View Rule
View EO 12866 Meetings | Printer-Friendly Version Download RIN Data in XML |
FTC | RIN: 3084-AB56 | Publication ID: Spring 2023 |
Title: Health Breach Notification Rule | |
Abstract:
On May 22, 2020, the Commission initiated periodic review of the Health Breach Notification Rule (Rule). 85 FR 31085 (May 22, 2020). The comment period closed on August 20, 2020. The Commission staff has reviewed the comments and anticipates Commission action by June 2023. On September 15, 2021, the Commission issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule. This Rule requires vendors of personal health records (PHR) and PHR-related entities to provide: (1) notice to consumers who's unsecured PHR identifiable health information was acquired by an unauthorized person as a result of a breach; (2) notice to the Commission; and (3) in some cases, the media. Under the Rule, PHR vendors and PHR-related entities must notify both the FTC and affected consumers "without unreasonable delay and in no case later than 60 calendar days" after discovery of the breach. Among other information, the notices must provide consumers with a description of the types of unsecured health information that were involved in the breach. The FTC's Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services (HHS). Also, the FTC's Rule does not apply to businesses or organizations covered by the Health Insurance Portability and Accountability Act (HIPAA). Entities covered by HIPAA must comply with HHS’ breach notification rule in the event of a security breach. |
|
Agency: Federal Trade Commission(FTC) | Priority: Substantive, Nonsignificant |
RIN Status: Previously published in the Unified Agenda | Agenda Stage of Rulemaking: Prerule Stage |
Major: Undetermined | Unfunded Mandates: No |
CFR Citation: 16 CFR 318 | |
Legal Authority: sec. 13407 of the American Recovery and Reinvestment Act of 2009 |
Legal Deadline:
None |
|||||||||||||||
Timetable:
|
Regulatory Flexibility Analysis Required: Undetermined | Government Levels Affected: None |
Small Entities Affected: Businesses | Federalism: No |
Included in the Regulatory Plan: No | |
RIN Information URL: https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule | |
RIN Data Printed in the FR: No | |
Related RINs: Previously reported as 3084-AB17 | |
Agency Contact: Elisa Jillson Attorney Federal Trade Commission 600 Pennsylvania Avenue NW, Washington, DC 20580 Phone:202 326-3001 Email: ejillson@ftc.gov Ryan Mehm Attorney Federal Trade Commission 600 Pennsylvania Avenue NW, Washington, DC 20580 Phone:202 326-2918 Email: rmehm@ftc.gov Ronnie Solomon Attorney Federal Trade Commission 600 Pennsylvania Avenue NW, Washington, DC 20580 Phone:202 326-2098 Email: rsolomon@ftc.gov |