The FTC announced that it has approved a Federal Register notice seeking public comment on a proposed rule requiring certain vendors of personal health records and related organizations to notify consumers when the security of their electronic health information has been breached. The ARRA requires HHS to conduct a study and report, in consultation with the FTC, on potential privacy, security and breach notification requirements for vendors of personal health records and related entities. The study/report must be completed by February 2010. While the study/report is being completed, the FTC has issued a temporary rule that stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which, in turn, must notify consumers of the breach. The rule also details the timing, metho d and content of the notice. It also requires entities to notify the FTC of any breaches so the FTC may post the information on its website and notify HHS. Please see here for more details.