Washington, DC - Next on the FTC’s regulatory review calendar: the Health Breach Notification Rule. In place since 2009, the Rule requires vendors of personal health records and related entities that aren’t covered by HIPAA to notify individuals, the FTC, and, in some cases, the media when there has been a breach of unsecured personally identifiable health data. We’d like your perspectives on how the Rule has been working.

As it now stands, companies must provide notifications required by the Rule within 60 days of discovering the breach. However, if more than 500 people are affected, the FTC must be notified within 10 days. The Rule includes other specifics on the timing, method, and content of the notice.

You’ll want to read the Federal Register Notice for details, but here are some of the issues we hope you’ll weigh in on:

Once the notice runs in the Federal Register, you’ll have 90 days to file your comment, which will appear on Regulations.gov.