FTC Released a Guide Complying with the FTC’s Health Breach Notification Rule (January 2022)

FTC Guide: Complying with FTC’s Health Breach Notification Rule

January 2022

The Federal Trade Commission (“FTC”) released a guide, Complying with the Health Breach Notification Rule, which outlines the responsibilities of companies that collect and manage personal health information but are not covered by HIPAA. As health apps and connected devices become more prevalent, the need for clear rules on protecting consumer health data has intensified. Under this rule, organizations that deal with personal health records (PHRs), including vendors, related entities, and third-party service providers, are required to notify affected individuals, the FTC, and in some cases the media in the event of a breach involving unsecured, identifiable health information.

A breach is defined as the unauthorized acquisition of this health information, which can occur through various means, including theft or unapproved access by employees. The rule specifically applies to electronic records and excludes breaches involving only paper records. Notifications must be made to affected individuals without unreasonable delay and within 60 days of discovering the breach. If the breach affects 500 or more individuals, the FTC must be notified within 10 business days; for smaller breaches, the notification can be included in an annual report.

Organizations are advised to provide clear, comprehensible notifications detailing what happened, what information was involved, potential risks for identity theft, and steps individuals can take to protect themselves. In cases where direct notification is impossible due to outdated contact information, substitute notifications via public media or website postings are required. Additionally, the rule allows for penalties for non-compliance, which can reach significant amounts per violation.

The FTC's guidance emphasizes the importance of consumer protection in the evolving landscape of digital health information and holds companies accountable for safeguarding sensitive health data.


For more information, see here: https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0

AND

https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html


These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works. These may not be the most recent versions. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.