WASHINGTON (CN) – The Federal Trade Commission issued final regulations requiring vendors of personal health records and related companies to notify their customers when the security of their individually identifiable health information has been breached.
Affected individuals must be notified no later than 60 days after the breach is discovered. Notice goes out by first-class mail or, if the individual has indicated that preference, by email. If the company lacks sufficient contact information for ten or more affected individuals, it must instead provide substitute notice through major media or a posting on its website.
Vendors of personal health records and related companies, for purposes of the rule, do not include entities covered by the Health Insurance Portability and Accountability Act, such as hospitals, doctors' offices and health insurance companies, which are regulated by the Department of Health and Human Services. Vendors who work with HIPAA-covered entities can determine through their contracts which party is responsible for notifying customers of a breach. For instance, many group health plans use third-party contractors to manage their members' personal health records; if a breach occurs, either entity can inform the consumer under the new rule.