The Federal Trade Commission (FTC) recently announced a review and open comment period for the Health Breach Notification Rule, 16 C.F.R. Part 318 (the “Rule”), which requires vendors of personal health records (PHR) and related entities that aren’t covered by HIPAA to provide notice for breaches of personally identifiable health data. Since its adoption by the FTC in 2009, the Rule has been largely overshadowed by HIPAA and its implementing regulations. The FTC is now considering whether the Rule should be updated, or even pared back, to keep up with the times. The public comment period will extend until August 20, 2020.
Given the patchwork of data breach laws now in place in every state, an expansion of the Rule could very well complicate the already difficult task of data breach notification analysis for companies operating in the healthcare sector.