May 14, 2020

FTC Seeks Comment on Health Breach Notification Rule

The FTC is seeking comments from industry stakeholders on proposed changes to the Health Breach Notification Rule. The Rule, which went into effect in 2009, requires vendors of personal health records and related entities that are not covered by HIPAA to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. The Rule requires such entities to provide the notifications within 60 days after discovery of the breach; however, if more than 500 individuals are affected by a breach, entities must notify the FTC within 10 business days.