DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Health Breach Notification Rule: FTC wants your insights into proposed changes

Posted on May 19, 2023 by Dissent

From the FTC:

The Health Breach Notification Rule has been in place since 2009. Given the pace of innovation, that seems like a century in tech years. Since then, we’ve seen an explosion in the popularity of health apps, fitness trackers, and other health-related monitors. To keep up with technological developments and evolving business practices, the FTC is proposing changes to the Rule and welcomes your comments.

The Health Breach Notification Rule applies to certain businesses that aren’t covered by HIPAA – specifically, vendors of personal health records (PHR), PHR related entities, and third party service providers. When there’s been an unauthorized acquisition of a person’s unsecured, personally identifiable health information, PHR vendors and PHR related entities must (among other things) notify the FTC, consumers and, in some cases, the media. If your company is a third party service provider to a PHR vendor or a PHR related entity, you have notice requirements under the Rule, too. (Read Complying with FTC’s Health Breach Notification Rule for details.)

It’s worth noting that companies that violate the Rule may be liable for civil penalties of up to $50,120 per violation. For example, GoodRx recently paid a $1.5 million civil penalty for violating the Rule.As part of the FTC’s periodic regulatory review process, we asked for your feedback in 2020 about how the Health Breach Notification Rule is working. Based on your comments – and major developments in the health information ecosystem – the FTC is proposing changes to the Rule. You’ll want to read the Federal Register Notice for details, but here are some of the revisions under consideration:

  • Revising some definitions to make it clear the Rule applies to health apps and similar technologies not covered by HIPAA;
  • Clarifying that a “breach of security” under the Rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Revising the definition of a “PHR related entity”;
  • Clarifying what “drawn from multiple sources” means in the definition of “personal health record”;
  • Authorizing the expanded use of email and other electronic means to provide consumers with clear and effective notice of a breach; and
  • Expanding what needs to be in the notice to consumers – for example, requiring an explanation about the potential harm stemming from the breach and the names of any third parties that might have acquired the information.

The proposed Rule changes and recent law enforcement actions reflect the high priority the FTC places on protecting the privacy of consumers’ health information and letting consumers know what’s happening with their sensitive information. Once the Notice runs in the Federal Register, you’ll have 60 days to file a public comment. Save a step and file online through Regulations.gov.

Category: Commentaries and AnalysesLegislationOf Note

Post navigation

← Phishing attack affects Texas patients; at least 130,000 impacted
Rackspace gets San Antonio federal judge to toss proposed class-action suit over ransomware attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware
  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.