Breach Reporting Rule Covers Companies Collecting and Processing Health Data: FTC Provides New Guidance

Written by

Achieved Compliance

Companies collecting and processing health data that don't fall under the requirements of the Health Information Protection and Portability Act (“HIPPA”) will want to pay close attention to new resources published on January 21, 2022 by the Federal Trade Commission. These documents provide guidance to help organizations comply with the Health Breach Notification Rule (the “Rule”).

As explained by the FTC in September 2021, the Rule applies to makers of health apps, connected devices and similar products.

The Rule requires vendors of personal health records (PHR), PHR-related entities and service providers to those entities to notify consumers and the FTC (and in certain cases, the media) when a breach of unsecured identifiable health information occurs. For example, such a breach would include instances of cybersecurity intrusions and other unauthorized access.

One of these resources – “The Health Breach Notification Rule: The Basics for Business” – provides a brief overview of the Rule and what it requires. On September 15, 2021, the FTC issued a statement clarifying that the Rule applies to most health apps and similar technologies.

The FTC notes that this document will be of interest to companies that provide products or services or send or receive data to or from apps and connected devices, or that deal with health information while providing services to companies that offer those products. Failure to notify the FTC, consumers, or the media, as required by the Rule, could result in an enforcement action seeking significant civil penalties. Companies that fail to comply with the Rule could be subject to penalties of up to $46,517 per violation per day.

The second – “Complying with the FTC’s Health Breach Notification Rule” – provides more detail about when the Rule applies, when notification is required, how to notify people and what must be included in the notification, and other measures companies must take in the event of a breach. The publication provides FAQs that provide important information about various aspects of the Rule, such as possible penalties for violations, the relationship between the Rule and state breach notification laws, and what constitutes as a security breach.

PRIVACY BLOG

Kentucky Poised to Enact State Privacy Law

The Launch of the Third Coordinated Enforcement Framework Action

Adoption of the New EU-U.S. Data Privacy Framework Approaches: What Companies Can Do Now to Prepare

Ireland Data Protection Commission Fines WhatsApp Ireland $266 Million for GDPR Transparency Violations

China Passes Personal Information Protection Law

Colorado Privacy Act Signed by Governor

European Commission Publishes Final Version of SSC, Imposes Obligations on Data Controllers and Processors

Dutch Data Protection Authority Imposes €525,000 Fine for Failure to Appoint Article 27 Representative

Companies that Comply with GDPR Reap Benefits in Jurisdictions Beyond the EU

European Commission Publishes Draft Decision Finding UK Law Provides Adequate Protections for EU Data

House of Representatives to Consider New Privacy Bill

On Sunday 7 April, U.S. House of Representative Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell, D-Wash. released a new bill – the American Privacy Rights Act (APRA).