Five notes:
1. The Health Breach Notification Rule went into effect in 2009 and requires non-HIPAA-covered EHR vendors and service providers to alert individuals and the FTC of a breach of unsecured personally identifiable health data.
2. The rule requires EHR vendors and service providers to notify affected individuals within 60 days of the discovery of a breach. If more than 500 individuals are affected, the FTC must be notified within 10 business days.
3. The FTC is seeking comment on whether the rule should remain as is, be altered or eliminated.
4. The commission is requesting comment on issues such as the rule’s timing requirements, implications for enforcement raised by mobile health apps and virtual assistants, and whether the rule should address any developments in healthcare related to COVID-19.
5. The FTC will accept comment on the rules for 90 days after the review notice is published in the Federal Register.