Introduction

The Federal Trade Commission’s (FTC) Health Breach Notification Rule ( the “FTC Rule”) codifies a federal data breach notification standard in the rules of the Code of Federal Regulations (CFR), pursuant to the FTC’s authority under section 13407 of the American Recovery and Reinvestment Act of 2009, a law intended to encourage the use of health information technology. 

Applicability

The FTC Rule covers three types of entities—(1) a vendor of personal health records (PHR); (2) a PHR-related entity; and (3) a third-party service provider for a vendor of PHR or a PHR-related entity. The FTC Rule does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity. 

A breach under this rule means an unauthorized acquisition of unsecured PHR identifiable health information. This term not only includes personally identifiable health information but has also been extended to information that has been provided by the individual and that identifies them. The term “unsecured” means that the information has not been protected through the use of an HHS approved technology or methodology (e.g. encryption).

Requirements

Vendors of PHR and the PHR-related entities must each notify the data subject and the FTC about the breach. In cases that involve 500 or more data subjects within a single state, prominent news media must be notified. Third-party service providers are only required to notify the vendor of PHR or PHR-related entities to which they provide services. In all cases, notification shall be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security. The only exception is where law enforcement makes a determination that notification would impede a criminal investigation or cause damage to national security.

Notification to affected data subjects must state basic information about the breach, the information that was taken, what actions the data subject may take to protect against use of the information, and what actions the entity is taking to investigate, mitigate harm, and protect against further breaches. The notification must also provide contact information that data subjects can use to make inquiries.

Notification to affected data subjects must be sent by first class mail. Notices may be sent via email only if the data subject was given an opportunity to choose notification by mail but did not make that selection. Alternative means of notice, such as a website posting or major print/broadcast media, are available when the entity determines that ten or more data subjects have provided insufficient or out-of-date contact information.

Enforcement & Liability

A violation of the FTC Rule constitutes an unfair and deceptive act under § 18(a)(1)(B) of the Federal Trade Commission Act (FTCA). The FTC enforces violations of the FTCA in administrative enforcement actions and in federal court by agreement with the U.S. Dept. of Justice (DOJ).