The proposed rule requiring EMR Vendors to notify individuals if there is a breach of security re their health records is logical, morally justified and should apply to all entities electronically storing sensitive personal ID information.. ID theft is pandemic. Hospitals in particular are especially vulnerable. The student health service at Berkeley was hacked for 160,000 records dating to 1999. They did not need a ruling to begin notifications, but that may not be applicable to all. There needs to be timeliness requirements and penalties for non-compliance. The legal ramifications for non-compliance are obvious. The ruling , however, addresses the problem of identity theft after the fact. There are advanced solutions for mitigating ID theft and one such solution is the biometric fingerprint solution just entering the market from Me4Sure, Inc. One impediment to the adoption of EMRs is the security vulnerability issue. I hope that these comments will be useful and helpful.