On August 24, 2009, the Department of Health and Human Services (HHS) issued an interim final rule with comment period to implement a provision of the American Recovery and Reinvestment Act of 2009 (ARRA) requiring notification of breaches of unsecured protected health information. For purposes of determining what information is “unsecured protected health information,” HHS is also updating its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. The interim final rule is effective September 23, 2009. HHS will accept comments on the interim final rule until October 23, 2009, while comments on information collection requirements associated with the rule are due by September 8, 2009. In a related development, on August 25, 2009, the Federal Trade Commission (FTC) published a final rule that requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached, in compliance with the ARRA. The FTC rule is effective September 24, 2009, and full compliance is required by February 22, 2010. A Reed Smith analysis of the FTC rule is posted here, and a summary of the HHS rule is available here.