Proposed breach notification rule would affect more health vendors

Microsoft and Google's health records programs, iPhone applications and monitoring devices connected to the Internet would be subject to notification guidelines.

Rules the Federal Trade Commission proposed on April 16 on disclosure of breaches of personal health information would greatly expand the number of companies obliged to notify individuals whose personal health data was exposed because records were lost or stolen, or because a hacker broke into a computer health network.

Vendors that offer personal health records, and organizations not covered by the Health Insurance Portability and Accountability Act (HIPAA) -- which requires patient confidentiality -- that access or send health information to or from a patient-controlled health record, would be required to notify individuals whose personal data was exposed by a breach.

Such a definition would include online applications that allow individuals to connect monitoring devices -- like blood pressure cuffs and blood glucose monitors -- that send information to an electronic health record, such as Microsoft's HealthVault or Google Health, the agency said. FTC did not identify specific vendors or products in its proposed rules.

Companies or services also could include a Web-based application that helps consumers manage medications, a Web site that offers a personalized health checklist, or a company that advertises dietary supplements online, health professionals said.

The rules are based on language contained in the 2009 American Recovery and Reinvestment Act President Obama signed in February.

The rules, if approved, would require a health record vendor and any related entity to notify individuals within 60 days, by first-class mail or e-mail, that their records were exposed because of a breach. If 10 or more individuals cannot be reached by mail or e-mail, the vendor and related entities must use mainstream print or broadcast media, or the home pages of their Web sites, to notify the public.

Neither Microsoft nor Google has publicly acknowledged that it is required to make data breach notifications under HIPAA. But Pam Dixon, founder and executive director of the World Privacy Forum, said the straightforward language of the proposed FTC rules makes it clear that both Google and Microsoft will be required to follow the breach notification rules.

Google acknowledged in a statement today that Google Health is subject to the new breach notification laws in the American Recovery and Reinvestment Act and said it "takes the privacy and security of our users very seriously."

Microsoft officials also said the company will comply with the law's privacy regulations on their effective dates. "Health IT privacy and security regulation is an ongoing discussion and we look forward to working collaboratively with policymakers and agencies as they approach related rulemaking."

Steven Fox, a lawyer with Post & Schell in Washington who co-chairs the firm's data protection group, agreed that the rules cover Google and Microsoft but said he wished FTC had specifically identified the two companies in the proposed rules.

The rules cover about 200 vendors of personal health record systems, 500 "related entities," which include online medication or weight tracking programs, and 200 third-party providers that offer billing and data services.

The related entities category could include low-cost iPhone applications that would have to comply with the potentially costly breach notification process, Dixon said. An online guide lists "100 Fabulous iPhone Apps for Your Health and Fitness," and Fox said these applications would be covered by the breach notification rules if they exchange information with personal health records.

Many companies have launched products and services to monetize health care information. The rules, which "plug a huge regulatory gap" on protection of health care information, would require them to adhere to a new set of rigorous guidelines, Dixon said.

The rules apply to unencrypted data only, Fox said. Dixon added that the FTC does not have the power to force companies that aren't covered by HIPAA to encrypt patient information.

Nonprofit organizations aligned with personal health record vendors also face regulation, she said. The American Heart Association, for example, offers a Cardiovascular Wellness Center in connection with HealthVault. The association potentially could fall under the rule's purview. The group's officials did not respond to requests for comment.

Comments on the proposed rule close June 1.