FTC Proposed Amendments to Health Breach Notification Rule
The U.S. Federal Trade Commission (FTC) is proposing to amend its Health Breach Notification Rule (HBNR; 16 C.F.R. 318). The HBNR currently requires vendors of personal health records (PHR) and related entities not covered by the Health Insurance Portability and Accountability Act (HIPPA; Pub. L. No. 104-191, August 21, 1996) “to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.” The proposed amendments will revise several definitions, including “breach of security” and “PHR related entity”; clarify “what it means for a personal health record to draw PHR identifiable health information from multiple sources”; “authorize the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers”; and expand the required content provided in the notice to consumers. Public comments will be received through August 8, 2023. For additional information, see the 5/18/2023 FTC press release and 88 Fed. Reg. 37819, June 9, 2023.