Yesterday, the Federal Trade Commission (FTC) released its final rule on health breach notification. The rule sets guidelines for vendors of personal health records (PHRs) on how and when to notify consumers when their health information has been breached.
PHRs are typically Internet-based programs that enable consumers to collect, retain and share their personal health information. A defining characteristic of PHRs is the high level of control consumers exert over information in the PHR. The FTC final rule applies to PHRs that are operated by entities that are not covered by HIPAA, such as Google and Microsoft. Other PHRs are operated by health care providers that are covered under HIPAA laws, like hospitals; the Dept. of Health and Human Services (HHS) is expected to issue separate final breach notification rules for these PHRs very soon.
CDT submitted comments to the FTC's proposed rule in June 09. The FTC's final rule implements most, although not all, of CDT's recommendations. Among CDT's recommendations that the FTC agreed to implement in its final rule:
- The FTC and HHS rules on health data breach notification must be harmonized,
- Privacy and security protections should apply both to data in storage and in transit,
- This rule represents an appropriate expansion of the FTC's traditional consumer protection authority,
- Breach notices should be issued from the entity with the closest direct relationship to the consumer, and only one notice per breach, and