The Cross-Border Biotech Blog

Biotechnology, Health and Business in Canada, the United States and Worldwide

FTC Proposed Rule for Medical Record Privacy for Non-HIPAA Entities

One of the concerns about the privacy of electronic medical records is that many of the major providers — notably Google and Microsoft — are not “covered entities” under HIPAA and are therefore not subject to its privacy provisions.

The funding for Electronic Health Records in the American Recovery & Reinvestment Act of 2009 comes with a requirement that HHS study, in consultation with the FTC, “potential privacy, security, and breach notification requirements” with respect to entities not covered by HIPAA, and make recommendations within one year.

In the interim, Section 13407(g)(1) of the Recovery Act requires the FTC to promulgate regulations on breach of security notification provisions.

The FTC has proposed a breach notification rule, and is coordinating with HHS. The proposed rule:

  • requires vendors of personal health records and related entities to provide notice to consumers following a breach, and reaches through to require the vendors’ service providers to notify the vendors;
  • sets the standard for what triggers the notice requirement, as well as the timing, method, and content of notice; and
  • requires FTC notification of any breaches.

Public comments are being accepted through June 1, 2009, and can be submitted online at https://secure.commentworks.com/ftc-healthbreachnotification. In particular, the FTC is seeking comments on:
  1. the nature of entities to which its proposed rule would apply;
  2. the particular products and services they offer;
  3. the extent to which vendors of personal health records, PHR related entities, and third party service providers may be HIPAA-covered entities or business associates of HIPAA-covered entities;
  4. whether some vendors of personal health records may have dual roles as a business associate of a HIPAA-covered entity and a direct provider of personal health records to the public; and
  5. circumstances in which such a dual role might lead to consumers’ receiving multiple breach notices or receiving breach notices from an unexpected entity, and whether and how the rule should address such circumstances.
