WPF urges FTC Chair and Commissioners to update FTC Health Breach Notification Rule

The FTC held an historic open FTC Commission meeting on July 1, 2021, during which the Chair and Commissioners conducted their business openly and provided an opportunity for public comments. The World Privacy Forum was selected to provide a public comment, which focused on the need to update the Health Breach Notification Rule.

Our live public comments to the Commission will be made public. Here is a copy of our comments, in PDF or text, with additional background documents included.

July 1, 2021
Chair Khan and Commissioners,

Thank you for the opportunity to make a public comment at this Open FTC Commission meeting.

The FTC Health Breach Notification Rule implements the American Recovery and Reinvestment Act of 2009. Congress asked the FTC to craft a rule applicable to a vendor of PHRs or to a PHR-related entity in connection with a product or service offered by that entity. The FTC crafted an excellent rule, consistent with the limits provided by Congress.

Fifteen years ago, PHR technology was clunky, and data transfers could be challenging. Today, there is significant expansion in health data ecosystems outside of HIPAA, which include apps, smartwatches, mobile devices, and personal health records, among other devices and mechanisms.

The health ecosystem data flows outside of HIPAA protections have escaped the boundaries of the original rule. The World Privacy Forum requests that the Commission re-examine the Health Breach Notification Rule to update it. The impacts of the global pandemic have put an exclamation point on the importance of this issue.

Related documents: