[Med-privacy] FTC

peter marshall pwm@comcast.net
Fri, 1 May 2009 09:54:50 -0700


Federal Agency Proposes Medical Records Breach Rule
=======================================================================

The Federal Trade Commission has issued a notice of proposed rulemaking
and request for public comments regarding rules requiring vendors of
personal health records and related entities to notify individuals when
the security of their individually identifiable health information is
breached. The deadline for public comments is June 1, 2009.

The Recovery Act mandated the Department of Health and Human Services
to study, in consultation with the FTC, potential privacy, security,
and breach notification requirements to be submitted to the Congress
within a year. As an interim measure, the FTC is to enforce temporary
requirements that require vendors of personal health records, PHR
related entities, third party service providers, and online applications
that interact with such personal health records to notify customers in
the event of a breach. The proposed rule clarifies that it does not
apply to HIPAA-covered entities or to any entity's activities as a
business associate of a HIPAA-covered entity.

The Commission is seeking comments on the scope of the proposed rule
with respect to (1) the nature of entities to which the proposed rule
will apply; (2) the products and services offered; (3) the extent to
which the affected entities may be covered under HIPAA rules;
(4) whether some vendors of personal health records may have a dual
role as a business associate under HIPAA; and (5) circumstances when
such dual roles may lead to multiple breach notices.

The proposed rule adds Part 318 to 16 CFR and defines various terms
anew or borrows from other statutes including the Recovery Act. The
definitions include "breach of security;" "business associate;"
"HIPAA-covered entity;" "personal health record;" "PHR identifiable
health information;" "PHR related entity;" "third party service
provider;" "unsecured;" and "vendor of personal health records."

The notification requirements call for individual notification as well
as notification to the FTC to be made "without unreasonable delay" and
within 60 calendar days and 5 business days, respectively, after the
discovery of the breach. A section of the proposed rule addresses
methods of notice to individuals, the Commission, and the media.

Another section of the rule requires the content of the notice to
include a description of how the breach occurred; a description of the
types of information involved in the breach; steps to be taken by the
individual to protect from potential harm; and a description of action
being taken by the entity involved in the breach. The rule borrows
other sections heavily from the Recovery Act.


FTC Proposed Rule:
      http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf

Federal Register:
      http://edocket.access.gpo.gov/2009/pdf/E9-8882.pdf

FTC Public Comment Submission (Deadline June 1, 2009):
      http://www.ftc.gov/os/publiccomments.shtm

The American Recovery and Reinvestment Act of 2009:
      http://epic.org/redirect/022309_Stimulus_Act.html

Subtitle D - Privacy:
      http://epic.org/privacy/pdf/StimulusPassedBill-SubD.pdf