Introduction

Are you in the business of offering or maintaining “personal health records” as defined in the FTC’s Health Breach Notification Rule? Does your company offer products or services that interact with personal health records – for example, an online weight tracker that sends health information to a personal health record or pulls information from it? If that describes your business or product – and if you’re not covered by the Health Insurance Portability & Accountability Act (HIPAA) – the law requires you to take steps if you’ve had a breach involving information in a personal health record not secured in a certain way. Under the law, 16 C.F.R. Part 318, you must:

  1. Notify everyone whose information was breached;
  2. Notify the Federal Trade Commission (FTC); and
  3. In some cases, notify the media.

The FTC has designed this form for you to report a breach to us. For more on notifying the people whose information was breached, visit Complying with FTC’s Health Breach Notification Rule.

For all breaches

Submit this online form by clicking “Start Form” below. Make sure to complete all fields. Include your own contact information. Don’t include any personally identifiable information involved in the breach. You should receive a reply email within two to five business days with instructions for the secure electronic submission of encrypted documents.

Timelines

For breaches involving the records of 500 or more people

Submit this online form at the same time you notify the people whose information was breached. Under the Rule, that means as soon as you can and no later than 60 days after discovering the breach.

For breaches involving the records of fewer than 500 people

Submit this online form by the 60th day of the calendar year following the breach. For example, if you discover a breach involving fewer than 500 people on September 30, 2024, submit this online form to the FTC no later than 60 days into the calendar year of 2025. If you experience multiple breaches like this in one calendar year – for example, one on September 30th in 2024 involving fewer than 500 people and another on November 1st in 2024 involving fewer than 500 people – submit this online form for each breach, and submit it to the FTC no later than 60 days into the calendar year of 2025.

Questions?

Email the FTC at Healthbreach@ftc.gov, or call us at (202) 326-2918.

Paperwork Reduction Act Statement

Under the Paperwork Reduction Act, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number and expiration date. The OMB control number is 3084-0150 and the expiration date is 06/30/27.