The Federal Trade Commission is seeking comment on whether proposed changes should be made to a decade-old rule that requires certain companies that provide or service personal health records to notify consumers and the Commission of a data breach.
The Health Breach Notification Rule, which went into effect in 2009, requires vendors of personal health records and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. Currently, the Rule requires such entities to provide notifications within 60 days after discovery of the breach. If more than 500 individuals are affected by a breach, however, entities must notify the FTC within 10 business days.
The Health Breach Notification Rule review is part of the FTC’s periodic review of its rules to ensure they are keeping pace with changes in the economy, technology, and business models. In addition to standard questions about the Rule’s effectiveness and benefits, and whether it should be retained, changed or eliminated, the FTC also is seeking comment on such issues as:
- whether the Rule has resulted in under-notification, over-notification, or an efficient level of notification;
- whether the Rule’s definitions should be modified to reflect legal, economic, and technological changes;
- whether the timing requirements and methods for reporting a breach are adequate;
- the implications for enforcement raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platform health tools; and
- whether and how the Rule should address any developments in health care products or services related to COVID-19.
The FTC will be accepting comment on these questions for 90 days after the Rule review notice is published in the Federal Register. Instructions on how to file comments can be found in the Federal Register notice. Once processed, the comments on the Rule review will be posted to Regulations.gov.
The Commission voted 5-0 to publish the Rule review notice in the Federal Register.