This advisory discusses an FTC-issued Notice of Proposed Rulemaking (the “Proposed Rule” or the “Health Breach Notification Rule”) requiring vendors of personal health records (PHR) and related entities to notify individuals when the security of their individually identifiable health information is breached. The Proposed Rule establishes a new Part 318 of Title 16 of the Code of Federal Regulations for the health breach notification requirement that was mandated by Section 13407 of the American Recovery and Reinvestment Act of 2009 (ARRA). The FTC is accepting comments on the Proposed Rule through June 1, 2009, after which the FTC will issue an interim final rule in early August, as required under ARRA.
The advisory is provided in PDF on the Alston & Bird website: http://www.alston.com/healthcare_ftc_phr_vendor_rule