Next on the FTC’s regulatory review calendar: the Health Breach Notification Rule. In place since 2009, the Rule requires vendors of personal health records and related entities that aren’t covered by HIPAA to notify individuals, the FTC, and, in some cases, the media when there has been a breach of unsecured personally identifiable health data. We’d like your perspectives on how the Rule has been working.
As it now stands, companies must provide notifications required by the Rule within 60 days of discovering the breach. However, if more than 500 people are affected, the FTC must be notified within 10 days. The Rule includes other specifics on the timing, method, and content of the notice.
You’ll want to read the Federal Register Notice for details, but here are some of the issues we hope you’ll weigh in on:
- Is there a continuing need for the Rule? Why or why not?
- Have there been developments in the legal, economic, and technological landscape that suggest it’s time for modifications?
- If so, what changes should be made? And what would the impact be on consumers and businesses, including small businesses?
- Are the timing requirements and reporting methods adequate?
- As the healthcare industry adopts standardized application programming interfaces (APIs) to help people access their health information on mobile devices, will the number of entities covered by the Rule increase?
- Has that Rule harmonized with the requirements of HIPAA?
- Does the Rule accomplish the goal of advancing the use of health information technology while strengthening the privacy and security protections for that data?
- Does the Rule appropriately address direct-to-consumer technologies – for example, mobile health apps, virtual assistants, and platform health tools?
- Have there been developments in health care products or services related to COVID-19 that should be addressed?
Once the notice runs in the Federal Register, you’ll have 90 days to file your comment, which will appear on Regulations.gov.