
Privacy and Security

Tuesday, April 21, 2009

Proposed Rule Would Expand Reach of Health Data Breach Regulations

The Federal Trade Commission's proposed rule on disclosure of personal health information breaches would greatly expand the number of companies that would be subject to notifying individuals if their health data were exposed, NextGov.com reports (Brewin, NextGov.com, 4/20).

The American Recovery and Reinvestment Act requires FTC to issue an interim final rule on breach notification requirements for PHR vendors and related entities by August. The act also requires HHS and FTC to publish a study on potential privacy, security and breach notification requirements for PHR vendors and related entities by February 2010 (iHealthBeat, 4/17).

Details of Proposed Rule

Under the proposed rule, PHR vendors and groups not covered by the HIPAA medical privacy rule that access or send health information to or from a patient-controlled health record would be required to notify individuals if their personal data are breached.

If approved, the rule would require PHR vendors and any related entity to notify individuals of personal health data breaches by first-class mail or e-mail within 60 days. If 10 or more individuals cannot be reached by mail or e-mail, the groups must use mainstream print or broadcast media, or their Web site home pages, to notify the public.

Affected Groups

FTC did not identify specific vendors or products in its rule, but NextGov.com reports that the rule would cover about 200 PHR vendors, 500 related entities and 200 third-party providers that offer billing and data services.

Pam Dixon, founder and executive director of the World Privacy Forum, said the language of the proposed FTC rule makes it clear that both Google and Microsoft would be required to follow the breach notification rules.

The rule also would cover online applications that allow patients to connect blood pressure cuffs, blood glucose monitors and other monitoring devices to PHR tools, such as Google Health and Microsoft's HealthVault.

Health professionals say the rule also might include companies offering a Web-based application that helps patients manage medications, a Web site that offers a personalized health checklist or a firm that advertises dietary supplements online.

In a statement on Monday, Google acknowledged that its Google Health PHR tool would be subject to the new breach notification laws, adding that the company "takes the privacy and security of our users very seriously" (NextGov.com, 4/20).


