Posted August 31, 2009 by Lygeia Ricciardi
Last week the Federal Trade Commission (FTC) issued a final rule that helps to protect users of personal health records (PHRs). The rule helps users by making sure they are told if the privacy of their health information has been compromised (or “breached” in industry parlance).
According to the rule, when health information in a PHR or a related device (for example, one that uploads readings from a blood pressure cuff or pedometer into a PHR) has been leaked, the service provider or providers involved need to let users and the FTC know. In some cases involving breaches of health information that affect a large number of people, the media must be informed, too.

The FTC rule is designed to address a lack of public protections for PHR services and related applications that are offered by companies or other entities that are not traditional players in the health system (such as hospital systems and health insurance companies). Such entities (including providers of major PHR platform services, such as Microsoft’s HealthVault, Google Health, and Dossia) are not covered by HIPAA, the Health Insurance Portability & Accountability Act, but will need to comply with the new FTC rules.
The FTC was required to develop privacy breach rules for PHRs by the federal stimulus package issued last winter (the American Recovery and Reinvestment Act). The rule was released August 25th, and will go into effect on February 22, 2010.