By Joseph Goedert

Provisions in the economic stimulus bill impose new consumer protection requirements on vendors of personal health records.

The vendors must notify affected individuals following the discovery of a breach of unsecured identifiable health information in PHRs. Vendors also must notify the Federal Trade Commission.

Further, a third-party service provider that provides services to a PHR vendor or covered entities that offer PHRs must notify affected vendors or entities of a breach. "Such notice shall include the identification of each individual whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, accessed, acquired or disclosed during such breach," according to the legislation.

The FTC shall treat violations as unfair and deceptive acts or practices under the Federal Trade Commission Act. The legislation requires the FTC to publish interim final regulations within 180 days of enactment.

The requirements will remain in effect unless Congress enacts new legislation governing PHR breach notifications.

For more information, see Sec. 13407 of H.R. 1, the American Recovery and Reinvestment Act of 2009, at

This article was originally published on
