I do wonder if this will include Pharmacy Benefit Managers who have our medication rap sheets that have been sold and data mined for years. I would tend to believe that medications we take are a part of a medical record as viewed today. BD
This appears to be a “catch all” proposed solution for those who do not fall under the auspices of HIPAA in the area of security and breaches. BD
The Federal Trade Commission, which heretofore has had a minimal role in enforcing privacy and security laws affecting electronic health records, took a big first step Thursday toward its new role as a front-line federal healthcare IT enforcer.
In a 50-page notice and interim proposed rule, the FTC outlined its position on a set of new, federal breach notification requirements for the developers of electronic personal health-record systems and three broadly defined groups of related companies and organizations that send or receive patient information to or from PHRs, about 900 companies and organizations in total.
The FTC was dispatched by Congress in February via the American Recovery and Reinvestment Act to try to plug privacy and security regulatory gaps opened by PHRs and other related health 2.0 technologies that were not even a twinkle in a programmer’s code base when Congress passed the Health Insurance Portability and Accountability Act, the principal federal healthcare IT privacy and security law, in 1996.
The proposed interim rule extensively defines what constitutes notice of a breach. The definition includes first-class mail, e-mail or telephone communications. If 10 or more affected individuals could not be reached by these methods, then a vendor or other PHR-related entity must post a notice of the breach on its Web site or in the print and broadcast media where individuals affected are likely to reside.
Media notices must be accompanied by a toll-free number an individual may call to determine if his or her records were breached. In addition, the media must be contacted if the breach involves 500 or more individuals. Breach notices must include a brief description of how the breach occurred and what type of information was involved, such as whether it involved people's names, Social Security numbers, dates of birth, addresses and account numbers. The required notices also should include what steps individuals might take to prevent harm as a result of the breach and what the PHR vendor or other entity is doing to investigate the breach, prevent further occurrences and mitigate losses.
In addition to PHR vendors, the proposed interim rule also would apply to "PHR-related entities," including companies or organizations not covered under HIPAA. The rule defines three classes of related entities: those that
- Offer products or services through the Web site of a vendor of personal health records.
- Are not covered entities (as defined by HIPAA) and that offer products or services through the Web sites of covered entities that offer individuals personal health records.
- Are not covered entities and that access information in a personal health record or send information to a personal health record.