
FTC issues Health Breach Rule (Regulation)

The 2009 Recovery Act identified a growing segment of the technology market – “web-based entities” that collect health information from consumers. These include companies that allow consumers to manage their personal health record or “PHR” online. Such entities are currently not required to comply with the privacy and confidentiality requirements of HIPAA.

Under the Act, HHS and the FTC must study “privacy, security and breach notification” requirements for covered entities and then report back to Congress. The hope is that Congress will eventually write the report’s findings into future legislation. Until that happens, the Act provides temporary requirements and looks to the FTC to promulgate the implementing regulations. After digesting over 130 comments, the FTC has now issued its final rule.

The FTC’s Health Breach Rule requires covered entities to notify US citizens and residents in instances where there is a “breach of security,” i.e. instances where there is an “unauthorized acquisition of unsecured PHR identifiable health information of an individual”…

Some additional highlights: Notification must be made without “unreasonable delay” – within 60 days. The rule does not apply to HIPAA-covered entities (many pages of the rule are devoted to this analysis). Comments on the rule reveal considerable concern over the use of electronic health records, and over potential consumer confusion when multiple breach notices for the same incident are required under other federal or state laws.

The rule is clear on pre-emption: only state breach notification laws that are contrary to this rule are pre-empted. In other words, the federal rule is merely a “floor” here; covered entities must also comply with any additional state law requirements.
