Overview of the American Recovery and Reinvestment Act of 2009 (Recovery Act)
(Recovery Act) was signed into law by President Obama on February 17th, 2009. It is an unprecedented effort to jumpstart our economy, create or save millions of jobs, and put a down payment on addressing long-neglected challenges so our country can thrive in the 21st century. The Act is an extraordinary response to a crisis unlike any since the Great Depression, and includes measures to modernize our nation's infrastructure, enhance energy independence, expand educational opportunities, preserve and improve affordable health care, provide tax relief, and protect those in greatest need.
Implementing the American Recovery and Reinvestment Act of 2009
The Recovery Act sets forth two requirements for the FTC, both relating to health information technology:
- The Act requires that the Department of Health and Human Services (“HHSâ€) do a study and report, in consultation with the FTC, on privacy, security, and breach notification requirements for vendors of personal health records and third parties that offer products and services through the web sites of vendors of personal health records.
- The Act contains interim provisions that require notification to the FTC and to American citizens or residents for certain security breaches with respect to individually identifiable health information contained in a personal health record. The Act requires the agency to enforce breach notification requirements with respect to vendors of personal health records, as well as third parties that offer products or services through the websites of vendors of personal health records. Additionally, the FTC must adopt a rule implementing these breach notification provisions.
The Commission’s responsibilities under the Recovery Act do not involve the receipt or disbursement of any funds under the Act.
Agency Plans and Reports
The FTC plans to work with HHS on the study and report described above. The agencies plan to submit this report to Congress within one year of the enactment of the Act. The FTC also plans to adopt a rule implementing the interim breach notification provisions within six months of the enactment of the Act.