WASHINGTON – The Federal Trade Commission has issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached.

The rule applies to vendors of personal health records as well as businesses that offer third-party applications for PHRs. The applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records.

Many entities offering these types of services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), which applies to healthcare service providers such as doctors' offices, hospitals and insurance companies.

Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The ARRA requires the Department of Health and Human Services to conduct a study and report by February 2010, in consultation with the FTC, on potential privacy, security and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA. In the meantime, the law requires that the commission issue a rule requiring these entities to notify consumers if the security of their health information is breached. The commission announced a proposed rule in April 2009, collected public comments until June 1 and issued the final rule Monday.

The rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers.

The rule also specifies the timing, method and content of notification, and in the case of certain breaches involving 500 or more people requires notice to the media. Entities covered by the rule must notify the FTC.