The Federal Trade Commission on Aug. 25 published in the Federal Register its final rule governing the reporting of data breaches by vendors of personal health records and online applications that interact with PHRs.
The rule has been available for more than a week but publication starts the clock on compliance (see The rule is effective Sept. 24, 2009, with full compliance required by Feb. 22, 2010. The rule explains the selected dates as follows:
"Two commenters expressed concern that the effective compliance date of 30 calendar days from the date of publication of this final rule would not allow covered entities sufficient time to come into compliance. In response, the Commission notes that the effective compliance date is mandated by the Recovery Act. Moreover, as discussed above, the Commission believes that in many instances the rule will apply to entities that already have obligations to provide notification of data breaches under certain state laws covering medical breaches. As a result, these entities can build upon their existing programs in order to come into compliance with this final rule. Nevertheless, the Commission has determined that it will use its enforcement discretion to refrain from imposing sanctions for failure to provide the required notifications for breaches that are discovered before February 22, 2010."
The Department of Health and Human Services recently published a separate rule that governs notification of data breaches by HIPAA-covered entities (see
The official final FTC rule is available at
This article can also be found at

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access