While it has yet to rule on whether PHRs should be covered under HIPAA, the Federal Trade Commission (FTC) has voted 4-0 and issued a final rule that requires certain "Web-based businesses" to alert consumers if there is a security breach of their electronic health information. If the health information of 500 or fewer consumers is breached, the health service provider must alert only the affected consumers. If the health data of more than 500 consumers is breached, the service provider must also alert the media, according to the FTC ruling.
Interestingly, the FTC explains that the new rule applies to these groups: vendors of personal health records, which it defines as "online repositories that people can use to keep track of their health information," and "entities that offer third-party applications for personal health records." The FTC describes these third-party applications as devices like blood pressure cuffs or pedometers, which consumers can use to upload health and fitness data into their personal health records.
"Many entities offering these types of services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), which applies to health care service providers such as doctors' offices, hospitals, and insurance companies," the FTC's press release states. "The Recovery Act requires the Department of Health and Human Services to conduct a study and report by February 2010, in consultation with the FTC, on potential privacy, security, and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA. In the meantime, the Act requires the Commission to issue a rule requiring these entities to notify consumers if the security of their health information is breached."
For more on the FTC's final rules regarding data breaches and PHRs, read the agency's press release here.