Are you in the business of offering or maintaining personal health records? Does your company offer products or services that interact with personal health records – for example, an online weight tracking program that sends information to a personal health record or pulls information from it? If that describes your line of work – and if you’re not covered by the Health Insurance Portability & Accountability Act (HIPAA) – the law requires you to take steps if you’ve had a breach involving information in a personal health record not secured in a certain way.

Under the law, 16 C.F.R. Part 318, you must:

  1. Notify everyone whose information was breached;
  2. In many cases, notify the media; and
  3. Notify the Federal Trade Commission (FTC).

The FTC has designed this form to make it easier for you to report a breach to them. For more on notifying the people whose information was breached, visit

Download the FTC Rule, as published in the Federal Register, HERE.  (PDF format, 88 pgs, 387KB)

Download the FTC Breach Notification Form, HERE. (PDF format, 3 pgs, 198KB)
