September 8, 2009
September 2009

HHS and the FTC Issue Final Regulations for Breach Notification Requirements
What Health Care Providers Need to Know to Take Immediate Action

On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act of 2009 (the Act) into law. The Act includes ways to strengthen privacy and security provisions for health information, including provisions that require individuals to be notified following a breach of unsecured protected health information (PHI).

Pursuant to the Act, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) recently promulgated two sets of final regulations governing the breach notification requirements for HIPAA-covered entities and vendors of personal health records (vendors of PHR), respectively. These regulations become effective September 23, 2009.