FTC Publishes Proposed Breach Notification Rule for Electronic Health Information

For Release

The Federal Trade Commission today announced that it has approved a Federal Register notice seeking public comment on a proposed rule that would require entities to notify consumers when the security of their electronic health information is breached.

The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. Among other things, the Recovery Act recognizes that there are new types of Web-based entities that collect or handle consumers’ sensitive health information. Some of these entities offer personal health records, which consumers can use as an electronic, individually controlled repository for their medical information. Others provide online applications through which consumers can track and manage different kinds of information in their personal health records. For example, consumers can connect a device such as a pedometer to their computers and upload miles traveled, heart rate, and other data into their personal health records. These innovations have the potential to provide numerous benefits for consumers, which can only be realized if they have confidence that the security and confidentiality of their health information will be maintained.

To address these issues, the Recovery Act requires the Department of Health and Human Services to conduct a study and report, in consultation with the FTC, on potential privacy, security, and breach notification requirements for vendors of personal health records and related entities. This study and report must be completed by February 2010. In the interim, the Act requires the Commission to issue a temporary rule requiring these entities to notify consumers if the security of their health information is breached. The proposed rule the Commission is announcing today is the first step in implementing this requirement.

In keeping with the Recovery Act, the proposed rule requires vendors of personal health records and related entities to provide notice to consumers following a breach. The proposed rule also stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.

The Commission vote approving issuance of the Federal Register notice was 4-0. The notice will be published in the Federal Register shortly, and is available now on the FTC’s Web site as a link to this press release. Public comments are being accepted through June 1, 2009, after which the Commission will issue a final interim rule. To file a public comment, please click on the following link: https://secure.commentworks.com/ftc-healthbreachnotification and follow the instructions at that site.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

(FTC File No. R91-1002)
(health info.wpd)

Contact Information

MEDIA CONTACT:
Betsy Lordan
Office of Public Affairs

202-326-2180
STAFF CONTACT:
Maneesha Mithal
Bureau of Consumer Protection

202-326-2771