
Enforcement of HHS and FTC Breach Notification Rules Begins Today

22 February 2010

Enforcement of the Department of Health and Human Services’ (“HHS’”) and the Federal Trade Commission’s (“FTC’s”) Breach Notification rules begins today. Both agencies initially exercised their enforcement discretion and delayed enforcement until February 22, 2010, to provide entities subject to the rules with time to implement compliance processes and procedures.

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA and their business associates to provide notification following discovery of a breach of security involving an individual’s unsecured protected health information. Under the rule, covered entities are also required to notify the HHS Secretary. For breaches affecting fewer than 500 individuals that occurred during calendar year 2009 and after the September effective date of the HHS breach rule, notification to the Secretary must be submitted by March 1, 2010.

The FTC breach rule, issued on August 17, 2009, applies to vendors of personal health records, PHR-related entities and third-party service providers. 
