FTC Proposes Breach Notification Rule for Electronic Health Data
Time 2 Minute Read

Last week, the Federal Trade Commission published a Notice of Proposed Rulemaking regarding notification for security breaches involving electronic health information. The FTC issued the proposal pursuant to certain health information technology provisions in the American Recovery and Reinvestment Act, signed into law on February 17, 2009. The Commission's proposal includes a requirement that vendors of personal health records notify U.S. citizens and residents if their personal health information is subject to a security breach. In addition, vendors must notify the FTC no later than five business days following the discovery of a breach that affects 500 or more individuals; for breaches affecting fewer than 500 individuals, they must instead maintain a log to be submitted annually to the Commission.

The FTC's Rule will apply to vendors of personal health records and to entities that offer products or services through the websites of such vendors. Also included in the Rule's scope are entities that are not covered by the Department of Health and Human Services' rules but that offer products or services through the websites of DHHS-covered entities, as well as entities that interface with an individual's personal health records. Because ARRA does not limit the FTC's enforcement authority to its jurisdiction under Section 5 of the FTC Act, the proposed FTC Rule would apply to these entities whether or not they would otherwise fall within the scope of the FTC's regulatory jurisdiction.

Public comments on the proposed rule are due by June 1, 2009. Currently, the rule is set to apply to breaches discovered on or after September 18, 2009.
