On August 17th the Federal Trade Commission finalized a rule about personal health records to be part of the economic stimulus law (ARRA).  The rule states that online personal health record (PHR) vendors must notify consumers about security breaches of their health information. 

This means that online PHR vendors such as Google Health and Microsoft HealthVault must abide by this new regulation.  Although these vendors must follow the new security PHR rule, they are not required to follow the HIPAA privacy and security conditions.  The good news is that by February 2010, the HHS and FTC will disclose prospective privacy, security and breach notification guidelines for these online businesses that are not required to follow HIPAA requirements.

As a result to the February 2010 deadline – the FTC is requiring the online business vendors to alert consumers when there is a breach in their electronic health information.  No matter what the circumstance is, the vendor is the contact that must disclose the information to the consumer.