View Rule


FTC RIN: 3084-AB56
Publication ID: Spring 2021
Title: Health Breach Notification Rule 
Abstract:

On May 22, 2020, the Commission initiated periodic review of the Health Breach Notification Rule (Rule). 85 FR 31085 (May 22, 2020). The comment period closed on August 20, 2020. The Commission staff is reviewing comments and intends to submit a recommendation to the Commission by Fall 2021.

This Rule requires vendors of personal health records (PHR) and PHR-related entities to provide: (1) notice to consumers whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of a breach; and (2) notice to the Commission. Under the Rule, PHR vendors and PHR-related entities must notify both the FTC and affected consumers "without unreasonable delay and in no case later than 60 calendar days" after discovery of the breach. Among other information, the notices must provide consumers with steps they can take to protect themselves from harm.

The FTC's Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services (HHS). Also, the FTC's Rule does not apply to businesses or organizations covered by the Health Insurance Portability and Accountability Act (HIPAA). Entities covered by HIPAA must comply with HHS’ breach notification rule in the event of a security breach.

 
Agency: Federal Trade Commission (FTC)
Priority: Substantive, Nonsignificant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Prerule Stage
Major: Undetermined
Unfunded Mandates: No
CFR Citation: 16 CFR 318
Legal Authority: sec. 13407 of the American Recovery and Reinvestment Act of 2009
Legal Deadline: None
Timetable:
Action                              Date         FR Cite
Rule Review; Request for Comments   05/22/2020   85 FR 31085
Rule Review Comment Period End      08/22/2020
Recommendation to Commission        08/00/2021
Regulatory Flexibility Analysis Required: Undetermined
Government Levels Affected: None
Small Entities Affected: Businesses
Federalism: No
Included in the Regulatory Plan: No
RIN Information URL: https://www.ftc.gov/news-events/press-releases/2020/05/ftc-seeks-comment-part-review-health-breach-notification-rule  
RIN Data Printed in the FR: No 
Related RINs: Previously reported as 3084-AB17 
Agency Contact:
Elisa Jillson
Attorney
Federal Trade Commission
600 Pennsylvania Avenue NW,
Washington, DC 20580
Phone: 202 326-3001
Email: ejillson@ftc.gov