Last week, the Federal Trade Commission published a Notice of Proposed Rulemaking on notification for security breaches involving electronic health information. The FTC issued the proposal pursuant to the health information technology provisions of the American Recovery and Reinvestment Act (ARRA), signed into law on February 17th, 2009. The Commission’s proposal would require vendors of personal health records to notify affected individuals who are U.S. citizens or residents if their personal health information is subject to a security breach. In addition, vendors must notify the FTC no later than five business days after discovering a breach that affects 500 or more individuals; for breaches affecting fewer than 500 individuals, vendors must instead maintain a log of the breaches and submit it annually to the Commission.
The FTC’s Rule will apply to vendors of personal health records and to entities that offer products or services through the websites of such vendors. Also within the Rule’s scope are entities that are not covered by the Department of Health and Human Services’ (HHS) rules but that offer products or services through the websites of HHS-covered entities, as well as entities that interface with an individual’s personal health records. Because ARRA does not limit the FTC’s enforcement authority under these provisions to its existing jurisdiction under Section 5 of the FTC Act, the proposed Rule would apply to these entities whether or not they would otherwise fall within the scope of the FTC’s regulatory jurisdiction.
Public comments on the proposed rule are due by June 1, 2009. Currently, the rule is set to apply to breaches discovered on or after September 18, 2009.