If an entity that offers a personal health record identifies a breach of information in that record, it is required to provide notice to each impacted individual and to the FTC within 60 calendar days of discovery.

Yesterday, the FTC issued a policy statement announcing a new interpretation of the FTC’s 10-year-old “Personal Health Record Breach Notification Rule.” As the FTC acknowledges, this rule has never been enforced by the FTC. The FTC’s announcement indicates its intention to begin enforcing this rule, which allows the FTC to assess penalties of $43,792 per day of violation.

Read the full alert on the Faegre Drinker website.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Reed Abrahamson

As a member of the firm’s Privacy and Cybersecurity Team, Reed Abrahamson assists clients with identifying and addressing data privacy and security risks in business operations. A Certified Information Privacy Professional - United States (CIPP-US), he helps companies design and implement privacy and data security policies and programs, and advises clients on compliance issues related to the GDPR, CCPA, HIPAA, CAN-SPAM Act, TCPA, and other privacy laws. View Reed's full bio on the Faegre Drinker website.

About the Author: Peter Blenkinsop

Peter Blenkinsop advises clients on regulatory compliance, focusing on two distinct but overlapping areas: (i) information privacy and data protection, and (ii) medical research. View Peter's full bio on the Faegre Drinker website.