September 14th, 2009 or "thereafter"
The American Recovery and Reinvestment Act of 2009 was signed into law on February 17, 2009. The "Breach" notification portion of the law goes into effect 30 days after the Secretary of HHS "promulgates" "interim final regulations". Although those are not "promulgatedt" yet, a date can be calculated.
The way I calculate this, August 16th would be when the last day "interim final regulations" could be published, add 30 days, and the notification requirements "will apply to breaches of unsecured PHI" on September 14th, 2009 or "thereafter".
American Recovery and Reinvestment Act of 2009, Subtitle D—Privacy, Sec. 13402. Notification in the case of breach.
Unusable, Unreadable, or Indecipherable? No Breach reporting required