Legal Updates

8/19/2009

FTC Finalizes Security Breach Notification Rules, HHS Delayed

As required by the American Recovery and Reinvestment Act of 2009 (ARRA), on August 17, 2009 the Federal Trade Commission (FTC) timely issued final guidance regarding security breach notification requirements for certain web-based entities that collect personal health information.

Specifically, the final FTC rule only focuses on regulating vendors of personal health records (PHRs) and online applications designed to interact with such PHRs that are not commonly otherwise regulated under the privacy and security rules of Health Insurance Portability and Accountability Act (HIPAA). Accordingly, the FTC’s rules expand the scope of entities that must take certain actions in the event of a PHR security breach, but the rules do not apply to HIPAA Covered Entities or Business Associates.

The Department of Health and Human Services (HHS) is charged with issuing and enforcing similar security breach notification requirements for HIPAA Covered Entities and Business Associates by August 17, 2009, but it has not done so at the time of this publication. HHS has not commented on when such guidance will be issued, but we will keep you appraised of any developments. In the meantime, if you have any questions, please contact the authors or any member of McGuireWoods Healthcare or Employee Benefits teams. For information on this and related regulatory and business matters, please visit our Stimulus Package page.

If you would like to receive our legal news updates by e-mail, please use our online sign-up form.

McGuireWoods news is intended to provide information of general interest to the public and is not intended to offer legal advice about specific situations or problems. McGuireWoods does not intend to create an attorney-client relationship by offering this information, and anyone's review of the information shall not be deemed to create such a relationship. You should consult a lawyer if you have a legal matter requiring attention.