The new FTC Rule was created in parallel to the HHS Rule. The idea is to impose similar notification requirements on the new web-based entities that collect health information. As a consequence, the FTC Rule applies to “vendors of personal health records [“PHR”], PHR related entities, and third party service providers.”[6] If “unsecured” “PHR individually identifiable health information” is breached, the FTC Rule requires notification of the respective customer (the individual, hospital, physician group, etc.), and possibly the FTC and the media.[7] A “breach” generally occurs any time there is an unauthorized acquisition of a personal health record that personally identifies the individual.[8] To avoid redundancy, the definition of what constitutes “unsecured” information under the FTC Rule is the same as under the HHS Rule.[9]

Providers and other entities that handle individual health records and information are well-advised to consult legal counsel in the event of a known or suspected breach. For more details, the HHS Rule may be found here, and the FTC Rule may be found here.