Are you in the business of offering or maintaining personal health records? Does your company offer products or services that interact with personal health records, for example an online weight tracking program that sends information to a personal health record or pulls information from it? If that describes your line of work, and you are not covered by the Health Insurance Portability & Accountability Act (HIPAA), the law requires you to take specific steps after a breach of security involving personal health record information that was not secured (for example, encrypted) in the manner specified in the HHS guidance referenced by the Rule.
Under the law, 16 C.F.R. Part 318, you must:
- Notify everyone whose information was breached;
- In many cases, notify the media; and
- Notify the Federal Trade Commission (FTC).
The FTC has designed the Breach Notification Form linked below to make it easier for you to report a breach to the Commission. For more on notifying the people whose information was breached, visit www.ftc.gov/healthbreach.
Download the FTC Rule as published in the Federal Register (PDF format, 88 pages, 387 KB).
Download the FTC Breach Notification Form (PDF format, 3 pages, 198 KB).