The Federal Trade Commission has released a final rule requiring vendors of personal health records--and entities that offer third-party PHRs--to notify consumers when the security of their PHR data is breached. Despite efforts of the FTC and the Department of Health and Human Services to harmonize separate rules governing notification of breaches, the FTC rule takes confusion to a new level and will require considerable study.
Example 1: Under the rule, a vendor must notify the consumers who use its PHR software directly in the event of a breach. But if a hospital, insurer or other entity offers a vendor's PHR to consumers, then the vendor must notify the entity, which in turn must notify affected consumers.
Example 2: The rule does not apply to HIPAA-covered entities; the Department of Health and Human Services is writing separate rules governing the reporting of data breaches for these entities. Still, HIPAA-covered entities could fall under the FTC's rules for PHR breaches. "Because the FTC's rule does not apply to HIPAA-covered entities, it does not apply to PHRs that such entities offer their employees," according to the FTC final rule. "However, if a HIPAA-covered health care provider or group health plan offers PHRs to employees because they also are patients of such health care provider or enrollees of such group health plan, then HHS' rule would apply to the PHRs."
Example 3: Although the FTC's proposed rule made clear that it did not apply to HIPAA-covered entities, the final rule explicitly excludes doctors from its scope, even those involved with PHRs, but with a twist. "The Commission agrees that, because health care providers such as doctors are generally HIPAA-covered entities, the FTC's rule does not apply to them in such capacity. Thus, if a doctor's medical practice offers PHRs to its patients, neither the doctor nor the medical practice is subject to FTC's rule. However, if the doctor creates a PHR in a personal capacity, there may be circumstances under which the FTC's rule would apply. For example, a non-practicing doctor may create and offer PHRs to the public as part of a start-up business venture. In this circumstance, the doctor is not acting in his or her capacity as a HIPAA-covered entity, and thus, the FTC's rule would regulate the PHRs."
Example 4: Business associates of HIPAA-covered entities, which will be covered under HHS' breach notification rule, could in some circumstances also fall under the FTC's rule. "If they experience a breach, they could be required to provide direct breach notification to their individual customers under the FTC's rule," the final rule states. "At the same time, under HHS' rule, they could be required to notify HIPAA-covered entities to whom they provide services, so that the HIPAA-covered entities could in turn notify individuals. In some cases, as discussed further below, this potential overlap could lead to consumers' receiving multiple notices for the same breach."
These four examples come from just the first dozen pages of the 88-page rule, available for viewing at ftc.gov/os/2009/08/R911002hbn.pdf. The rule soon will be published in the Federal Register, at which point it becomes official.
The FTC final rule and HHS' forthcoming rule, which covers a variety of data breaches including PHRs, were mandated under the American Recovery and Reinvestment Act.
--Joseph Goedert
AUG 17, 2009 5:54pm ET
FTC's PHR Breach Rule = Confusion