Thursday, August 27, 2009

FTC Issues Final Rule on Notification of Health Information Security Breaches

This posting was written by Darius Sturmer, Editor of CCH Trade Regulation Reporter.

The Federal Trade Commission has issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached.

The rule, which will take effect on September 24, 2009, applies to both vendors of personal health records—which provide online repositories that people can use to keep track of their health information—and entities that offer third-party applications for personal health records.

Third-party applications could include, for example, devices such as blood pressure cuffs or pedometers, whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential, according to the Commission.

Non-HIPAA Entities

Many entities offering these types of services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), which applies to health care service providers such as doctors' offices, hospitals, and insurance companies.

Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009. The Recovery Act requires the Department of Health and Human Services to conduct a study and report by February 2010, in consultation with the FTC, on potential privacy, security, and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA. In the meantime, the Act requires the Commission to issue a rule requiring these entities to notify consumers if the security of their health information is breached.

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers.

Notice to Consumers, Media, FTC

The rule specifies the timing, method, and content of notification. In the case of certain breaches involving 500 or more people, notice must be provided to the media. Entities covered by the rule also must notify the FTC.

The Final Rule, which was published at 74 Federal Register 42962, August 25, 2009, appears at CCH Trade Regulation Reporter ¶38,066. It will also appear in CCH Privacy Law in Marketing.
