FTC’S HEALTH BREACH NOTIFICATION RULE

What is the FTC HEALTH BREACH NOTIFICATION RULE?

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?


The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Under the FTC’s Rule, companies that have had a security breach must:

  1. Notify everyone whose information was breached;
  2. In many cases, notify the media; and
  3. Notify the FTC.

The FTC has designed a standard form for companies to use to notify the FTC of a breach and periodically posts a list of breaches for which it’s received notice under the Rule. A brochure for businesses, Complying with the FTC’s Health Breach Notification Rule, explains who’s covered by the Rule and offers guidance on what to do in case of a breach. FTC enforcement began on February 22, 2010.

The FTC’s Health Breach Notification Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA). In case of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule. – August 2009 

COMPLYING WITH THE FTC’S HEALTH BREACH NOTIFICATION RULE

More and more, personal medical information is online. For most hospitals, doctors’ offices, and insurance companies, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of health records stored online. But many web-based businesses that collect people’s health information aren’t covered by HIPAA. These include online services people use to keep track of their health information and online applications that interact with those services.

The Federal Trade Commission (FTC), the nation’s consumer protection agency, has issued the Health Breach Notification Rule to require certain businesses not covered by HIPAA to notify their customers and others if there’s a breach of unsecured, individually identifiable electronic health information. FTC enforcement began on February 22, 2010.

Is your business covered by the Health Breach Notification Rule? Do you know your legal obligations if you experience a security breach?

WHO’S COVERED BY THE HEALTH BREACH NOTIFICATION RULE

The Rule applies if you are:

  • a vendor of personal health records (PHRs);
  • a PHR-related entity; or
  • a third-party service provider for a vendor of PHRs or a PHR-related entity.


Vendor of personal health records. For the purposes of the Rule, your business is a vendor of personal health records if it “offers or maintains a personal health record.” A personal health record is defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” For example, if you have an online service that allows consumers to store and organize medical information from many sources in one online location, you’re a vendor of personal health records. You’re not a vendor of personal health records if you’re covered by HIPAA.

PHR-related entity. Your business is a PHR-related entity if it interacts with a vendor of personal health records either by offering products or services through the vendor’s website – even if the site is covered by HIPAA – or by accessing information in a personal health record or sending information to a personal health record. Many businesses that offer web-based apps for health information fall into this category. For example, if you have an app that helps consumers manage their medications or lets them upload readings from a device like a blood pressure cuff or pedometer into a personal health record, your business is a PHR-related entity. However, if consumers can simply input their own information on your site in a way that doesn’t interact with personal health records offered by a vendor – for example, if your site just allows consumers to input their weight each week to track their fitness goals – you’re not a PHR-related entity. You’re not a PHR-related entity if you’re already covered by HIPAA.

Third-party service provider. Your business is a third-party service provider if it offers services involving the use, maintenance, disclosure, or disposal of health information to vendors of personal health records or PHR-related entities. For example, if a vendor of personal health records hires your business to provide billing, debt collection, or data storage services related to health information, you’re a third-party service provider, and covered by the Rule.

WHAT TRIGGERS THE NOTIFICATION REQUIREMENT

The Rule requires that you provide notice when there has been an unauthorized acquisition of PHR-identifiable health information that is unsecured and in a personal health record. How those terms are defined is important:

  • Unauthorized acquisition. If health information that you maintain or use is acquired by someone else without the affected person’s approval, it’s an unauthorized acquisition under the Rule. For example, say a thief steals an employee’s laptop containing unsecured personal health records or someone on your staff downloads personal health records without approval. Those are probably unauthorized acquisitions that trigger the Rule’s notification requirement.
  • PHR-identifiable health information. The notification requirements apply only when you’ve experienced a breach of PHR-identifiable health information. This is health information that identifies someone or could reasonably be used to identify someone. For example, say someone hacks into a company database that contains zip codes, dates of birth, and medication information. Even though the database didn’t contain names, it would be reasonable to believe the information could be used to identify people in the database. But what if a hacker gains access to a database that contains only city and medication data and finds out that ten anonymous individuals in New York City have been prescribed a widely-used drug? That probably wouldn’t be considered PHR-identifiable health information because it couldn’t reasonably be used to identify specific people.
  • Unsecured information. The Rule applies only to unsecured health information, defined by the U.S. Department of Health and Human Services (HHS) to include any information that is not encrypted or destroyed. If your employee loses a laptop containing only encrypted personal health records, for example, you wouldn’t be required to provide notification.
  • Personal health record. A personal health record is an electronic health record that can be “drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” If your business experiences a breach involving only paper health records – not electronic records – the FTC’s Rule doesn’t require any notification. However, because many states have notification laws that might apply, it’s wise to consult your attorney.

WHAT TO DO IF A BREACH OCCURS

If your business is a vendor of personal health records or a PHR-related entity and there’s a security breach, the Rule spells out your next steps. You must notify:

  1. each affected person who is a citizen or resident of the United States;
  2. the Federal Trade Commission; and
  3. in some cases, the media.

Here are the details of the Rule’s main requirements about who you must notify and when you must notify them, how you must notify them, and what information to include.

 

WHO you must notify and WHEN you must notify them

People: If you experience a breach of unsecured personal health information, you must notify each affected person “without unreasonable delay” – and within 60 calendar days after the breach is discovered. The countdown begins the day the breach becomes known to someone in your company – or the day someone should reasonably have known about it. Although the Rule requires you to notify people within 60 calendar days, it also requires you to act without unreasonable delay. That means if a company discovers a breach and gathers the necessary information within, say, 30 days, it is unreasonable to wait until the 60th day to notify the people whose information was breached.

The FTC: The Rule requires you to notify the FTC, but the timing depends on the number of people affected.

If the breach involves the information of 500 people or more, you must notify the FTC as soon as possible and within 10 business days after discovering the breach. To report the breach to the agency, you must use the form at www.ftc.gov/healthbreach.

If the breach involves the information of fewer than 500 people, you have more time. You must send the same standard form to the FTC – along with forms documenting any other breaches during the same calendar year involving fewer than 500 people – within 60 calendar days following the end of the calendar year. So, if your company experiences one breach in April affecting the records of 100 people and a second breach in September affecting the records of 50 people, the 60-day countdown begins January 1st of the next year.

The media: When at least 500 residents of a particular state, the District of Columbia, or a U.S. territory or possession are affected by a breach, notification takes on an extra dimension. Without unreasonable delay – and within 60 calendar days after the breach is discovered – you must notify prominent media outlets serving the relevant locale, including Internet media where appropriate. This media notice is a supplement to your notice to people whose information was breached, not a substitute for individual notices.

If your company is a third-party service provider to a vendor of personal health records or a PHR-related entity, you have notice requirements under the Rule, too. As a preliminary matter, the Rule requires those clients to tell you up front that they’re covered by the Rule. If you experience a breach, you must notify an official designated in your contract with your client – or if there is no designee, a senior official of the company – without unreasonable delay and within 60 calendar days of discovering the breach. You must identify for your client each person whose information may be involved in the breach. But it isn’t sufficient to simply send the notice and assume the ball is in your client’s court. You must get an acknowledgment that they received your notice. They, in turn, must notify the people affected by the breach, the FTC, and, in certain cases, the media.
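The clocks described above (discovery under § 318.3(c), the 60-calendar-day individual notice, the 10-business-day or annual-log FTC notice, the per-State media threshold, and the substitute-notice trigger from the next section), as an added worked example that is not part of the FTC brochure or the Rule: a small Python deadline calculator of the kind an incident-response playbook might carry. It assumes business days are Monday to Friday with federal holidays not modelled (so the FTC deadlines it computes are never later than the real ones), takes dates as ISO strings as a ticketing system would supply them, and uses constructed state counts and a constructed knowledge timeline.

```python
"""Deadline calculator for the FTC Health Breach Notification Rule (16 CFR Part 318).

Added illustration, not FTC material. Assumptions: business days are Monday-Friday
(federal holidays are not modelled, so computed FTC deadlines are never later than the
real ones); dates arrive as ISO strings from a ticketing system; state codes are examples.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Union

DateLike = Union[date, str]

# Clocks and thresholds taken from the Rule.
INDIVIDUAL_NOTICE_CALENDAR_DAYS = 60   # § 318.4(a): no later than 60 calendar days after discovery
FTC_LARGE_BREACH_BUSINESS_DAYS = 10    # § 318.5(c): 500+ individuals -> within 10 business days
FTC_LOG_DAYS_AFTER_YEAR_END = 60       # § 318.5(c): fewer than 500 -> annual log, 60 days after year end
LARGE_BREACH_THRESHOLD = 500           # § 318.5(c)
MEDIA_THRESHOLD_PER_STATE = 500        # § 318.5(b): 500+ residents of one State or jurisdiction
SUBSTITUTE_NOTICE_THRESHOLD = 10       # § 318.5(a)(2): 10+ unreachable individuals


def _as_date(d: DateLike) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def discovery_date(knowledge: List[dict]) -> date:
    """§ 318.3(c): a breach is 'discovered' on the first day it was known, or reasonably
    should have been known, to any employee, officer or agent other than the person who
    committed it. Each entry is {"who": ..., "date": ISO string, "perpetrator": bool};
    the investigation supplies 'should have known' dates as ordinary entries."""
    candidates = [_as_date(k["date"]) for k in knowledge if not k.get("perpetrator", False)]
    if not candidates:
        raise ValueError("no non-perpetrator knowledge date: discovery is undetermined")
    return min(candidates)


def add_business_days(start: DateLike, n: int) -> date:
    """Advance n business days (Mon-Fri). Holidays are deliberately counted as business
    days (assumption) so the result errs on the early side."""
    d = _as_date(start)
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class NotificationPlan:
    discovered: date
    total_affected: int
    individual_notice_by: date        # § 318.3(a)(1), § 318.4(a)
    ftc_notice_kind: str              # "within_10_business_days" or "annual_log"
    ftc_notice_by: date               # § 318.5(c)
    media_notice_states: List[str]    # § 318.5(b)
    media_notice_by: Optional[date]   # same 60-day clock as individual notice


def plan_notifications(discovered: DateLike, affected_by_state: Dict[str, int]) -> NotificationPlan:
    """Work out every clock the Rule starts for a vendor of PHRs or a PHR related entity.
    affected_by_state counts U.S. residents per State or jurisdiction (§ 318.2(g))."""
    found = _as_date(discovered)
    total = sum(affected_by_state.values())
    individual_by = found + timedelta(days=INDIVIDUAL_NOTICE_CALENDAR_DAYS)
    if total >= LARGE_BREACH_THRESHOLD:
        ftc_kind = "within_10_business_days"
        ftc_by = add_business_days(found, FTC_LARGE_BREACH_BUSINESS_DAYS)
    else:
        ftc_kind = "annual_log"
        ftc_by = date(found.year, 12, 31) + timedelta(days=FTC_LOG_DAYS_AFTER_YEAR_END)
    media_states = sorted(s for s, n in affected_by_state.items() if n >= MEDIA_THRESHOLD_PER_STATE)
    media_by = individual_by if media_states else None
    return NotificationPlan(found, total, individual_by, ftc_kind, ftc_by, media_states, media_by)


def needs_substitute_notice(undeliverable: int) -> bool:
    """§ 318.5(a)(2): once 10 or more individuals cannot be reached, substitute notice
    (90-day home-page posting or major media, with a toll-free number live 90 days) is due."""
    return undeliverable >= SUBSTITUTE_NOTICE_THRESHOLD


if __name__ == "__main__":
    # Constructed scenario: an insider exported records on 10 April 2024 and was the only
    # person who knew until the on-call engineer saw the DLP alert on 15 April (a Monday).
    knowledge = [
        {"who": "insider", "date": "2024-04-10", "perpetrator": True},
        {"who": "on-call engineer", "date": "2024-04-15"},
        {"who": "CISO", "date": "2024-04-17"},
    ]
    found = discovery_date(knowledge)                      # 2024-04-15, not the insider's date
    plan = plan_notifications(found, {"NY": 700, "NJ": 120})
    print(plan)                                            # FTC by 2024-04-29; media notice: NY
```

The computed dates are outer limits only: § 318.4(a) still requires notice without unreasonable delay, and § 318.4(b) puts the burden of documenting any delay on you, so record the knowledge entries that fed `discovery_date` as part of the incident timeline rather than discarding them once the deadline is set.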

 

HOW to notify people

The best practice in notifying people is to find out from your customers in advance – perhaps when they sign up for your service – if they’d prefer to hear about a security breach by email or by first-class mail. If you collect only email addresses from your customers, you can send them a message – or let new customers know when they sign up – that you intend to contact them by email about any security breaches. However, remember that if you plan to use email as your default method, you must give your customers the opportunity to choose first-class mail notification instead and that option must be clear and conspicuous. If email is a customer’s preference, explain how to set up any spam filters so they will get your messages.

What if you’ve made reasonable efforts to reach people affected by the breach, but you haven’t been able to contact each of them? If you fail to contact 10 or more people because of insufficient or out-of-date contact information, you must provide substitute notice through:

  1. a clear and conspicuous posting for 90 days on your home page; or
  2. a notice in major print or broadcast media where those people likely live.

Both of these forms of substitute notice must include a toll-free phone number that has to be active for at least 90 days so people can call to find out if their information was affected by the breach.

 

WHAT information to include

Regardless of the form of notification, your notice to individuals must be easy to understand and must include the following information:

  • a brief description of what happened, including the date of the breach (if you know) and the date you discovered the breach;
  • the kind of PHR-identifiable health information involved in the breach – insurance information, Social Security numbers, financial account data, dates of birth, medication information, etc.
  • if the breach puts people at risk for identity theft or other possible harm, suggested steps they can take to protect themselves. Your advice must be relevant to the kind of information that was compromised. In some cases, for example, you may want to refer people to the FTC’s identity theft website, www.ftc.gov/idtheft. In addition:
    • if the breach involves health insurance information, you might suggest that people contact their healthcare providers if bills don’t arrive on time in case an identity thief has changed the billing address, pay attention to the Explanation of Benefit forms from their insurance company to check for irregularities, and contact their insurance company to notify them of possible medical identity theft or to ask for a new account number.
    • if the breach includes Social Security numbers, you might suggest that people get a free copy of their credit report from www.annualcreditreport.com, monitor it for signs of identity theft, and place a fraud alert on their credit report. If they spot suspicious activity, they should contact their local police and, if appropriate, get a credit freeze.
    • if the breach includes financial information – for example, a credit card or bank account number – you might suggest that people monitor their accounts for suspicious activity and contact their financial institution about closing any accounts that may have been compromised.
  • a brief description of the steps your business is taking to investigate the breach, protect against future breaches, and mitigate the harm from the breach; and
  • how people can contact you for more information. Your notice must include a toll-free telephone number, email address, website, or mailing address.

ANSWERS TO QUESTIONS ABOUT THE HEALTH BREACH NOTIFICATION RULE

Here are answers to some questions businesses have asked about the FTC’s Health Breach Notification Rule:

Why did the FTC implement the Health Breach Notification Rule?

As part of the American Recovery and Reinvestment Act of 2009 – which advances the use of health information technology – Congress directed the FTC and HHS to study potential privacy, security and breach notification requirements and make recommendations. In the meantime, Congress directed the FTC to implement a temporary rule – the Health Breach Notification Rule – that non-HIPAA businesses must follow if there’s a security breach. FTC enforcement began on February 22, 2010.

It looks like someone accessed our database without our consent. We don’t know if they downloaded anything. Is that the kind of “unauthorized acquisition” that would trigger the Rule’s notification requirements?

It should trigger an examination on your part to determine your obligations under the Rule. There may be unauthorized access to data, but it’s not always clear at first blush whether the data also has been “acquired” – that is, downloaded or copied. In these cases the Rule has a rebuttable presumption: Where there has been unauthorized access, unauthorized acquisition is presumed unless you can show that it hasn’t – or couldn’t reasonably have – taken place. For example, if one of your employees accesses a customer’s personal health record without authorization, the Rule presumes that because the data was accessed, it has been “acquired,” and you must follow the breach notification provisions of the Rule. But you can overcome that presumption by establishing and enforcing a company policy – one that says if an employee inadvertently accesses a health record, he or she must not read or share the information, must log out immediately, and then must report the access to a supervisor right away. If the employee says he or she didn’t read or share the information and you conduct a reasonable investigation that corroborates the employee’s version of events, you may be able to overcome the presumption.

Consider another situation involving a lost laptop that contains personal health records. You could rebut the presumption of unauthorized acquisition if the laptop is recovered and forensic analysis shows that files were not opened, altered, transferred, or otherwise compromised.

Our business is in the “HIPAA business associate” category. Does the FTC’s Rule apply to us?

If your business acts solely as a “HIPAA business associate” – that is, if you handle only the protected health information of HIPAA-covered entities – the FTC’s Rule does not apply. Nor does it apply to HIPAA-covered entities, like a hospital, doctor’s office, or health insurance company. If you are a HIPAA-covered entity or act only as a HIPAA business associate, your responsibilities are in the HHS breach notification rule.

The HHS rule requires HIPAA-covered entities to notify people whose unsecured health information is breached. If you are a business associate of a HIPAA-covered entity and you experience a security breach, you must notify the HIPAA-covered entity you’re working with. Then they must notify the people affected by the breach.

We’re a HIPAA business associate, but we also offer personal health record services to the public. Which Rule applies to us?

If your company is a HIPAA business associate that also offers personal health record services to the public, you may be subject to both the HHS and FTC breach notification rules. For example, say you have your own website that offers individual customers an online service to collect their health information and you sign a HIPAA business associate agreement with an insurance company to maintain the electronic health records of its customers. In the case of a breach affecting all your users, both the FTC Rule and HHS Rule would apply. Under the FTC’s Rule, you must notify the people who use the service on your website. In addition, you must notify the insurance company so that it can notify its customers.

If you have a direct relationship with all the people affected by the breach – your customers and the customers of the insurance company – you should contract with the insurance company to notify both your clients and theirs. People are more likely to pay attention to a notice from a company they recognize.

What’s the relationship between the FTC’s Health Breach Notification Rule and state breach notification laws?

The FTC’s Rule preempts contradictory state breach notification laws, but not those that impose additional – but non-contradictory – breach notification requirements. For example, some state laws require breach notices to include advice on monitoring credit reports or contact information for consumer reporting agencies. While these content requirements are different from the FTC Rule’s requirements, they’re not contradictory. In this example, you could comply with both federal and state requirements by including all the information in a single breach notice. The FTC Rule doesn’t require you to send multiple breach notices to comply with state and federal law.

What’s the penalty for violating the FTC’s Health Breach Notification Rule?

The FTC will treat each violation of the Rule as an unfair or deceptive act or practice in violation of a Federal Trade Commission regulation. Businesses that violate the Rule may be subject to a civil penalty of up to $46,517 per violation. The maximum civil penalty for violations of Sections 5(l), 5(m)(1)(A), and 5(m)(1)(B) of the FTC Act was raised from $43,792 to $46,517 on January 6, 2022, as announced in the FTC press release “FTC Publishes Inflation-Adjusted Civil Penalty Amounts for 2022.”

Law enforcement officials have asked us to delay notifying people about the breach. What should we do?

If law enforcement officials determine that notifying people would impede a criminal investigation or damage national security, the Rule allows you to delay notifying them, as well as the FTC and if required, the media.

Where can I learn more about the FTC’s Health Breach Notification Rule?

Visit www.ftc.gov/healthbreach.

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a new video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Your Opportunity to Comment

The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency’s responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.

[Note: Edited January 2021 to reflect Inflation-Adjusted Civil Penalty Maximums.] 

Courtesy of: https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule

PART 318 - HEALTH BREACH NOTIFICATION RULE

Authority: Public Law 111-5, 123 Stat. 115 (2009).
Source: 74 FR 42980, Aug. 25, 2009, unless otherwise noted.

§ 318.1 Purpose and scope.

(a) This part, which shall be called the “Health Breach Notification Rule,” implements section 13407 of the American Recovery and Reinvestment Act of 2009. It applies to foreign and domestic vendors of personal health records, PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents. It does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.

(b) This part preempts state law as set forth in section 13421 of the American Recovery and Reinvestment Act of 2009.

§ 318.2 Definitions.

(a) Breach of security means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

(b) Business associate means a business associate under the Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936, as defined in 45 CFR 160.103.

(c) HIPAA-covered entity means a covered entity under the Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936, as defined in 45 CFR 160.103.

(d) Personal health record means an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

(e) PHR identifiable health information means “individually identifiable health information,” as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information:

(1) That is provided by or on behalf of the individual; and

(2) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

(f) PHR related entity means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that:

(1) Offers products or services through the Web site of a vendor of personal health records;

(2) Offers products or services through the Web sites of HIPAA-covered entities that offer individuals personal health records; or

(3) Accesses information in a personal health record or sends information to a personal health record.

(g) State means any of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa and the Northern Mariana Islands.

(h) Third party service provider means an entity that:

(1) Provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and

(2) Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.

(i) Unsecured means PHR identifiable information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Recovery and Reinvestment Act of 2009.

(j) Vendor of personal health records means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.

§ 318.3 Breach notification requirement.

(a) In general. In accordance with §§ 318.4, 318.5, and 318.6, each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall:

(1) Notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such breach of security; and

(2) Notify the Federal Trade Commission.

(b) Third party service providers. A third party service provider shall, following the discovery of a breach of security, provide notice of the breach to an official designated in a written contract by the vendor of personal health records or the PHR related entity to receive such notices or, if such a designation is not made, to a senior official at the vendor of personal health records or PHR related entity to which it provides services, and obtain acknowledgment from such official that such notice was received. Such notification shall include the identification of each customer of the vendor of personal health records or PHR related entity whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, acquired during such breach. For purposes of ensuring implementation of this requirement, vendors of personal health records and PHR related entities shall notify third party service providers of their status as vendors of personal health records or PHR related entities subject to this Part.

(c) Breaches treated as discovered. A breach of security shall be treated as discovered as of the first day on which such breach is known or reasonably should have been known to the vendor of personal health records, PHR related entity, or third party service provider, respectively. Such vendor, entity, or third party service provider shall be deemed to have knowledge of a breach if such breach is known, or reasonably should have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of such vendor of personal health records, PHR related entity, or third party service provider.

§ 318.4 Timeliness of notification.

(a) In general. Except as provided in paragraph (c) of this section and § 318.5(c), all notifications required under §§ 318.3(a)(1), 318.3(b), and 318.5(b) shall be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.

(b) Burden of proof. The vendor of personal health records, PHR related entity, and third party service provider involved shall have the burden of demonstrating that all notifications were made as required under this Part, including evidence demonstrating the necessity of any delay.

(c) Law enforcement exception. If a law enforcement official determines that a notification, notice, or posting required under this Part would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed. This paragraph shall be implemented in the same manner as provided under 45 CFR 164.528(a)(2), in the case of a disclosure covered under such section.

§ 318.5 Methods of notice.

(a) Individual notice. A vendor of personal health records or PHR related entity that discovers a breach of security shall provide notice of such breach to an individual promptly, as described in § 318.4, and in the following form:

(1) Written notice, by first-class mail to the individual at the last known address of the individual, or by email, if the individual is given a clear, conspicuous, and reasonable opportunity to receive notification by first-class mail, and the individual does not exercise that choice. If the individual is deceased, the vendor of personal health records or PHR related entity that discovered the breach must provide such notice to the next of kin of the individual if the individual had provided contact information for his or her next of kin, along with authorization to contact them. The notice may be provided in one or more mailings as information is available.

(2) If, after making reasonable efforts to contact all individuals to whom notice is required under § 318.3(a), through the means provided in paragraph (a)(1) of this section, the vendor of personal health records or PHR related entity finds that contact information for ten or more individuals is insufficient or out-of-date, the vendor of personal health records or PHR related entity shall provide substitute notice, which shall be reasonably calculated to reach the individuals affected by the breach, in the following form:

(i) Through a conspicuous posting for a period of 90 days on the home page of its Web site; or

(ii) In major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting shall include a toll-free phone number, which shall remain active for at least 90 days, where an individual can learn whether or not the individual’s unsecured PHR identifiable health information may be included in the breach.

(3) In any case deemed by the vendor of personal health records or PHR related entity to require urgency because of possible imminent misuse of unsecured PHR identifiable health information, that entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (a)(1) of this section.

(b) Notice to media. A vendor of personal health records or PHR related entity shall provide notice to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.

(c) Notice to FTC. Vendors of personal health records and PHR related entities shall provide notice to the Federal Trade Commission following the discovery of a breach of security. If the breach involves the unsecured PHR identifiable health information of 500 or more individuals, then such notice shall be provided as soon as possible and in no case later than ten business days following the date of discovery of the breach. If the breach involves the unsecured PHR identifiable health information of fewer than 500 individuals, the vendor of personal health records or PHR related entity may maintain a log of any such breach, and submit such a log annually to the Federal Trade Commission no later than 60 calendar days following the end of the calendar year, documenting breaches from the preceding calendar year. All notices pursuant to this paragraph shall be provided according to instructions at the Federal Trade Commission’s Web site.

§ 318.6 Content of notice.

Regardless of the method by which notice is provided to individuals under § 318.5 of this part, notice of a breach of security shall be in plain language and include, to the extent possible, the following:

(a) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

(b) A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code);

(c) Steps individuals should take to protect themselves from potential harm resulting from the breach;

(d) A brief description of what the entity that suffered the breach is doing to investigate the breach, to mitigate harm, and to protect against any further breaches; and

(e) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.

§ 318.7 Enforcement.

A violation of this part shall be treated as an unfair or deceptive act or practice in violation of a regulation under § 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

§ 318.8 Effective date.

This part shall apply to breaches of security that are discovered on or after September 24, 2009.

§ 318.9 Sunset.

If new legislation is enacted establishing requirements for notification in the case of a breach of security that apply to entities covered by this part, the provisions of this part shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.

Source: eCFR, 16 CFR Part 318, Health Breach Notification Rule
