What are the FTC Recommendations in their 2024 Health Breach Notification Rule Changes?
In April 2024, the Federal Trade Commission (“FTC”) announced the finalization of updates to the Health Breach Notification Rule (“Rule”), aiming to enhance and modernize its provisions. These changes clarify the Rule's application to health apps and similar technologies, broaden the scope of information that entities must provide to consumers in the event of a health data breach, and strengthen notification requirements.
Under the revised Rule, vendors of personal health records (“PHR”) and related entities not covered by HIPAA are mandated to notify affected individuals, the FTC, and in certain cases, the media, following the discovery of a breach involving unsecured personally identifiable health data. Additionally, third-party service providers to these vendors and entities must notify them of breaches they discover.
The key revisions include:
· Definitions Update: The Rule now explicitly covers health apps and technologies not governed by HIPAA, with revised definitions such as "PHR identifiable health information," "covered health care provider," and "health care services or supplies."
· Security Breach Clarification: It clarifies that a breach includes unauthorized acquisition or disclosure of identifiable health information resulting from a data security incident.
· Expanded Scope of PHR Related Entities: The definition now specifies entities offering products and services via vendors' online platforms, clarifying which entities qualify under the Rule.
· Enhanced Notification Requirements: The updated Rule allows broader use of electronic notifications and expands the required content of breach notifications to consumers, including disclosure of third-party recipients of breached information.
· Notification Timing: For breaches affecting 500 or more individuals, entities must notify affected parties and the FTC simultaneously, within 60 days of discovering the breach.
· Improvements in Clarity and Compliance: Changes aimed at improving readability and promoting compliance with the Rule.
These updates will take effect 60 days after publication in the Federal Register.