On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by the HHS Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and CMS.

This guidance relates to two breach notification regulations – one forthcoming rule to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and one issued April 20 by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities. If entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.

In addition to this guidance, HHS has issued a request for information (RFI) soliciting public comment on the ARRA breach notification provisions to inform future rulemaking and updates to the guidance. Comments must be submitted by May 21, 2009. The guidance is applicable upon issuance (April 17, 2009), but will apply to breaches 30 days after publication of forthcoming interim final regulations. If HHS determines that the guidance should be modified based on public comments, the Department will issue updated guidance prior to or concurrently with the regulations. The FTC rule, which requires vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached, is subject to public comment through June 1, 2009.