Federal Trade Commission
The Federal Trade Commission ("FTC" or "Commission") is amending the Commission's Health Breach Notification Rule (the "HBN Rule" or the "Rule"). The HBN Rule requires vendors of personal health records ("PHRs") and related entities that are not covered by the Health Insurance Portability and Accountability Act ("HIPAA") to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.
16 CFR Part 318
RIN 3084-AB56
AGENCY: Federal Trade Commission.
ACTION: Final rule.
DATES: The amendments are effective July 29, 2024.
ADDRESSES: Relevant portions of the record of this proceeding, including this document, are available at https://www.ftc.gov and https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Ryan Mehm, (202) 326-2918, rmehm@ftc.gov, and Ronnie Solomon, (202) 326-2098, rsolomon@ftc.gov, Bureau of Consumer Protection, Federal Trade Commission.
SUPPLEMENTARY INFORMATION: The amendments: (1) clarify the Rule's scope, including its coverage of developers of many health applications (“apps”); (2) clarify what it means for a vendor of personal health records to draw PHR identifiable health information from multiple sources; (3) revise the definition of breach of security to clarify that a breach of security includes data security breaches and unauthorized disclosures; (4)…
Citation: 89 FR 47028