Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Free Newsletter Sign Up

FTC Seeks Input on Health Data Breach Notification Rule

May 8, 2020, 7:09 PM

The Federal Trade Commission is weighing potential changes to a decade-old rule governing when certain health tech companies must notify individuals of a data breach.

The FTC said Friday it’s seeking public comment on whether to modify its health breach notification rule, which requires personal health records vendors and other companies not covered by the Health Insurance Portability and Accountability Act to notify affected individuals, the agency, and in some cases, the media in the event of a health data breach.

The agency is asking for input on the rule’s effectiveness and benefits, and whether it should be left as is, changed, or eliminated altogether. It’s also requesting feedback on whether the rule should address developments in health-care products or services linked to the coronavirus and whether the timing requirements and ways to report a breach are adequate.

The rule, which took effect in 2009, typically gives entities 60 days to report a violation. However, if more than 500 individuals were impacted by the breach, the FTC must be notified within 10 business days.

The request for comment is part of the agency’s periodic review of rules to ensure it’s keeping pace with economic and technological changes, the FTC said in a statement. It comes as virtual health exchanges have become the new norm as Covid-19 surges.

The agency will receive comments for 90 days after the request is published in the Federal Register.

To contact the reporter on this story: Ayanna Alexander in Washington at

To contact the editors responsible for this story: Fawn Johnson at; Alexis Kramer at