FTC rule on electronic health repositories means nothing ...
Companies that offer to store your personal healthcare information are loudly touting the Federal Trade Commission's rule mandating notification of consumers when the security of their electronic health information is breached.
Unfortunately, this rule does little or nothing to promote the security of your health information stored on the company’s servers, nor does it provide any type of relief for a security breach that results in provable damages. Being told about a breach after the fact is not the same as being protected from one.
Once again, we caution all consumers thinking about allowing their health information to be uploaded to any third-party system.
One, all of your rights and remedies are contained in a confusing set of user agreements between you and the vendor. These unilateral agreements are written for the sole protection of the company and do little or nothing to protect you against the costs of remedying the inadvertent disclosure of your personal health information.
Two, all of your health information is at risk of an administrative summons or other legal subpoena – one you may or may not be notified has been served, and which may not leave enough time to legally contest the turnover of your healthcare information.
Three, the standard insurance application that you sign for health insurance may authorize the access and disclosure of this information – with little more than a photocopied application form.
Four, the service vendor may sell your personal information, often in aggregate form without personal identifiers, for research purposes or offer to use it to develop “targeted profiles” to be sold to advertisers.
Five, the service vendor often disclaims liability for the availability of your health information or the inability of emergency room personnel to access the data on a timely basis.
So what did the FTC final rule contain …
FTC Issues Final Breach Notification Rule for Electronic Health Information
The Federal Trade Commission has issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached.
Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009. The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.
An FTC warning …
Many entities offering these types of services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), which applies to health care service providers such as doctors’ offices, hospitals, and insurance companies.
Another study: confusing motion with action …
The Recovery Act requires the Department of Health and Human Services to conduct a study and report by February 2010, in consultation with the FTC, on potential privacy, security, and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA. In the meantime, the Act requires the Commission to issue a rule requiring these entities to notify consumers if the security of their health information is breached. The Commission announced a proposed rule in April 2009, collected public comments until June 1, and is issuing the Final Rule today.
The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.
Caveat Emptor: Let the Buyer Beware …
The truth of the matter is that there are very few cases when your health information will be a critical issue in the delivery of services to you … especially on an emergency basis.
First, most emergency rooms will treat you for the presenting symptoms. They will perform their own blood and diagnostic testing. Should you have a chronic underlying condition, this will often be disclosed in the patient’s history taken by the nurse or doctor after admission.
Second, in routine situations, doctors obtain medical records directly from treating doctors and facilities because these documents and results may have impressions and notes which are not provided to the patient and which will only be provided to physicians. Very few doctors have the patience or the need to sort through reams of your medical records.
Third, your third-party medical records may be dangerously incomplete and lacking critical information. Also, many doctors may be suspicious of records created by the patient or susceptible to modification by the patient or other vendors.
And fourth, because of our litigious society, doctors cannot rely on any information source which will not hold up in a court of law.
Bottom line …
This is an idea that sounds great in concept but falls short in execution and usability. It appears that many of the large-scale vendors are hoping to achieve a critical mass of consumers so that, if and when electronic recordkeeping becomes a mandated part of healthcare rules and regulations, they will be well-positioned as a vendor to the government, insurance companies and/or healthcare providers.
However, without legally enforceable privacy and security protections – backed with criminal penalties and fines – all of the vendor’s representations, or should I say insinuations, mean little or nothing, especially when the vendor uses server facilities outside of the United States and employs people who have not been as thoroughly vetted and trained as personnel in a medical setting.
Before you say anything, consider that information on celebrities was accessed and sold to a tabloid by an employee at a major hospital. And consider that revelations of key medical information have been used for political purposes.
Be well, be safe and protect yourself and your family first.
-- steve
P.S. A final word: the Federal Trade Commission is one of the most honest, ethical and hard-working agencies in the government. Tell your elected officials that we do not want it turned into a hyper-politicized agency by combining it with other regulators who often pursue hidden political agendas. – steve
Reference Links:
FTC Issues Final Breach Notification Rule for Electronic Health Information
16 C.F.R. Part 318: Health Breach Notification Rule: Final Rule -- Issued Pursuant to the American Recovery and Reinvestment Act of 2009 -- Requiring Vendors of Personal Health Records and Related Entities To Notify Consumers When the Security of Their Individually Identifiable Health Information Has Been Breached
Health Breach Notification Rule Website
Mayo Clinic backs Microsoft health records storage site, so what? | OneCitizenSpeaking
OBAMA STIMULUS: COMPROMISING YOUR HEALTH RECORDS FOR POLITICS AND PROFITS | OneCitizenSpeaking
Danger: The SINGLE most important key to protecting your health records! | OneCitizenSpeaking