The HHS Interim Final Health Breach Notification Rule took effect on Sept. 23, 2009. The HHS Rule applies to both HIPAA-covered entities and their business associates. Under the Rule, when a breach of unsecured protected health information (“PHI”) occurs HIPAA-covered entities must notify affected individuals, the media (if the breach affects more than 500 people), and HHS, and business associates must notify the applicable HIPAA-covered entity. Though the rule officially takes effect today, HHS will not begin enforcing the rule for 180 days (March 23, 2010).

Click here to read Sonnenschein's E-Alert on the HHS Rule.

HHS is accepting comments from the public on the Interim Final Rule until Oct. 23, 2009. Those interested in filing comments can do so electronically at the Regulations.gov website.

The FTC Final Health Breach Notification Rule takes effect on Sept. 24, 2009. The FTC Rule applies to personal health record ("PHR") vendors, PHR related entities and third party service providers, and requires those entities to notify affected individuals, the media (if the breach affects more than 500 people), and the FTC when unsecured PHI is breached. Like HHS, the FTC has stated that enforcement of the rule will not begin until 180 days after publication of the Final Rule in the Federal Register (March 24, 2010).

Click here to read Sonnenschein's E-Alert on the FTC Rule.

The FTC is accepting comments from the public on the Final Rule until Oct. 24, 2009. Those interested in filing comments may do so electronically at the Regulations.gov website.