FTC Finalizes Security Breach Notification Rules, HHS Delayed

August 19, 2009

As required by the American Recovery and Reinvestment Act of 2009 (ARRA), on August 17, 2009 the Federal Trade Commission (FTC) timely issued final guidance regarding security breach notification requirements for certain web-based entities that collect personal health information.

Specifically, the final FTC rule only focuses on regulating vendors of personal health records (PHRs) and online applications designed to interact with such PHRs that are not commonly otherwise regulated under the privacy and security rules of Health Insurance Portability and Accountability Act (HIPAA). Accordingly, the FTC’s rules expand the scope of entities that must take certain actions in the event of a PHR security breach, but the rules do not apply to HIPAA Covered Entities or Business Associates.

The Department of Health and Human Services (HHS) is charged with issuing and enforcing similar security breach notification requirements for HIPAA Covered Entities and Business Associates by August 17, 2009, but it has not done so at the time of this publication. HHS has not commented on when such guidance will be issued, but we will keep you appraised of any developments. In the meantime, if you have any questions, please contact the authors or any member of McGuireWoods Healthcare or Employee Benefits teams. For information on this and related regulatory and business matters, please visit our Stimulus Package page.