FTC Seeks Comment as Part of Review of Health Breach Notification Rule

The Federal Trade Commission is seeking comment on whether proposed changes should be made to a decade-old rule that requires certain companies that provide or service personal health records to notify consumers and the Commission of a data breach.

The Health Breach Notification Rule, which went into effective in 2009, requires vendors of personal health records and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPPA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. Currently, the Rule requires such entities to provide notifications within 60 days after discovery of the breach. If more than 500 individuals are affected by a breach, however, entities must notify the FTC within 10 business days.

The Health Breach Notification Rule review is part of the FTC’s periodic review of its rules to ensure they are keeping pace with changes in the economy, technology, and business models. In addition to standard questions about the Rule’s effectiveness and benefits, and whether it should be retained, changed or eliminated, the FTC also is seeking comment on such issues as:

  • whether the Rule has resulted in under-notification, over-notification, or an efficient level of notification;
  • whether the Rule’s definitions should be modified to reflect legal, economic, and technological changes;
  • whether the timing requirements and methods for reporting a breach are adequate;
  • the implications for enforcement raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platform health tools; and
  • whether and how the Rule should address any developments in health care products or services related to COVID-19.

The FTC will be accepting comment on these questions for 90 days after the Rule review notice is published in the Federal Register. Instructions on how to file comments can be found in the Federal Register notice. Once processed, the comments on the Rule review will be posted to Regulations.gov.

The Commission voted 5-0 to publish the Rule review notice in the Federal Register.

IR Press

Recent Posts

OCC Announces Enforcement Actions for November 2024

WASHINGTON—The Office of the Comptroller of the Currency (OCC) today released enforcement actions taken against…

4 hours ago

Treasury Sanctions Gazprombank and Takes Additional Steps to Curtail Russia’s Use of the International Financial System

Treasury imposes sanctions on dozens of Russian banks, securities registrars, and finance officials; OFAC issues…

20 hours ago

Acting Comptroller Testifies on State of the Federal Banking System

WASHINGTON—Acting Comptroller Michael J. Hsu today testified on the state of the federal banking system…

1 day ago

Remarks by Assistant Secretary for International Finance Brent Neiman on the U.S. Cross-Border Payments Agenda

As Prepared for Delivery Thank you very much for the opportunity to be here today, and…

3 days ago

Remarks by Assistant Secretary for Investment Security Paul Rosen at the Third Annual CFIUS Conference

As Prepared for Delivery Good afternoon.  I’d like to start by thanking our panelists today for…

3 days ago