FTC Issues Final Rules on Health Care Breach Disclosure
The Federal Trade Commission has recently issued a final rule that requires Web-based companies to notify consumers when the security of their electronic health information has been breached. The new rule was put into place by Congress as part of the American Recovery and Reinvestment Act of 2009.
As explained by Dark Reading, the rule applies to both vendors of personal health records “which provide online repositories that people can use to keep track of their health information ” and entities that offer third-party applications for personal health records.
The FTC’s Final Rule comes to complete the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which left out many types of organizations that could have exposed health related information.
The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers.
The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must also notify the FTC.
