On January 21, 2022, the Federal Trade Commission published two new resources for complying with the Health Breach Notification Rule (the “Rule”). In September 2021, the FTC issued a Policy Statement clarifying that the Rule applies to makers of health apps, connected devices and similar products. As we previously blogged, the Rule requires vendors of personal health records (“PHR”), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information, including cybersecurity intrusions and other instances of unauthorized access.

The FTC published The Health Breach Notification Rule: The Basics For Business, which provides a brief overview of the Rule and what it requires. The FTC also published Complying With the FTC’s Health Breach Notification Rule, which provides more detail regarding applicability of the Rule, what triggers notification, and what measures are required in the event of a breach. This publication also provides FAQs with answers to commonly asked questions about the Rule, such as penalties for violating the Rule and the relationship between the Rule and state breach notification laws.