The Health Breach Notification Rule defines when providers of health records have to report which security incidents, to whom, within what time frame and in what form. This article gives a brief overview of the requirements set by the US Federal Trade Commission (FTC).
Health Breach Notification Rule: Who must report
The Health Breach Notification Rule is addressed to manufacturers and providers of personal health records. This can also be a medical device manufacturer or a website operator. Even “third-party providers”, such as a provider of data storage for such health data, fall under the scope of the Health Breach Notification Rule.
However, the following are excluded:
- organizations that are already subject to the Health Insurance Portability and Accountability Act (HIPAA), and
- non-commercial providers.
With this rule, the FTC wants to close the regulatory gap that arises because some providers of health data are not subject to HIPAA.
When you need to do something

You must comply with the requirements of the Health Breach Notification Rule if
- you belong to the group of providers mentioned above, and
- unauthorized access to health data has taken place (e.g., through a hacker attack), and
- the data was unsecured as defined by the US Department of Health and Human Services (HHS), e.g., because it was not encrypted, and
- the data allows individuals to be identified, and
- the data was held in electronic form (i.e., paper records are not covered).
What you need to do
You must inform
- any data subjects who are US citizens or residents,
- the FTC and,
- in some cases, the media.
How quickly you need to inform
The FTC specifies the deadlines to be met when providing information within the Health Breach Notification Rule:
- Affected individuals: without unreasonable delay, and at the latest within 60 days of discovery.
- FTC: within 10 days if more than 500 individuals are affected; otherwise within 60 days after the end of the calendar year.
- Media: without unreasonable delay, and at the latest within 60 days, if 500 individuals in one state are affected.
What information you need to report/submit
You will need to provide the following information:
- a description of what happened,
- the time of discovery,
- which data was affected,
- the possible risks for those affected (including identity theft),
- the further steps being taken, and
- contact details for further information.
Change history:
- 2016-04-19: First version of the article published