The Federal Trade Commission has issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached.
Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009. The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.
The rule can be found at http://www.ftc.gov/os/2009/08/R911002hbn.pdf. There is also a breach notification form, which can be found at http://www.ftc.gov/os/2009/08/R911002hbnform.pdf.