The new FTC Rule was created in parallel to the HHS Rule. Its purpose is to impose similar breach notification requirements on the newer web-based entities that collect health information. Accordingly, the FTC Rule applies to “vendors of personal health records [“PHR”], PHR related entities, and third party service providers.” If “unsecured” “PHR individually identifiable health information” is breached, the FTC Rule requires notification of the affected party (e.g., the individual, hospital, or physician group) and, depending on the circumstances, the FTC and the media. A “breach” generally occurs whenever there is an unauthorized acquisition of a personal health record that personally identifies the individual. To keep the two rules consistent, the FTC Rule’s definition of “unsecured” information is the same as the HHS Rule’s.
Providers and other entities that handle individual health records and information are well advised to consult legal counsel in the event of a known or suspected breach. For further detail, refer to the text of the HHS Rule and the FTC Rule themselves.