
THE ERISA COMMITTEE

Apr 21, 2009

FTC and HHS Release Proposed Health Breach Notification Guidance, Request Comments

The Federal Trade Commission (FTC) last week issued a proposed rule requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached.

The American Recovery and Reinvestment Act of 2009, which included provisions to advance the use of health information technology and strengthen privacy and security protections for health information, directed the FTC to issue within 180 days regulations on the breach notification provisions applicable to its regulated entities, including vendors of personal health records.

The proposed rule applies to vendors of personal health records, PHR related entities, and third party service providers. It does not apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.

In general, following the discovery of a breach of security of personal health record information maintained or offered by a vendor (or a related entity), the vendor would be required to notify each individual who is a citizen or resident of the United States whose information was acquired by an unauthorized person, and to notify the Federal Trade Commission. In addition, a third-party service provider would be required to provide notice of a breach to a senior official at the vendor of personal health records or related entity to which it provides services, and to obtain acknowledgment from that official that the notice was received.

The FTC has requested that comments on the proposed rule be received by June 1, 2009.

Meanwhile, the Department of Health and Human Services (HHS) on April 17 issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Recovery Act. HHS said the guidance relates both to the notification regulations issued by HHS for covered entities and their business associates under HIPAA and to the FTC's proposed rule discussed above for vendors of personal health records and other non-HIPAA-covered entities. HHS has also issued a request for information (RFI) on the breach notification provisions.

Websites:

FTC Proposed Rule/Request for Comments

HHS Guidance/Request for Information
