Back in September, the Federal Trade Commission (FTC) issued (by a 3-2 vote) a policy statement (the Statement) regarding the oft-forgotten Health Breach Notification Rule (the Rule). I was at the FTC when the Statement was released and have since joined BakerHostetler. Around the time I joined BakerHostetler, my new colleague Melissa Hewitt published an informative blog about the Statement and what it could mean for non-HIPAA covered health apps. Now that the dust has settled, we thought it would be a good time to do a deeper dive into the Rule and provide some food for thought regarding compliance with it.
For starters, let’s get one thing out of the way. For many years, the FTC has brought case after case regarding a range of health privacy issues, and there is no reason to think that will change, particularly given congressional interest in vastly increasing the agency’s funding for privacy work. It is worth noting that the Rule is one of the FTC’s