FTC's electronic health record breach rule sparks debate

Protecting healthcare privacy at core of FTC rules but are they enough?

Trying to get a handle on what will almost certainly be an explosion in the digitization of medical records, the Federal Trade Commission today issued the final rules requiring "certain Web-based businesses to notify consumers" when the security of their electronic health information is breached.

But are the rules meaty enough or will they merely offer more fuel to the already burning healthcare fire?

First, let's understand what's happening. Congress this spring told the FTC to issue the breach rule as part of the American Recovery and Reinvestment Act of 2009. The rule applies to vendors of personal health records - which provide online repositories that people can use to keep track of their health information - and to entities that offer third-party applications for personal health records.

The rules contain specific requirements governing the timing, method, and contents of the breach notice to consumers. For example, they require companies to provide breach notices without what the FTC calls "unreasonable delay," and in no case later than 60 calendar days after discovering a breach; they require notice to consumers by first-class mail or, if the individual has specified it as a preference, by email; and they require substitute notice, through the media or a web posting, if there is insufficient contact information for ten or more individuals.

The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach. It also authorizes the FTC to seek civil penalties for violations.

While the FTC's Final Rule attempts to sort out all manner of digital healthcare privacy issues, detractors say it does nothing but confuse.

On the HealthDataManagement.com site, for example, they state: Despite efforts by the FTC and the Department of Health and Human Services to harmonize separate rules governing notification of breaches, the FTC rule takes confusion to a new level and will require considerable study. The site cites a number of examples it calls confusing. A couple of examples:

1: Under the rule, vendors must notify consumer users of their public health records software in cases of a breach. But if a hospital, insurer or other entity offers a vendor's records to consumers, then the vendor must notify the entity, which in turn must notify affected consumers, the site states.

2: Although the FTC's proposed rule made clear that it did not apply to HIPAA-covered entities, the FTC explicitly excluded doctors from its rule, even if they are involved with public health records, but with a twist. "The Commission agrees that, because health care providers such as doctors are generally HIPAA-covered entities, the FTC's rule does not apply to them in such capacity. Thus, if a doctor's medical practice offers records to its patients, neither the doctor nor the medical practice is subject to FTC's rule. However, if the doctor creates a record in a personal capacity, there may be circumstances under which the FTC's rule would apply," the site states.

Meanwhile the Government Accountability Office earlier this year offered up a report on federal IT health initiatives and said: "Achieving widespread adoption and implementation of health IT has proven challenging, and the best way to accomplish this transition remains subject to much debate."

The GAO said that any transition to online records needs to address the following key issues:

  • Establish a foundation of clearly defined health IT standards that are agreed upon by all important stakeholders. Developing, coordinating, and agreeing on standards are crucial for allowing health IT systems to work together and to provide the right people access to the information they need: for example, technology standards must be agreed on (such as file types and interchange systems), and a host of content issues must also be addressed (one example is the need for consistent medical terminology).
  • Although important steps have been taken, additional effort is needed to define, adopt, and implement such standards to promote data quality and consistency, system interoperability (that is, the ability of automated systems to share and use information), and information protection.
  • Implement an approach to protection of personal privacy that encourages public acceptance of health IT. A robust approach to privacy protection is essential to establish the high degree of public confidence and trust needed to encourage widespread adoption of health IT and particularly electronic medical records. Health IT programs and applications need to address key privacy principles (for example, the access principle, which establishes the right of individuals to review certain personal health information). At the same time, they need to overcome key challenges (for example, those related to variations in states' privacy laws).

Unless these principles and challenges are adequately addressed, there is reduced assurance that privacy protection measures will be consistently built into health IT programs and applications, and public acceptance of health IT may be put at risk, the GAO stated.


Copyright © 2009 IDG Communications, Inc.
