There is a growing proliferation of online personal health records companies that undertake to warehouse and store personal health records for consumers online. Four of the most prominent of these companies are Google Health, Microsoft Health Vault, RevolutionHealth Health Records and WebMD Personal Health Records. On April 20, 2009, the FTC took a first step in providing notice of breach standards for these companies by offering a proposed rule for public comment. The Rule will be available for public comment until June 1, 2009, with the intent to make the final rule effective in September, 2009. The Proposed Rule can be found at 74 Fed. Reg. 17914 and is slated to be included in the Code of Federal Regulations at 16 CFR § 318. The FTC's action is a mandate under the American Recovery and Reinvestment Act of 2009.
The rule prescribes the content of the notice, which must include a brief description of how the breach occurred, including the date of the breach and the date of the discovery. There must also be a description of the type of information involved, a statement of the steps consumers should take to protect themselves from potential harm, and a brief description of the actions by the company to investigate the breach, mitigate losses and protect against future losses.
In addition to security issues, there have arisen some recent concerns about the accuracy of the records maintained by these vendors. This is apparently a garbage in/garbage out problem. A recent article in the Boston Globe related the problem that some of the information transferred to a vendor for storage was inaccurate because of errors or misunderstandings in claims reports. Some of these companies have developed relationships with major institutions for the electronic transfer of this information with patient authorization, but in many cases the patient will have to find a way to provide the information. If these records are going to have any real value, it will be up to the individual consumer to undertake the responsibility to assure that his or her records are accurate and up to date. Mistakes and incomplete or dated data have the potential to mislead a health care provider and could result in substantial mistakes and harm. See http://www.boston.com/news/nation/washington/articles/2009/04/13/electronic_health_records_raise_doubt/