Feds unveil new rules for patient ID protection

Today marks the first day that the Federal Trade Commission will begin enforcing new identity theft rules for a number of industries including health care (Source: “Shield against ID theft grows,” Columbus Dispatch, May 1, 2009).

Under the new rules, health care providers must have a plan to verify a patient’s identity. The new rules also set more stringent standards for protecting paper medical records.

At the same time, the FTC announced last week that it is seeking public comment on a proposed rule that would require entities to notify consumers when the security of their electronic health information is breached (Source: “FTC Publishes Proposed Breach Notification Rule for Electronic Health Information,” TMC News/FTC news release, Apr 17, 2009) .

Among the HIT-related provisions in the American Recovery and Reinvestment Act is a requirement that the Department of Health and Human Services conduct a study and report, in consultation with the FTC, on potential privacy, security, and breach notification requirements for vendors of personal health records and related entities. The report must be completed by February 2010.

The FTC has created a special Web site to elicit public comments on its proposed EHR rules. The site will be open until June 1, after which the Commission will issue a final interim rule to be enforced until the HHS report is completed.