
FTC RIN: 3084-AB56 Publication ID: Spring 2024 
Title: Health Breach Notification Rule 
Abstract:

On May 22, 2020, the Commission initiated periodic review of the Health Breach Notification Rule (Rule). 85 FR 31085 (May 22, 2020). The Commission requested comment on, among other things, whether changes should be made to the Rule in light of technological changes, such as the proliferation of apps and similar technologies. The comment period closed on August 20, 2020. The Commission received 26 public comments.


The Rule requires vendors of personal health records (PHR) and PHR-related entities to provide: (1) notice to consumers whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of a breach; (2) notice to the Commission; and (3) in some cases, notice to the media. The Rule also requires third-party service providers to vendors of personal health records and PHR-related entities to provide notification to such vendors and entities following the discovery of a breach.


The FTC's Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services (HHS). Also, the FTC's Rule does not apply to businesses or organizations covered by the Health Insurance Portability and Accountability Act (HIPAA). Entities covered by HIPAA must comply with HHS’ breach notification rule in the event of a security breach.


On September 15, 2021, the Commission issued a Policy Statement underscoring that the Rule covers health apps and similar technologies. Since the issuance of the Policy Statement, the Commission has brought two enforcement actions alleging violations of the Rule.


Having considered the public comments from the May 2020 periodic review, the Policy Statement, and recent enforcement actions brought under the Rule, the Commission proposed on June 9, 2023, to amend the Rule and requested comment on the proposed changes. 88 FR 37819 (June 9, 2023). The comment period closed on August 8, 2023. On May 30, 2024, the Commission issued a Final Rule that strengthens and modernizes the Rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data. 89 FR 47028 (May 30, 2024). The Final Rule becomes effective on July 29, 2024.

Agency: Federal Trade Commission (FTC)
Priority: Substantive, Nonsignificant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Final Rule Stage
Major: No
Unfunded Mandates: No
CFR Citation: 16 CFR 318
Legal Authority: sec. 13407 of the American Recovery and Reinvestment Act of 2009
Legal Deadline: None
Timetable:
Action                               Date        FR Cite
Rule Review; Request for Comments    05/22/2020  85 FR 31085
Rule Review Comment Period End       08/22/2020
Policy Statement on Health Apps      09/15/2021
NPRM                                 06/09/2023  88 FR 37819
NPRM Comment Period End              08/08/2023
Commission Announces Final Rule      04/26/2024
Final Rule                           05/30/2024  89 FR 47028
Final Rule Effective                 07/29/2024
Regulatory Flexibility Analysis Required: No
Government Levels Affected: None
Small Entities Affected: Businesses
Federalism: No
Included in the Regulatory Plan: No
RIN Information URL: https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule
RIN Data Printed in the FR: No
Related RINs: Previously reported as 3084-AB17
Agency Contact:
Ryan Mehm
Attorney
Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20580
Phone: 202 326-2918
Email: rmehm@ftc.gov

Ronnie Solomon
Attorney
Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20580
Phone: 202 326-2098
Email: rsolomon@ftc.gov