Yesterday, the FTC issued a rule requiring web-based businesses to notify consumers in the event of a security breach involving electronic health information. The rule applies to vendors of personal health records (PHRs) and to businesses that offer third-party applications for PHRs.
The rule was mandated by Congress in the American Recovery and Reinvestment Act of 2009. The businesses it covers offer services that are not already subject to HIPAA privacy and security requirements. The Department of Health and Human Services will study potential security, privacy, and breach notification requirements for entities not governed by HIPAA, with a report due by February 2010. In the meantime, the FTC rule requires these businesses to notify consumers of any breach of the security of their health information. In addition, any service provider to one of these businesses that suffers a data breach must notify its client, which in turn notifies the affected consumers.
The rule spells out the content of the breach notification, the method of notification, and the time limits for sending it. If a breach involves 500 or more individuals, the business must also notify the FTC and the media.