FTC Breach Notification Rule Is Now in Effect

The FTC final rule, issued on August 17, 2009, applies to vendors of personal health records (“PHR vendors”), PHR-related entities and third-party service providers. HIPAA covered entities and business associates (when engaging in business associate activities) are excluded from the definition of PHR vendor and PHR-related entities and instead are subject to a separate breach notification rule issued by the Department of Health and Human Services. The FTC Rule requires PHR vendors and PHR-related entities to notify consumers following discovery of a breach involving unsecured identifiable health information that is in a personal health record. The Rule also specifies timing, method and content of notification requirements. Of particular importance, for all breaches involving 500 or more consumers, the Rule requires notice to the FTC within 10 business days of discovery of the breach. Notice of smaller breaches can be provided to the agency on an annual basis.

While the Rule is now in effect, the FTC has announced it will delay enforcement of its rule until February 22, 2010 in order to give entities time to come into compliance.

Authored by Melissa Bianchi