The Federal Trade Commission (“FTC” or “Commission”) is issuing this final rule, as required by the American Recovery and Reinvestment Act of 2009 (the “Recovery Act” or “the Act”). The rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.
DATES: This rule is effective [insert date 30 days after date of publication in the FEDERAL REGISTER]. Full compliance is required by [insert date 180 days after date of publication in the FEDERAL REGISTER].
The rule can be found on the FTC’s site (pdf, 88 pp.). There will be more coverage of this after everyone has a chance to read through it.
See also the Health Breach Notification form (pdf) and the FTC’s press release.