Are you in the business of offering or maintaining personal health records? Does your company offer products or services that interact with personal health records – for example, an online weight tracking program that sends information to a personal health record or pulls information from it? If that describes your line of work – and if you’re not covered by the Health Insurance Portability & Accountability Act (HIPAA) – the law requires you to take steps if you’ve had a breach involving information in a personal health record not secured in a certain way.

Under the law, 16 C.F.R. Part 318, you must:

1. Notify everyone whose information was breached;
2. In many cases, notify the media; and
3. Notify the Federal Trade Commission (FTC).

The FTC has designed this form to make it easier for you to report a breach to them. For more on notifying the people whose information was breached, visit www.ftc.gov/healthbreach.

Download the FTC Rule, as published in the Federal Register, HERE.  (PDF format, 88 pgs, 387KB)

Download the FTC Breach Notification Form, HERE. (PDF format, 3 pgs, 198KB)