Pub. L. 111-5, 123 Stat. 115, codified in relevant part at 42 U.S.C. §§ 17937 and 17954
This Act directs the FTC to issue a rule requiring entities that obtain consumers' personal information but are not subject to the Health Insurance Portability and Accountability Act ("HIPAA") (Pub. L. No. 104-191, 110 Stat. 1936 (1996)), such as many vendors of personal health records and third-party service providers, to notify affected individuals and the FTC (which in turn notifies the Secretary of Health and Human Services) in the event of a data breach or inadvertent disclosure of unsecured identifiable health information in personal health records. The Act also directs the Secretary of Health and Human Services, in consultation with the FTC, to complete a study and report on privacy and security requirements for such entities.