FTC Extends Breach Notification to Web-Based Health Repositories
The Federal Trade Commission has issued a rule that broadens the reach of the data breach notification rules covered by the Health Insurance Portability and Accountability Act (HIPAA). The new FTC rule applies to companies that provide an online repository of health information, such as vendors of Web-based tools that track and maintain blood pressure readings and other health-related data.
Typically, Web-based companies that collect health information are not covered under HIPAA. The new FTC rule applies only to these companies and requires vendors of personal health records and their service providers to notify consumers following a data security breach. If the breach involves more than 500 people, the company must also give notice to the media, the FTC said.
The FTC said it is attempting to address a new wave of gadgets that enable consumers to upload data, such as readings from blood pressure cuffs and pedometers, into their personal health records on the Internet. The rule also covers Web-based tools such as HealthVault and Google Health, as well as websites such as WebMD, which may collect and retain certain health information.