FTC Issues Proposed Notification Rules for Breach of Health Records

The Federal Trade Commission (FTC) today posted its proposed rule implementing new breach notification requirements for health records, imposed by the American Recovery and Reinvestment Act of 2009 (ARRA). The FTC rule will apply to vendors of personal health records and related entities not covered by HIPAA (the Health Insurance Portability and Accountability Act). The Department of Health and Human Services is required to issue, by August 17, proposed rules pertaining to similar breach notification provisions applicable to entities covered by HIPAA. The FTC is the first agency to publish details for implementation of the new privacy and security provisions in ARRA. CDT will be drafting comments on the FTC proposed rule. Public comments are due on June 1, 2009.