The U.S. Department of Health and Human Services (HHS) issued its interim final rule concerning notification of breaches of health information by HIPAA-covered entities. The rule was published in the Federal Register yesterday, and will become effective 30 days from then.
The Federal Trade Commission recently issued a companion breach notification rule that covers vendors of personal health records and certain other entities not covered under HIPAA.
HHS’ rule can be found here (pdf).