Business Blog
Asking for your insights into the Health Breach Notification Rule
Next on the FTC’s regulatory review calendar: the Health Breach Notification Rule. In place since 2009, the Rule requires vendors of personal health records and related entities that aren’t covered by HIPAA to notify individuals, the FTC, and, in some cases, the media when there has been a breach of unsecured personally identifiable health data. We’d like your perspectives on how the Rule has been working.
As it now stands, companies must provide notifications required by the Rule within 60 days of discovering the breach. However, if more than 500 people are affected, the FTC must be notified within 10 days. The Rule includes other specifics on the timing, method, and content of the notice.
You’ll want to read the Federal Register Notice for details, but here are some of the issues we hope you’ll weigh in on:
- Is there a continuing need for the Rule? Why or why not?
- Have there been developments in the legal, economic, and technological landscape that suggest it’s time for modifications?
- If so, what changes should be made? And what would the impact be on consumers and businesses, including small businesses?
- Are the timing requirements and reporting methods adequate?
- As the healthcare industry adopts standardized application programming interfaces (APIs) to help people access their health information on mobile devices, will the number of entities covered by the Rule increase?
- Has that Rule harmonized with the requirements of HIPAA?
- Does the Rule accomplish the goal of advancing the use of health information technology while strengthening the privacy and security protections for that data?
- Does the Rule appropriately address direct-to-consumer technologies – for example, mobile health apps, virtual assistants, and platform health tools?
- Have there been developments in health care products or services related to COVID-19 that should be addressed?
Once the notice runs in the Federal Register, you’ll have 90 days to file your comment, which will appear on Regulations.gov.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.