The Federal Trade Commission (FTC) has released the final rules concerning breach notifications for Personal Health Information (PHI) that were required under the American Recovery and Reinvestment Act of 2009 which was passed in February (otherwise known as the stimulus package). The Department of Health and Human Services (HHS) and the FTC were tasked with issuing rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information was breached. This closes a loophole in the Health Insurance Portability and Accountability Act (HIPAA) for web-based companies that gather health information. Until now, they had typically not been covered under HIPAA. The new rules go into effect 30 days after publication in the Federal Register. The FTC plans to begin enforcement 180 days after that.
Some interesting items in the new rules:
· Encrypted data is considered secure (hope it's strong).
· The media must be notified if more than 500 individuals have had their information accessed.
· Companies have up to 60 calendar days to provide notifications.
· Law enforcement can delay notifications if it would impede an investigation or be a threat to national security.
· If the contact information for 10 or more individuals is out of date, alternate notice may be given via a posting on the vendor web site or through the media. (10 is not a lot. It might be 'easier' to find those and do the notification on your web site…and then save the postage.)
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1365176,00.html
Read the rules here.
http://www.ftc.gov/os/2009/08/R911002hbn.pdf
Posted 08-21-2009 7:45 PM by mark.painter