
FTC Seeks Data Breach Notification Comments


Among the many changes to HIPAA contained in the ARRA (the Stimulus Package) is the creation of what amounts to the first national data breach notification requirement. Another provision brings an entirely new class of entities, not previously subject to HIPAA, under breach notification rules. Because this new class of non-traditional entities is not within the jurisdiction of the Department of Health and Human Services (HHS), the Federal Trade Commission (FTC) is responsible for issuing the rules that spell out how the data breach notification requirement will be implemented for them.

To that end, the FTC has issued its proposed rule identifying how the entities under its jurisdiction will have to comply. Among the noteworthy provisions in the FTC rule, just released for public comment, is a requirement to give notification of breaches arising from the disposal of hard copy records, not only of electronic releases. The FTC has also stated its intention to work with HHS to ensure that the final rules from the two agencies do not conflict. For that reason, the FTC rule serves as a good indication of what the HHS rule may look like.

The deadline for comment is June 1, 2009. NAID (the National Association for Information Destruction) will release its own comments in early May so that NAID members who wish to respond can do so with that material in hand.