Yesterday HHS published its breach notification rule for HIPAA covered entities. Today the Federal Trade Commission’s rule appeared in print, making it official also. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.

FTC’s rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. Both the FTC and the HHS rules were required by provisions in the American Recovery and Reinvestment Act, signed into law this past February.

As with the HHS rule, entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Neither HHS nor FTC amended the timeline specified in the ARRA provision.

The rule specifies that notifications should be written in plain language and include, to the extent possible, a brief description of what happened, the types of information involved, steps individuals should take to protect themselves, and a brief description of what the entity is doing to investigate and mitigate the breach. The notification must provide consumers with contact information that includes a tollfree number, e-mail address, and Web site or postal address. (more…)

AHIMA’s consumer Web site myPHR.com relaunched with a major redesign. The new site offers information on PHRs organized by seven major user groups: parents, students, seniors, caregivers, the chronically ill, travelers, and athletes. Check out the new blogs, news feed, and events calendar.

The site offers consumer information on choosing a PHR, starting a PHR, and protecting your privacy. Community groups can also schedule local PHR presentations through AHIMA’s community education program.

Can health IT help reduce disparities in quality of care caused by racial and ethnic differences, geographic isolation, poverty, and low health literacy and consumer involvement? Authors of a new Journal web-exclusive story discuss the potential of personal health records to mitigate healthcare disparities.

HIM professionals can play four important roles, the authors write:

• Advocating, designing, and testing PHR products that are sensitive to underserved populations
• Promoting PHR use within their communities
• Training both consumers and providers in PHR use
• Helping secure personal health information to both safeguard individuals and build the trust that will encourage consumer acceptance of health IT

See “Healthcare Disparities and the Role of Personal Health Records” by Jennifer Garvin, Barbara Odom-Wesley, William J. Rudman, and Rachelle S. Stewart.

For a look at the need to improve data collection in support of efforts to reduce disparities, see the April 2009 Journal feature “Data Collection and Reporting for Healthcare Disparities.”

The Federal Trade Commission has its ARRA homework well under way. Yesterday it announced its notice of proposed rulemaking (NPRM) on data breach notification.

The American Recovery and Reinvestment Act establishes the first federal requirements on health data breach reporting and notification. It assigns the Department of Health and Human Services to oversee organizations that qualify as covered entities and business associates under HIPAA. It assigns the FTC to oversee everyone else, including vendors of personal health records.

Both HHS and FTC are required to publish final interim regulations by August 16. The provisions become effective 30 days after publication.

According to an FTC press release, the proposed rule:

• Requires “vendors of personal health records and related entities” to notify consumers of a breach
• Requires a service provider to a PHR vendor to notify the vendor of a breach, which in turn must notify its customers
• Defines the triggers for a notice, as well as the timing, method, and content of the notice
• Requires that entities notify the FTC of a breach, which will in turn post the information on its Web site and share with HHS

The NPRM will appear in the Federal Register shortly, according to FTC.

Public comments on the notice of proposed rulemaking are due by June 1. AHIMA’s commentary will available on this site in advance of that date.

Update April 20: HHS released its required guidance on rendering protected health information unreadable on April 17. The guidance relates to both HHS’s and the FTC’s breach notification regulations. HHS is accepting comments until May 21.

Washington State’s experiment in consumer-controlled health records has moved into a pilot phase, transforming the health record banking model from theory to testing. Earlier this month the Washington State Health Care Authority (HCA) announced the launch of three pilot sites that will try out the feasibility of a permanent statewide health record bank network.

Health record banks centrally store copies of consumer’s health records, which providers “deposit” into the accounts. Consumers control which providers can contribute information and which providers and individuals can view their records.

This model of health information exchange, where many providers send patient information to one central location, is seen as an alternative to the many-to-many exchange model, where several organizations directly exchange copies of patient’s records. If the pilot project is successful, Washington State hopes to show by example that health record banks are the ideal model for nationwide information exchange, says Juan Alaniz, health record bank pilot project manager for HCA. (more…)

Google Health, the Internet giant’s free online personal health record service, is nearing a year old. This week the company rolled out some changes to the service, some of which the company anticipated last spring.

Users may now share their health profiles with others, such as doctors and family. Account owners grant access to others via e-mail addresses. Viewers cannot edit or share a profile. Account owners control how much of the profile others see, another change.

Google’s list of partners continues to grow. Partners are primarily national pharmacy chains that can feed medication information into Google Health accounts. However, patients of the Cleveland Clinic and Beth Israel Deaconess Medical Center can import their records through those facilities’ patient portals.

PCASSO—the Patient Centered Access to Secure Systems Online project—was an early trailblazer in using the Internet to give patients and providers instant access to medical records. The project started in 1996, a time when most people considered the Internet an unsecure and scary place to post a person’s most private and sensitive information.

Now, more than 10 years since its creation, PCASSO can be more fully appreciated as an innovator in technology that many hospitals have only recently begun to adopt.

As complex health data exchanges such as health record banks, health information exchanges, and personal health records begin to gain ground, PCASSO deserves a retrospective look as an early project that promoted patient access to health records and demonstrated it could be done security over the Internet, says Dixie Baker, PhD, former principle investigator with the PCASSO project and senior vice president and chief technology officer for health solutions at Science Applications International Corporation. The project anticipated many of today’s security threats and incorporated a high level of protection that many contemporary portals do not. (more…)

Healthcare is badly in need of some cost-savings. A new study suggests that a change in the way we keep health records could save billions. Last week the industry got a look at a cost-benefit model for personal health records. According to the report, widespread use of PHRs could save the US healthcare industry between $13 and $21 billion a year.

The Center for Information Technology Leadership (CITL), a nonprofit IT research center based at Partners HealthCare System in Boston, offers the projections in the study “The Value of Personal Health Records.” The study describes an evidence-based model that estimates the industry costs and benefits of four different PHR architectures. The study is the first of its kind to examine the different PHR architectures and show their direct cost savings to healthcare providers and payers, CITL officials say. (more…)

Project HealthDesign is a Robert Wood Johnson Foundation program to push the design of next-generation personal health records. Nine design teams received grants to develop forward-looking PHR prototypes that meet unique needs of different patient populations. The prototypes were demonstrated two weeks ago—RWJF has posted a webcast. (more…)

Google Health, which previewed in February (see the June print story “The Great PHRontier”), went live with relatively little fanfare on May 19. The launch doesn’t mean that the personal health record service is finalized, says Missy Krasner, Google Health product marketing manager. “We are just at the beginning,” she says. (more…)