Not a Covered Entity? FTC’s Health Breach Notification Rule: What You Need to Know

By: Christopher A. Parrella, Esq., CPC, CHC, CPCO, Parrella Health Law, Boston, MA. A Health Care Provider Defense and Compliance Firm.

In today’s tech-driven world, health apps and connected devices like fitness trackers and blood pressure monitors are increasingly part of our everyday lives. While many think of HIPAA as the primary protection for health information, it only applies to entities like hospitals, doctors’ offices, and insurance companies. But what about the health data collected by apps and devices that fall outside of HIPAA’s coverage? This is where the Federal Trade Commission’s (FTC) Health Breach Notification Rule steps in.

What is the Health Breach Notification Rule?

The Health Breach Notification Rule, enforced by the FTC, requires vendors of personal health records (PHRs), PHR-related entities, and third-party service providers to notify consumers, the FTC, and, in some cases, the media when there has been a breach of unsecured, individually identifiable health information. This rule applies to companies not covered by HIPAA but still handling sensitive health information.

With July 2024 amendments in place, businesses in this space must now be more vigilant than ever. The rule applies to a wide range of businesses, including makers of health apps, connected devices, and third-party service providers offering services related to personal health records.

Who Needs to Comply?

You are likely covered by the FTC’s rule if your business falls under one of these categories:

Vendor of personal health records: If your app or device collects health information and can sync with other health data sources, you’re probably a vendor of PHRs.

PHR-related entity: If your business interacts with a vendor of PHRs, offering products or accessing identifiable health data, you fall under this category.

Third-party service provider: If your business provides services like billing, data storage, or IT support to vendors of PHRs, you must comply with the rule.

When is Notification Required?

If there’s an unauthorized acquisition of unsecured PHR identifiable health information, the notification process is triggered. For example:

A stolen laptop containing health data.

Unauthorized access to personal health records by a staff member.

Sharing identifiable health information with third parties without user consent.

Notifications must be provided to affected consumers, the FTC, and in some cases, the media. Depending on the scale of the breach, timelines for reporting can vary, but companies must act swiftly—typically within 60 days of discovery.

What Happens if a Breach Occurs?

If your company experiences a breach, here’s what you need to do:

  1. Notify the affected individuals within 60 days.
  2. Report the breach to the FTC using their online notification form.
  3. If the breach affects more than 500 people in a specific state or territory, notify the media as well.

Your notification should be clear and easy to understand, avoiding technical jargon, and include essential details such as the nature of the breach, the data involved, and steps the affected individuals can take to protect themselves.

Why Compliance Matters

Failure to comply with the FTC’s Health Breach Notification Rule can result in steep penalties, with fines of up to $51,744 per violation. The FTC takes data breaches seriously, especially in cases involving sensitive health information.

What to Do Next

If your business is covered by the Health Breach Notification Rule, it’s critical to have a breach response plan in place. This should include:

Proper data encryption and security measures to protect health information.

A clear process for reporting breaches internally and to affected parties.

Regular training for employees on data privacy and security best practices.

Have questions about your obligations under the Health Breach Notification Rule? At Parrella Health Law, we specialize in helping businesses navigate the complexities of health data privacy laws. If you need assistance ensuring your company is compliant, contact us at 857-328-0382 or reach out directly to Chris at cparrella@parrellahealthlaw.com.

Stay proactive—protect your business and your customers today.

Christopher A. Parrella, Esq., CPC, CHC, CPCO, is a leading healthcare defense and compliance attorney at Parrella Health Law in Boston. With extensive experience in healthcare law, he provides robust legal support in areas including regulatory compliance, audits, healthcare fraud defense, and reimbursement disputes. Christopher emphasizes client-centered advocacy, offering one-on-one consultations for personalized guidance. His proactive approach helps clients navigate complex healthcare regulations, ensuring compliant operations and defending against government investigations, audits, and overpayment demands.
