The Federal Trade Commission today announced that it has approved a Federal Register notice seeking public comment on a proposed rule ("Proposed Rule") that would require entities to notify consumers of security breaches of their electronic health information. A copy of the Proposed Rule can be found at http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf. Provisions addressing personal health records ("PHR") in the American Recovery and Reinvestment Act of 2009 ("ARRA") required the FTC to promulgate such a rule. Once finalized, the Rule will apply to PHR vendors, PHR related entities, and third party service providers. Importantly, the Proposed Rule will not apply to HIPAA-covered entities, or to any other entity that engages in activities as a business associate of a HIPAA-covered entity, so as not to duplicate the notification requirements that already apply under HIPAA.

The ARRA includes provisions encouraging the use of health information technology and, at the same time, strengthening privacy and security protections for such information. Among other things, the ARRA identifies new types of web-based entities that collect or handle consumers' sensitive health information. The ARRA recognizes that these entities have the potential to provide numerous benefits for consumers, but only if consumers have confidence that the security and confidentiality of their health information will be maintained.

To address these issues, section 14407 of the ARRA requires the U.S. Department of Health and Human Services ("HHS") to conduct a study and report, in consultation with the FTC, on potential privacy, security, and breach notification requirements for vendors of personal health records and related entities. This study and report must be completed by February 2010. In the interim, the ARRA requires the FTC to issue a temporary rule requiring relevant entities to notify consumers if the security of their health information is breached.

The FTC estimates that approximately 900 entities in the U.S. will be covered by the Proposed Rule, and estimates the annual cost burden of the breach notification provisions at $1,020,625.

The Proposed Rule:

  • Requires PHR vendors and related entities to provide notice to consumers following a breach.
  • Requires, in the event of a security breach, a service provider of a PHR vendor to notify the PHR vendor, which in turn must notify consumers of the breach.
  • Sets thresholds for triggering the notice requirement.
  • Sets standards for the timing, method, and content of notice.
  • Requires entities covered by the Proposed Rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify HHS.

In addition to accepting comments on the specific language of the Proposed Rule, the FTC also encourages comments on:

  • Whether the proposed collection of information is necessary for the proper performance of the functions of the FTC, including whether the information will have practical utility.
  • The accuracy of the FTC's estimate of the burden of the proposed collection of information.
  • Ways to enhance the quality, utility and clarity of the information to be collected.
  • Ways to minimize the burden of collecting information through, for example, the use of appropriate, electronic, mechanical or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses.