The Federal Trade Commission announced today that it will publish a Federal Register notice of a proposed rule requiring that consumers be notified when the security of their electronic health information is breached (the “Proposed Rule”).
The Proposed Rule is a first step in implementing the breach notification requirement of the American Recovery and Reinvestment Act of 2009 (the “Act”). The Act requires that the Department of Health and Human Services and the FTC study and, in early 2010, publish a report on potential privacy, security, and breach notification requirements to be applicable to vendors of personal health records and any third-party entities from which those vendors purchase services.
In the interim, the Act requires that the FTC issue a temporary rule requiring these entities to notify consumers if the security of their health information is breached; that temporary rule is the Proposed Rule announced today. Most importantly, the Proposed Rule defines what actions trigger the notice, as well as the timing, method, and content of notice. The notice will be published in the Federal Register shortly, and is available now on the FTC’s web site.

