FTC seeks comment on proposed rule for PHR security breaches

The Federal Trade Commission (FTC) is seeking public comment on a proposed rule that would require entities to notify consumers when the security of their personal health record (PHR) is breached.

The American Recovery and Reinvestment Act of 2009 (ARRA) includes provisions to advance the use of health IT and, at the same time, strengthen privacy and security protections for health information. Specifically, it requires the Department of Health and Human Services (HHS) to conduct a study and report, in consultation with the FTC, on potential privacy, security and breach notification requirements for vendors of PHRs and related entities by February 2010.

In the interim, the FTC is required to issue a temporary rule requiring these entities to notify consumers if the security of their health information is breached.

The proposed rule requires PHR vendors and related entities to provide notice to consumers following a breach. It also stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach.

The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the HHS secretary.

The commission vote approving issuance of the Federal Register notice was 4-0. The FTC said the notice will be published shortly, and is available now on its Web site.

Public comments are being accepted through June 1, after which the commission will issue a final interim rule.

Visit the following link: https://secure.commentworks.com/ftc-healthbreachnotification to submit a comment.