FTC Issues Final Rule on Electronic Health Information Security Breach

by Astrid Fiano, DOTmed News Writer | August 18, 2009
Health information security just got tighter
The Federal Trade Commission (FTC) has just issued a final rule requiring some Internet-based businesses to notify consumers when their electronic health information security is breached. This final rule applies to health information that is not secured through technologies specified by the Department of Health and Human Services (HHS). The FTC's rule does not apply to those entities covered by the Health Insurance Portability & Accountability Act (HIPAA). A security breach for HIPAA-covered entities must comply with HHS' breach notification rule.

The FTC has issued the rule as part of the American Recovery and Reinvestment Act of 2009. This rule applies to both vendors of personal health records and those entities offering third-party applications for personal health records. The FTC's press release states that such applications could include, for example, those for devices that allow readings from blood pressure cuffs or pedometers to be uploaded into a consumer's personal health record.

Since some of these entities are not subject to HIPAA requirements, the Recovery Act also requires the Department of Health and Human Services, in consultation with the FTC, to conduct a study and report in February 2010 on potential privacy, security, and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA. In the meantime, the act requires the commission to issue this final rule requiring such entities to notify consumers if the security of their health information is breached.

The final rule requires the vendors of personal health records and related entities to notify consumers if a breach occurs involving unsecured, protected health information. If a service provider to one of the covered entities undergoes a breach, the provider must notify the entity, which in turn must notify consumers.

The final rule specifies the timing, method, and content of notification. If certain breaches involve 500 or more people, an entity will be required to notify the media. Entities covered by the rule must notify the FTC, and can use a standard form that can be found, along with additional information about the rule, at www.ftc.gov/healthbreach. The FTC's form asks for information on the type of breach, how it occurred, what information was involved, and what steps are being taken to investigate the breach.

Adapted from a press release and information from the FTC.