Business Blog
Revised Health Breach Notification Rule resources spell out companies’ legal obligations
Shoppers can find a plethora of apps, trackers, and sensors that hold or capture almost every conceivable form of personal health information. If your business or nonprofit offers products like that or provides certain services to entities that do – and you aren’t subject to HIPAA – you may be covered by the FTC’s Health Breach Notification Rule (HBNR). The FTC has two new publications to help determine if the Rule applies to you and the steps you must take if there’s a breach. The FTC also unveiled another new resource to help you meet your compliance obligations.
Entities covered by the Health Breach Notification Rule must notify their customers, the FTC, and, in some cases, the media if there’s a breach of unsecured, individually identifiable health information. In September 2021, the Commission issued a Policy Statement clarifying that the Rule applies to makers of health apps, connected devices, and similar products. A breach under the HBNR includes both cybersecurity intrusions and instances of unauthorized access – for example, when sensitive health information is disclosed without the user’s authorization.
Looking for a sticky note-sized recap of what the Rule requires? Health Breach Notification Rule: The Basics For Business offers a quick introduction. If you need more detailed guidance, Complying With the FTC’s Health Breach Notification Rule addresses who’s covered, what triggers notification, and what to do if a breach occurs, including the who, when, how, and what of notification. In addition, you’ll find FAQs with answers to questions HBNR-covered organizations are asking.
Even if a business isn’t covered by the Health Breach Notification Rule, the FTC has used Section 5’s prohibition on deceptive and unfair practices to challenge illegal conduct related to the use of consumers’ health information. Of course, prevention is the best medicine, so we’ve created a new Health Privacy page where you’ll find cases, blog posts, and other materials to help companies – especially small businesses – honor established legal standards. The page includes a can’t-miss-it link that entities covered by the Rule can use to report breaches of health information.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.