As required by the American Recovery and Reinvestment Act of 2009 (ARRA),
on August 17, 2009 the Federal Trade Commission (FTC) timely issued
guidance regarding security breach notification requirements for certain
web-based entities that collect personal health information.
Specifically, the final FTC rule focuses only on regulating vendors of
personal health records (PHRs) and online applications designed to interact with
such PHRs that are not otherwise regulated under the privacy and
security rules of the Health Insurance Portability and Accountability Act (HIPAA).
Accordingly, the FTC’s rules expand the scope of entities that must take certain
actions in the event of a PHR security breach, but the rules do not apply to
HIPAA Covered Entities or Business Associates.
The Department of Health and Human Services (HHS) is charged with issuing and
enforcing similar security breach notification requirements for HIPAA Covered
Entities and Business Associates by August 17, 2009, but it has not done so at
the time of this publication. HHS has not commented on when such guidance will
be issued, but we will keep you apprised of any developments. In the meantime,
if you have any questions, please contact the authors or any member of McGuireWoods
or Employee Benefits
teams. For information on this and related regulatory and business matters,
please visit our Stimulus Package