Comment on security breach notification rule that targets personal health records

HIM-HIPAA Insider, April 21, 2009

If you’ve got an opinion on the proposed rule to require vendors of a personal health record (PHR) and related entities to provide notice to consumers in the event of a HIPAA security breach, be sure to voice it. The Federal Trade Commission (FTC) is seeking public comment on the 50-page proposed rule by June 1.

The American Recovery and Reinvestment Act (ARRA) of 2009 requires the FTC and HHS to draft a report on potential privacy, security, and breach notification requirements for PHR vendors and related entities no later than February 2010. The FTC will publish an interim final regulation no later than August 17, which is 180 days after February 17, the day on which President Obama signed ARRA into law.

According to ARRA, related entities are those that:

  • Offer products or services through the Web site of a vendor of PHRs
  • Are not covered entities (as defined by HIPAA) and that offer products or services through the Web sites of covered entities that offer individuals PHRs
  • Are not covered entities and that access information in a PHR or send information to a PHR

Although many states already require breach notification for electronic personal health information, ARRA adds a federal breach notification requirement under which PHR vendors and related entities must notify the FTC and each individual whose information was breached.
