The Federal Trade Commission has announced a proposed rule that would require vendors of personal health records to notify consumers when the security of their electronic health information is breached.
The American Recovery and Reinvestment Act of 2009 (ARRA) requires the Department of Health and Human Services in consultation with the FTC to conduct a study and report, by February 2010, on potential privacy, security, and breach notification requirements for vendors of personal health records and related entities. In the interim, ARRA requires the Commission to issue a temporary rule requiring these entities to notify consumers if the security of their health information is breached.
The proposed rule requires vendors of personal health records and related entities to provide notice to consumers following a breach. The proposed rule also stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches.
Public comments on the proposed rule will be accepted through June 1, 2009.
