The Federal Trade Commission (FTC) posted its proposed rule today implementing new breach notification requirements for health records, which were required to be promulgated by the Health Information Technology for Economic and Clinical Health ("HITECH") Act.  The FTC rule will apply to vendors of personal health records and related entities not covered directly by HIPAA.  

The Department of Health and Human Services is required to issue by August 17, 2009 proposed rules pertaining to similar breach notification provisions applicable to entities covered by HIPAA, namely Covered Entities (health care providers; health plans; clearinghouses) and now, as a result of the HITECH Act, Business Associates.  

To review the text of the FTC’s proposed rule, click herePublic comments are due on June 1, 2009.