The Federal Trade Commission has its ARRA homework well under way. Yesterday it announced its notice of proposed rulemaking (NPRM) on data breach notification.

The American Recovery and Reinvestment Act establishes the first federal requirements on health data breach reporting and notification. It assigns the Department of Health and Human Services to oversee organizations that qualify as covered entities and business associates under HIPAA. It assigns the FTC to oversee everyone else, including vendors of personal health records.

Both HHS and FTC are required to publish final interim regulations by August 16. The provisions become effective 30 days after publication.

According to an FTC press release, the proposed rule:

  • Requires “vendors of personal health records and related entities” to notify consumers of a breach
  • Requires a service provider to a PHR vendor to notify the vendor of a breach, which in turn must notify its customers
  • Defines the triggers for a notice, as well as the timing, method, and content of the notice
  • Requires that entities notify the FTC of a breach, which will in turn post the information on its Web site and share with HHS

The NPRM will appear in the Federal Register shortly, according to FTC.

Public comments on the notice of proposed rulemaking are due by June 1. AHIMA’s commentary will be available on this site in advance of that date.

Update April 20: HHS released its required guidance on rendering protected health information unreadable on April 17. The guidance relates to both HHS’s and the FTC’s breach notification regulations. HHS is accepting comments until May 21.