DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Health Breach Notification Rule: FTC wants your insights into proposed changes

Posted on May 19, 2023 by Dissent

From the FTC:

The Health Breach Notification Rule has been in place since 2009. Given the pace of innovation, that seems like a century in tech years. Since then, we’ve seen an explosion in the popularity of health apps, fitness trackers, and other health-related monitors. To keep up with technological developments and evolving business practices, the FTC is proposing changes to the Rule and welcomes your comments.

The Health Breach Notification Rule applies to certain businesses that aren’t covered by HIPAA – specifically, vendors of personal health records (PHR), PHR related entities, and third party service providers. When there’s been an unauthorized acquisition of a person’s unsecured, personally identifiable health information, PHR vendors and PHR related entities must (among other things) notify the FTC, consumers and, in some cases, the media. If your company is a third party service provider to a PHR vendor or a PHR related entity, you have notice requirements under the Rule, too. (Read Complying with FTC’s Health Breach Notification Rule for details.)

It’s worth noting that companies that violate the Rule may be liable for civil penalties of up to $50,120 per violation. For example, GoodRx recently paid a $1.5 million civil penalty for violating the Rule.As part of the FTC’s periodic regulatory review process, we asked for your feedback in 2020 about how the Health Breach Notification Rule is working. Based on your comments – and major developments in the health information ecosystem – the FTC is proposing changes to the Rule. You’ll want to read the Federal Register Notice for details, but here are some of the revisions under consideration:

  • Revising some definitions to make it clear the Rule applies to health apps and similar technologies not covered by HIPAA;
  • Clarifying that a “breach of security” under the Rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Revising the definition of a “PHR related entity”;
  • Clarifying what “drawn from multiple sources” means in the definition of “personal health record”;
  • Authorizing the expanded use of email and other electronic means to provide consumers with clear and effective notice of a breach; and
  • Expanding what needs to be in the notice to consumers – for example, requiring an explanation about the potential harm stemming from the breach and the names of any third parties that might have acquired the information.

The proposed Rule changes and recent law enforcement actions reflect the high priority the FTC places on protecting the privacy of consumers’ health information and letting consumers know what’s happening with their sensitive information. Once the Notice runs in the Federal Register, you’ll have 60 days to file a public comment. Save a step and file online through Regulations.gov.

Related posts:

  • FTC Finalizes Changes to the Health Breach Notification Rule
  • FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising
  • FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
  • FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule
Category: Commentaries and AnalysesLegislationOf Note

Post navigation

← Phishing attack affects Texas patients; at least 130,000 impacted
Rackspace gets San Antonio federal judge to toss proposed class-action suit over ransomware attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Breaches have consequences (sometimes)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity
  • Patient death at London hospital linked to cyber attack on NHS
  • ShinyHunters and team members arrested in France (2)
  • Texas Enacts Liability Shield From Punitive Damages for Certain Small Businesses That Adopt Cybersecurity Programs
  • Dublin ETB fined €125,000 for data protection breaches

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.