16 CFR 318 (FTC, active)
Health Breach Notification Rule
Plain English Summary
Requires health apps and personal health record companies to notify users when their health data is breached.
CFR Title: 16
CFR Part: 318
Effective Date: Sep 24, 2009
Jurisdiction: US
Full Text
Vendors of personal health records and related entities must notify individuals, the FTC, and in some cases the media following the discovery of a breach of unsecured individually identifiable health information. Notification must be provided without unreasonable delay and in no case later than 60 calendar days after discovery.
The rule applies to vendors of personal health records not covered by HIPAA, including health apps and wearable fitness devices. Notification must describe the breach, types of information involved, and steps individuals can take to protect themselves.
Tags: healthcare, technology, consumer