A personal health record is an "electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual," according to the FTC.
Last year, the FTC issued a PHR breach notification rule, as called for under the HITECH Act. Under the rule, which took effect Sept. 24, 2009, major breaches must be reported to the FTC within 10 business days. PHR vendors, and certain companies with which they do business, must report any size breach to the individuals affected within 60 days. But they only have to report the smaller incidents to the FTC annually, 60 days after the start of the calendar year.
Incidents Listed

The FTC has posted a list of 13 incidents affecting 15 individuals in 2009. All were reported by Microsoft Corp., which offers the HealthVault PHR platform. Each case involved lost or stolen credentials, and none of the cases is known to have resulted in inappropriate use of patient information, says Cora Han, attorney in the division of privacy and identity protection in the FTC's bureau of consumer protection.
The FTC's breach notification rule requires reporting of incidents involving unauthorized acquisition of unencrypted PHR information that contains personal identifiers. "Microsoft did this proactively," Han says of the company's reports of the incidents, which could potentially lead to breaches. "They were not reported as cases where accounts had been breached."
The 13 HealthVault cases posted on the FTC site are the only reports the agency received regarding smaller PHR security incidents in 2009, Han confirms. In all but one case, individual PHR users reported the lost or stolen credentials to Microsoft, she says. In the other, Microsoft discovered three individuals' credentials had been lost or stolen.
The FTC waited until now to post information about the incidents because it was waiting to see how much information on breaches it received, Han says. The FTC does not have an official schedule for updating the list of incidents, but likely will do so every few months if new information becomes available, she adds.
Personal health records are regulated under the HIPAA privacy and security rules only if they are offered by a "covered entity," such as a hospital or physician group.
Covered entities and their business associates must report breaches of all types of electronic or paper patient records affecting 500 or more individuals to the Health and Human Services' Office for Civil Rights within 60 days. Since the breach notification rule for covered entities went into effect last September, 181 major breach incidents affecting 4.9 million individuals have been reported to the Office for Civil Rights.
PHR Report Overdue

Federal officials are still months away from submitting an overdue report to Congress on privacy and security requirements for personal health records vendors.
Section 13421 of the HITECH Act called for HHS, in collaboration with the FTC, to submit a report by last February on the requirements for PHR vendors and others not covered by HIPAA. But the report has been delayed while the HHS Office of the National Coordinator for Health Information Technology worked on other projects, says Joy Pritts, ONC's chief privacy officer. She expects the report to be completed early in 2011.
On Dec. 3, ONC will host a day-long roundtable event in Washington on PHRs to gather information to use in preparing the report.
Based on the recommendations in the report, new regulations might be proposed or Congressional action might be requested, Pritts adds.
In written testimony prepared for a Congressional hearing held Sept. 30, Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, called for stronger protection of personal health records, but not through HIPAA. She said that the Markle Foundation's Common Framework for Networked Personal Health Information would provide a good starting point.