Showing posts with label FTC. Show all posts

Tuesday, December 08, 2009

FTC Exploring Privacy: Roundtable Series

Over the next couple of months the Federal Trade Commission (FTC) will be hosting Exploring Privacy: A Roundtable Series.

Each roundtable is a day-long public discussion exploring the privacy challenges posed by the vast array of 21st-century technologies and business practices that collect and use consumer data.

The FTC indicates that the "roundtable discussions will cover topics including social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation."

More information is available on the FTC's Exploring Privacy website, including the dates and locations of the upcoming roundtable events in Berkeley, CA and Washington, DC, the public comments submitted so far, and other materials.

The first roundtable was held this week in Washington, DC. Details of the event are available on the website, including two interesting charts: a data flow chart of the personal data ecosystem, and a set of data flow charts for specific sectors (medical, social networking, mobile, behavioral advertising, and retail loyalty cards).

Friday, April 17, 2009

FTC Proposed Health Breach Notification Rule for PHRs and Electronic Health Information

Yesterday, April 16, 2009, the Federal Trade Commission released its proposed Health Breach Notification Rule for Vendors of Personal Health Records (PHRs) and Electronic Health Information.

The official title of the proposed rule is: 16 C.F.R. Part 318: Notice of Proposed Rulemaking and Request for Public Comments Concerning Proposed Health Breach Notification Rule, Pursuant to the American Recovery and Reinvestment Act of 2009.

The FTC is seeking written comments, submitted electronically or in paper form. Comments must be submitted by June 1, 2009; they will be placed on the public record and made accessible on the FTC website at: http://www.ftc.gov/os/publiccomments.shtm.

The FTC's press release states:
The Federal Trade Commission today announced that it has approved a Federal Register notice seeking public comment on a proposed rule that would require entities to notify consumers when the security of their electronic health information is breached.

The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. Among other things, the Recovery Act recognizes that there are new types of Web-based entities that collect or handle consumers’ sensitive health information. Some of these entities offer personal health records, which consumers can use as an electronic, individually controlled repository for their medical information. Others provide online applications through which consumers can track and manage different kinds of information in their personal health records. For example, consumers can connect a device such as a pedometer to their computers and upload miles traveled, heart rate, and other data into their personal health records. These innovations have the potential to provide numerous benefits for consumers, which can only be realized if they have confidence that the security and confidentiality of their health information will be maintained.

To address these issues, the Recovery Act requires the Department of Health and Human Services to conduct a study and report, in consultation with the FTC, on potential privacy, security, and breach notification requirements for vendors of personal health records and related entities. This study and report must be completed by February 2010. In the interim, the Act requires the Commission to issue a temporary rule requiring these entities to notify consumers if the security of their health information is breached. The proposed rule the Commission is announcing today is the first step in implementing this requirement.

In keeping with the Recovery Act, the proposed rule requires vendors of personal health records and related entities to provide notice to consumers following a breach. The proposed rule also stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.
More information is available at the info.rmatics blog, which has posted a quick summary of the proposed rule. I have only had a chance to quickly scan the proposed rule but will add additional comments once I have a chance to read the entire proposed regulation. Comments and thoughts of others are welcomed - please post your comments.

Friday, February 20, 2009

HIPAA Settlement: Dumping of PHI Results In $2.25M Settlement

This week's settlement by CVS, the nation's largest retail pharmacy chain, under which CVS will pay the U.S. government $2.25 million and take corrective action, highlights the need for providers and other covered entities to focus on simple privacy protections, such as disposing of patient information in a secure manner.

The settlement with CVS, the first known joint investigation and settlement by the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC), resulted from CVS failing to safeguard patients' PHI when disposing of patient information, such as the identifying information printed on pill bottle labels.

The review and settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by the HHS Office for Civil Rights (OCR) and the FTC found that:
  • CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process
  • CVS failed to adequately train employees on how to dispose of such information properly
The investigation started after various news media reported finding prescription drug information and other PHI dumped in unsecured trash containers outside CVS pharmacies. As a result, CVS not only violated the HIPAA Privacy Rule but also came under the FTC's deceptive business practices authority, because CVS had represented to consumers that maintaining customer privacy was central to its operations.
For more, read the OCR Press Release (and related OCR information/summary), the FTC Press Release (and related FTC Complaint and Consent Order) and the Resolution Agreement. Also, OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of PHI.