The FTC on Monday issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached. Congress directed the consumer protection agency to issue the rule as part of the economic stimulus package. It applies both to vendors of personal health records - which provide online repositories that people can use to keep track of their health information - and to entities that offer third-party applications for personal health records. Such applications include devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records, the FTC said.
Many existing health IT services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act, which applies to healthcare providers such as doctors' offices, hospitals, and insurance companies. The stimulus package required the Health and Human Services Department to conduct a study and report by February 2010, in consultation with the FTC, on potential privacy and security requirements for vendors. In the meantime, the law required the FTC to issue a breach notification rule. Read details about the rule at www.ftc.gov/healthbreach.
On a related note, security expert Christopher Soghoian is leaving Harvard University's Berkman Center for Internet & Society to work as a technical consultant to the FTC's Division of Privacy and Identity Protection in the Bureau of Consumer Protection. On his personal blog, Soghoian noted, "the FTC has a lot of really smart lawyers, but they (currently) lack geek skills." He's an interesting hire given his self-admitted penchant for "railing against the oppressive surveillance state and the numerous privacy invasions committed by the law enforcement and intelligence agencies."