[Med-privacy] proposed FTC rule
peter marshall
pwm@comcast.net
Mon, 8 Jun 2009 11:05:27 -0700
EPIC Submits Comments on Health Breach Notification to the FTC
=======================================================================
The Federal Trade Commission proposed a rule requiring vendors of
medical records and related entities to notify individuals when the
security of such medical information is compromised. The creation of
such a rule was mandated under the American Recovery and Reinvestment
Act. The FTC sought comments on the proposed rule.
EPIC submitted comments recommending that the scope of the Commission's
authority be construed as broadly as possible, and that all entities
that handle medical information be subject to the rule. EPIC advised
that the rule "provides the FTC with a unique opportunity to strengthen
privacy regulations covering [personal health records] breaches, assess
the strengths and weaknesses of such a regime, and file a report with
Congress." With regard to the distinction the proposed rule draws
between information that has been "accessed" and information that has
been "acquired," EPIC supported the presumption that any information
which could have been accessed by an unauthorized person was acquired,
and therefore triggers notice obligations.
The FTC rule also provided a safe harbor for de-identified information.
EPIC stated that such a provision created significant risks to personal
privacy and would undermine the purpose of the Act. EPIC objected that
de-identified information is not necessarily anonymous, since research
has shown that a particular set of data can be traced back to an
individual. With respect to the provisions for media notices, EPIC
advised providing notice on the home page of the entity's website or
in major print or broadcast media. EPIC also encouraged the FTC to
explore new media technologies that would improve the adequacy of
notice when a breach occurs.
EPIC also recommended that the federal agency create comprehensive
privacy and security standards, and impose penalties on entities
storing health records whose security protocols do not meet minimum
security requirements, resulting in data breaches. EPIC supported the
creation of a private right of action, including statutory damages
and/or civil penalties, in addition to injunctive relief. EPIC also
suggested preserving a private cause of action, which would place part
of the burden of enforcement on private parties rather than leave it
exclusively upon the Commission. Among other suggestions, EPIC advised
the federal agency to require verification that consumers receive data
breach notifications and to establish a central location to track and
announce breaches.
EPIC's Comments to the FTC:
http://epic.org/privacy/medical/Comments_on_FTC_EHR-EPIC.pdf
FTC Proposed Rule:
http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf
Federal Register:
http://edocket.access.gpo.gov/2009/pdf/E9-8882.pdf
FTC Public Comment Submission (Deadline June 1, 2009):
http://www.ftc.gov/os/publiccomments.shtm
The American Recovery and Reinvestment Act of 2009:
http://epic.org/redirect/022309_Stimulus_Act.html