The Federal Trade Commission (FTC) has posted on its website a final rule requiring certain entities not covered under HIPAA to notify consumers when the security of their individually identifiable health information is breached.
The rule has been published with an effective date of Sept. 24, 2009. However, FTC has announced it will not enforce any actions for failures to provide the required notifications until Feb. 22, 2010.
This final rule contains a few changes from previous discussions. The most notable is an effort to align the requirements of the FTC Rule (which applies to entities not covered under HIPAA) with those of the HHS Rule (which applies to covered entities and business associates). As part of this effort, steps were taken to ensure that the FTC Rule does not overlap with the HHS Rule in a way that would result in multiple notifications being sent for the same breach. (The HHS interim final rule on breach notification for unsecured PHI has been published with an effective date of Sept. 23, 2009.)
See the Health Breach Notification Rule, 16 CFR Part 318, 74 Fed. Reg. 42961 (Aug. 25, 2009).