The Federal Trade Commission is seeking comment on proposed changes to the Health Breach Notification Rule requiring EHR companies to notify consumers and the FTC of data breaches.
Five notes:
1. The Health Breach Notification Rule went into effect in 2009 and requires EHR vendors and service providers not covered by HIPAA to alert individuals and the FTC of a breach of unsecured personally identifiable health data.
2. The rule requires EHR vendors and service providers to notify affected individuals within 60 days of the discovery of a breach. If more than 500 individuals are affected, the FTC must be notified within 10 business days.
3. The FTC is seeking comment on whether the rule should remain as is, be altered or eliminated.
4. The commission is requesting comment on issues such as the rule's timing requirements, implications for enforcement raised by mobile health apps and virtual assistants, and whether the rule should address any developments in healthcare related to COVID-19.
5. The FTC will accept comment on the rule for 90 days after the review notice is published in the Federal Register.