FTC Mandates Vendors Notify Patients of Breaches in Health Information
By Alisa Pierce

The Federal Trade Commission (FTC) has amended its Health Breach Notification Rule to require vendors of personal health records (PHR) and "PHR related entities" that are not covered by HIPAA to notify individuals, the FTC, and, in larger breaches, the media when a breach of unsecured PHR identifiable health information occurs. (That term is the rule's counterpart to HIPAA's "protected health information," or PHI, and this story uses PHI for both.) The change takes effect July 29, 2024.

Physicians do not have to notify patients if their PHI is leaked via a PHR vendor that is not a business associate of the physician. That responsibility falls to the vendors themselves under the FTC rule. If the vendor is a HIPAA business associate, the HIPAA Breach Notification Rule applies instead, and the physician's HIPAA notification obligations are unchanged.

Previously, PHR vendors were not clearly required to disclose when they shared PHI with a third party without the patient's permission. The amended rule makes explicit that a "breach of security" includes such unauthorized disclosures, not only hacking or data theft, so PHR vendors, including developers of everyday health and wellness apps that qualify as personal health records, must give notice when one occurs. Vendors must also notify prominent media outlets serving a state or jurisdiction when 500 or more of its residents are affected by a breach.

Vendors and PHR related entities covered by the rule must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach. For breaches involving 500 or more individuals, notice to FTC is due at the same time as the individual notices; smaller breaches may be logged and reported to FTC annually. Entities that fail to comply could face civil penalties of $51,744 per violation, the FTC's inflation-adjusted amount for 2024.

TMA applauds FTC for requiring health application vendors to protect the health information of patients and notify users of a breach, just as physicians are required to comply with state and federal breach notification rules.  

The association also commends FTC for heeding TMA's suggestion, submitted in comments on the proposed rule last year, to revise the proposed definition of "health care provider," which would have treated PHR vendors and similar entities as health care providers.

“Expanding the definition of ‘health care provider’ as proposed by FTC to encompass others … will create unnecessary confusion among consumers,” TMA stated in its comments.  

Following TMA’s comments, FTC modified the definition of “PHR identifiable health information” and added two new definitions for “covered health care provider” and “health care services or supplies” to better distinguish that term from “health care provider” in other contexts.  

TMA will continue to monitor the new rule’s implementation and agrees with FTC that patients should have assurances from PHR vendors that their information is safe and only shared as the patient directs.   

The final rule takes effect 60 days after its May 30, 2024, publication in the Federal Register, which is July 29, 2024. For more information, email the Knowledge Center or call (800) 880-7955.

Last Updated On: November 07, 2024

Originally Published On: June 24, 2024

Alisa Pierce

Reporter, Division of Communications and Marketing

(512) 370-1469

Alisa Pierce is a reporter for Texas Medicine. After graduating from Texas State University, she worked in local news, covering state politics, public health, and education. Alongside her news writing, Alisa covered up-and-coming artists in Central Texas and abroad as a music journalist. As a Texas native, she enjoys capturing the landscape on her film camera while hiking her way across the Lonestar State.
