Attorney

3084-AB56 202310 The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions 3084 Federal Trade Commission FTC Health Breach Notification Rule

On May 22, 2020, the Commission initiated periodic review of the Health Breach Notification Rule (Rule). 85 FR 31085 (May 22, 2020). The Commission requested comment on, among other things, whether changes should be made to the Rule in light of technological changes, such as the proliferation of apps and similar technologies. The comment period closed on August 20, 2020. The Commission received 26 public comments.

The Rule requires vendors of personal health records (PHR) and PHR-related entities to provide: (1) notice to consumers whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of a breach; (2) notice to the Commission; and (3) in some cases, the media. Under the Rule, PHR vendors and PHR- related entities must notify both the FTC and affected consumers "without unreasonable delay and in no case later than 60 calendar days" after discovery of the breach. The Rule also requires third party service providers to vendors of personal health records and PHR related entities to provide notification to such vendors and entities following the discovery of a breach.

The FTC's Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services (HHS). Also, the FTC's Rule does not apply to businesses or organizations covered by the Health Insurance Portability and Accountability Act (HIPAA). Entities covered by HIPAA must comply with HHS’ breach notification rule in the event of a security breach.

On September 15, 2021, the Commission issued a Policy Statement underscoring that the Rule covers health apps and similar technologies. Since the issuance of the Policy Statement, the Commission has brought two enforcement actions alleging violations of the Rule.

Having considered the public comments from the May 2020 periodic review, the Policy Statement, and recent enforcement actions brought under the Rule, the Commission proposed on June 9, 2023, to amend the Rule, in seven ways and requested comment on the proposed changes. 88 FR 37819 (June 9, 2023). The comment period closed on August 8, 2023, and staff is reviewing the comments.

]]> Substantive, Nonsignificant Previously Published in The Unified Agenda Proposed Rule Stage Undetermined No 16 CFR 318 sec. 13407 of the American Recovery and Reinvestment Act of 2009 No Rule Review; Request for Comments 05/22/2020 85 FR 31085 Rule Review Comment Period End 08/22/2020 Policy Statement on Health Apps 09/15/2021 NPRM 06/09/2023 88 FR 37819 NPRM Comment Period End 08/08/2023 FTC Staff Review of Public Comments 12/00/2023 Undetermined Businesses None No No https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-rulehttps://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule No No 3084-AB17 Previously reported as Elisa Jillson Attorney 3084 Federal Trade Commission FTC 202 326-3001 ejillson@ftc.gov 600 Pennsylvania Avenue NW, Washington DC 20580 Ryan Mehm Attorney 3084 Federal Trade Commission FTC 202 326-2918 rmehm@ftc.gov 600 Pennsylvania Avenue NW, Washington DC 20580 Ronnie Solomon Attorney 3084 Federal Trade Commission FTC 202 326-2098 rsolomon@ftc.gov 600 Pennsylvania Avenue NW, Washington DC 20580