn the key dates.

The FTC’s Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA). In case of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule.