Health Information Management

Comment on security breach notification rule that targets personal health records

HIM-HIPAA Insider, April 20, 2009

If you have an opinion on the proposed rule that would require vendors of personal health records (PHRs) and related entities to notify consumers in the event of a security breach, be sure to voice it. The Federal Trade Commission (FTC) seeks public comment on the 50-page proposed rule by June 1.

The American Recovery and Reinvestment Act (ARRA) of 2009 requires the FTC and HHS to draft a report on potential privacy, security, and breach notification requirements for PHR vendors and related entities no later than February 2010. Separately, the FTC must publish an interim final regulation no later than August 17, 2009, which is 180 days after February 17, the day on which President Obama signed ARRA into law.

Pursuant to ARRA, related entities are those that:

  • Offer products or services through the Web site of a PHR vendor
  • Are not covered entities (as defined by HIPAA) and that offer products or services through the Web sites of covered entities that offer individuals PHRs
  • Are not covered entities and that access information in or send information to a PHR

Many states already require notification when electronic personal health information is breached. ARRA creates a similar requirement at the federal level, under which PHR vendors and related entities must notify the FTC and each individual citizen whose information was breached.
