Pub. L. No. 111-5, 123 Stat. 115, codified in relevant part at 42 U.S.C. § 17937 and 17953
This Act directs the FTC to issue a rule requiring certain entities that obtain consumers' personal information but are not subject to the Health Insurance Portability & Accountability Act ("HIPAA"), Pub. L. No. 104-191, 110 Stat. 1936, such as many vendors of personal health records and third party service providers, to notify affected individuals and the FTC (which notifies the Secretary of Health and Human Services) in the event of a data breach or inadvertent disclosure of unsecured identifiable health information in personal health records.