The Federal Trade Commission proposed a rule detailing the steps vendors of personal health records (PHRs) and related entities would have to take when notifying individuals following a breach of unsecured identifiable health information (74 Fed. Reg. 17914).
The American Recovery and Reinvestment Act of 2009 (ARRA) directed the FTC to issue such a rule requiring PHR vendors as well as PHR-related entities and third-party service providers to notify consumers of breaches of unsecured data.
The April 20 proposed rule sets forth specific requirements governing the standard for what triggers the notice, as well as the timing, method and content of notice. The FTC also clarified that if there is no reasonable basis to believe that information can be used to identify an individual, the information is not “PHR identifiable health information,” and a breach notification is not required. For example, if a breach involves information that has been de-identified, the information falls outside the scope of the rule, according to the Federal Register notice.
Public comments will be accepted until June 1. The FTC requested comment on specific issues, such as the extent to which PHR vendors may be covered entities or business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and whether there is any overlap between HIPAA and this proposed rule.
The FTC estimated the cost of complying with the rule as $7,582 per breach, assuming most notifications can be made via e-mail.