The Federal Trade Commission (FTC) has issued a final rule requiring certain Web-based personal health record (PHR) vendors to notify consumers when the security of their electronic health information has been breached.

Under the rule, PHR vendors and PHR-related entities must notify their customers in case of any breach of unsecured, individually identifiable health information. In addition, any third-party service providers of these vendors must notify them in case of a breach, so they, in turn, can notify their customers.

The final rule also specifies the timing, method and content of notification, and in cases of a breach involving 500 or more people, calls for the media to be notified.

Under the American Recovery and Reinvestment Act (ARRA) of 2009, the Department of Health and Human Services (HHS) is required to conduct a study and create a report by February 2010 on the potential privacy, security and breach-notification requirements for those vendors and PHR-related entities not covered by HIPPA. In the meantime, in order to fill that gap in coverage, the FTC was directed to come up with a breach-notification rule.

The FTC issued a proposed rule in April, collected public comments until June 1, and issued the final rule on August 17. The commission approved the rule by a vote of 4 to 0.