Health Breach Notification Rule

Under the FTC's Health Breach Notification Rule, companies that have had a security breach must: 1. Notify everyone whose information was breached; 2. In many cases, notify the media; and 3. Notify the FTC.

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Under the FTC’s Rule, companies that have had a security breach must:

  1. Notify everyone whose information was breached;
  2. In many cases, notify the media; and
  3. Notify the FTC.

The FTC has designed a standard form for companies to use to notify the FTC of a breach and periodically posts a list of breaches for which it’s received notice under the Rule. A brochure for businesses, Complying with the FTC’s Health Breach Notification Rule, explains who’s covered by the Rule and offers guidance on what to do in case of a breach. FTC enforcement began on February 22, 2010.

The FTC’s Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA). In case of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule.