The Federal Trade Commission (“FTC” or “Commission”) is issuing this final rule, as required by the American Recovery and Reinvestment Act of 2009 (the “Recovery Act” or “the Act”). The rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.
DATES: This rule is effective [insert date 30 days after date of publication in the FEDERAL REGISTER]. Full compliance is required by [insert date 180 days after date of publication in the FEDERAL REGISTER].
The rule can be found on the FTC’s site (pdf, 88 pp.). There will be more coverage of this after everyone has a chance to read through it.
See also the Health Breach Notification form (pdf) and the FTC’s press release.