Does your business or organization have a mobile app, website, Internet-connected device or similar technology that holds consumers’ health information? Do you provide products or services or send or receive data to or from that kind of product? Do you deal with health information while providing services to companies that offer those products?
The Federal Trade Commission’s Health Breach Notification Rule requires companies that experience a breach of consumers’ identifying health information to notify affected consumers, the FTC, and, in some cases, the media. On April 26, 2024, the Commission announced a series of amendments that, among other things, underscores the Rule's application to most health apps and similar technologies. The amendments are effective starting July 29, 2024.
Companies should report breaches to the FTC by submitting the online form: Notice of Breach of Health Information. The FTC periodically posts a list of breaches. Failure to notify the FTC, consumers, or the media, as required by the Rule, could result in an enforcement action seeking significant civil penalties. Companies that fail to comply with the Rule could be subject to penalties of up to $51,744 per violation.
Complying with the FTC’s Health Breach Notification Rule explains who’s covered by the Rule and offers guidance on what to do in case of a breach.
The FTC’s Health Breach Notification Rule applies only to identifying health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC’s Rule doesn’t apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA). In case of a breach, entities covered by HIPAA must comply with the U.S. Department of Health & Human Services (HHS) Breach Notification Rule.