United States of America: Adopted FTC Health Breach Notification Rule

On 17 August 2009, the Federal Trade Commission (FTC) adopted the Health Breach Notification Rule outlining notification requirements for vendors of personal health records, such as platforms allowing consumers to access health data and third-party applications for personal health records. In particular, the Rule requires entities to notify the consumers and the FTC of data breaches without unreasonable delay and no later than 60 days after the discovery of unauthorised data access and within 10 days if more than 500 consumers will be affected. The Rule came into force on 24 September 2009, and the FTC stated that it would enforce it starting on 22 February 2010 to enable entities to implement the new security procedures.