In compliance with the American Recovery and Reinvestment Act ("ARRA"), the FTC voted today to publish a proposed breach notification rule for electronic health information. The rule would require vendors and related entities to notify consumers and the FTC when the security of personal health information is breached. In addition, service providers to these entities would be required to notify the entities of breaches, and the entities would in turn notify the consumers. The proposed rule also contains additional requirements governing the standard for determining when notice must be given as well as the timing, content, and method of the notice.
ARRA also requires the Department of Health and Human Services, in consultation with the FTC, to study and report on potential privacy, security, and notification requirements for vendors of personal health information and related entities by February 2010. Pending that report, ARRA requires the FTC to issue this temporary rule.
The rule will be published in the Federal Register in the near future, but the text of the proposed rule can be found on the FTC website at the following address: http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf. Comments will be accepted until June 1, 2009.