Skip to Content

On Friday, May 8, the Federal Trade Commission released a request for public comment on the Health Breach Notification Rule. This Rule, which went into effect in 2009, mandates the disclosure of data breaches by vendors that handle personal health data but are not covered by the Health Insurance Portability and Accountability Act.

Opportunity for Public Comments

The Agency is seeking comment on a variety of issues, including:

  • Whether the Rule has resulted in under or over-notification
  • Whether the Rule’s definitions should be modified to reflect legal, economic, and technological changes
  • Whether the timing requirements and methods for reporting a breach should be altered
  • The implications for enforcement raised by direct-to-consumer technologies
  • Whether and how the Rule should address developments in healthcare products and services related to COVID-19

The FTC will accept comments on these questions for 90 days once the Rule review notice is published in the Federal Register.

What does the current Rule require?

As currently written, the Rule requires covered companies to notify the FTC within 10 days after discovering a breach if more than 500 people are affected, and within 60 days if fewer individuals are affected.

To date, the Rule has not garnered much attention, with no enforcement actions over the past decade, and only two companies notifying the FTC about breaches affecting more than 500 people.

While the request for comment is part of the Agency’s standard review process, it comes at a time when telehealth services are growing, and more technologies are being used to treat patients from afar, including virtual assistants and health apps.

Our Privacy, Cybersecurity and Data Management Team will continue to monitor the latest telehealth developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape on this particular topic.