In mid-April, the Federal Trade Commission (FTC) issued new breach notification requirements for personal health record (PHR) vendors and related entities. The new rule (now open for public comment through June 1, 2009) requires that PHR vendors and associated entities report any security breaches to the consumer/patient and to the FTC, which will then post the breaches on the Department of Health and Human Services website.
This is a new requirement for the PHR market; these vendors do not currently fall under the umbrella of the Health Insurance Portability and Accountability Act (HIPAA), the mother of patient privacy and data security policies.
The FTC rule is an initial attempt to pull PHR vendors into the wider circle of patient protection established by HIPAA in 1996 (that circle is highly questionable, however). This is a common theme in the Health Information Technology for Economic and Clinical Health Act (HITECH), a.k.a. the American Recovery and Reinvestment Act, which has a specific focus on health information security and patient privacy. It is also a new role for the FTC, which in the past focused on personal identity theft related to health care.
Through the HITECH Act, the FTC emerges as a major player in enforcement against non-HIPAA entities -- such as PHRs -- and will continue to play a prominent role in the development and enforcement of patient privacy and data security requirements.
The FTC statement highlights the emergence of new technologies that enable patients to access their health information and contribute to their health record. However, while these new technologies are vital to meeting the goals of the HITECH Act, they generate a new set of challenges in keeping patient health and personal information secure. The FTC posting is a temporary safeguard for protecting electronic patient health information over the next six months.
The Department of Health and Human Services will soon conduct a survey that investigates potential privacy and security requirements needed for the management and transfer of electronic health data (to be delivered August 2009). From the survey, more concrete standards will be developed and implemented.
Already there is a lot of buzz asking pointed questions about definitions (e.g. what constitutes a breach?) and about which players are affected by the FTC rule. According to Modern Healthcare, Microsoft and Google did not agree that the rule applied to them. Yet their growing role in the PHR market is most certainly a target of the privacy and security goals of the HITECH Act. Like many other companies developing PHR technology for health care systems and/or patient use, they will likely fall under the heading of "associated entities and business partners," and they had better get ready to join the complex, muddled world of federal regulation and patient privacy.