The IT Law Wiki

Health Breach Notification Rule


Citation

Health Breach Notification Rule, 16 C.F.R. §318.

Overview

The Rule requires entities to provide data security breach notification to an individual if they have a reasonable basis to believe the data can be linked to that individual.

Under the Rule, companies that have had a security breach must:

The FTC has designed a standard form for companies to use to notify the FTC of a breach and periodically posts a list of breaches for which it received notice under the Rule. A brochure for businesses, "Complying with the FTC's Health Breach Notification Rule," explains who is covered by the Rule and offers guidance on what to do in case of a breach. FTC enforcement began on February 22, 2010.

The Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the Rule does not apply to businesses or organizations covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In case of a security breach, entities covered by HIPAA must comply with HHS' breach notification rule.
