In the last week of August, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) officially published their final rules concerning consumer notification of breaches of protected health information (“PHI”). Congress mandated that both rules be issued under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, part of the American Recovery and Reinvestment Act of 2009.

The HITECH Act expanded the reach of the health data breach notification rules to personal health record (PHR) vendors and entities that market devices that allow consumers to upload their own health information. Examples of such devices include body composition analyzers, blood pressure cuffs and pedometers. This is the first time that federal medical privacy regulations have been applied to organizations that are not “covered entities” or their business associates, and also the first time that HHS and the FTC have been directed by Congress to engage in coordinated rulemaking.

Click here to read a Client Advisory by Edwards Angell Palmer & Dodge regarding the new health data breach notification rules.