The Federal Trade Commission just updated its Health Breach Notification Rule to revise definitions and clarify its coverage to include developers of health mobile apps and other technology. The rule, which requires vendors to notify affected consumers and the FTC following a data breach affecting personal health records, also requires additional information in notices to consumers, including names or descriptions of third parties that obtained their “unsecured” identifiable health data. Among other revisions, the new rule clarifies that the term “breach of security,” which triggers notification requirements, includes data security breaches and unauthorized disclosures.
The FTC’s Health Breach Notification Rule, originally issued in 2009, applies to foreign and domestic vendors of personal health records, related entities, and third-party service providers that are not covered under the Health Insurance Portability and Accountability Act (HIPAA) and that hold information connected to the personal health records of U.S. citizens or residents. The revised rule is scheduled to go into effect 60 days after it is published in the Federal Register.