INTERNET MEDICINE PART III: FTC issues Notice of Rule Regarding Breach of Security of Personal Health Records.

There is a growing proliferation of on-line personal health records companies who undertake to warehouse and store personal health records for  consumers on line. Four of the most  prominent of these companies are Google Health, Microsoft Health Vault, RevolutionHealth Health Records and WebMD Personal Health Records. On April 20, 2009, the FTC took a first step in providing notice of breach standards for these companies by offering a proposed rule for public comment. The Rule will be available for public comment until June 1, 2009, with the intent to make the final rule effective in September, 2009. The Proposed Rule can be found at 74 Fed. Reg. 17914. and is slated to be included in the Code of Federal Regulations at 16 CFR § 318. The FTC's action is a mandate under the American Recovery and Reinvestment Act of 2009

The rule defines a beach of security as the “acquisition of such information without the authorization of the individual.” The rule requires vendors of personal health information to notify the owner of the personal health information within 60 days and prescribes a variety of notification methods depending on the seriousness of the breach. If ten or more persons cannot be notified of a breach by the standard methods the company must post a notice of the breach on its web site for a period of six months or publish in prominent print media. The notice must include a toll free number where the consumer can call the company for more information. If the breach relates to the records over 500 consumers the FTC must be notified as soon as possible, but not longer than 5 days.

The rule prescribes the content of the notice to include a brief description of how the breach occurred, including the date of the breach and the date of the discovery. There must be a description of the type of information involved, a statement of the steps consumers should take to protect themselves from potential harm and a brief description of the actions by the company to investigate the breach mitigate losses and protect against future losses.

In addition to security issues there have arisen some recent concerns about the accuracy of the records maintained by these vendors. This is apparently a garbage in/garbage out problem. A recent article in the Boston Globe related the problem that some of the information transferred to a vendor for storage was inaccurate because of errors or misunderstandings in claims reports. Some of these companies have developed relationships with major institutions for the electronic transfer of this information with patient authorization, but in many cases the patient will have to find a way to provide the information.  If these records are going to have any real value it will be up to the individual consumer to undertake the responsibility to assure that his or her records are accurate and up to date. Mistakes, incomplete or dated data have the potential to mislead a health care provider and could result in substantial mistakes and harm. See http://www.boston.com/news/nation/washington/articles/2009/04/13/electronic_health_records_raise_doubt/