The IT Law Wiki

Citation

Health Breach Notification Rule, 16 C.F.R. §318.

Overview

The Rule requires covered entities to notify an individual of a data security breach when they have a reasonable basis to believe that the breached data can be linked to that individual.

Under the Rule, companies that have had a security breach must:

The FTC has designed a standard form for companies to use to notify the FTC of a breach, and it periodically posts a list of the breaches for which it has received notice under the Rule. A brochure for businesses, "Complying with the FTC's Health Breach Notification Rule," explains who is covered by the Rule and offers guidance on what to do in case of a breach. FTC enforcement began on February 22, 2010.

The Rule applies only to health information that has not been secured through the technologies or methodologies specified by the Department of Health and Human Services (HHS). The Rule also does not apply to businesses or organizations covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); in case of a security breach, entities covered by HIPAA must comply instead with HHS's breach notification rule.
