WPF advises FTC regarding health data breach notification rule

The World Privacy Forum filed comments on the US Federal Trade Commission’s 2023 Notice of Proposed Rulemaking regarding Health Breach Notification. This marks the second set of comments WPF has filed, our first being in 2009 on the first iteration of the Health Breach Rule.

The comments are technical and focus on the fundamental challenges that the unregulated segment of the health data ecosystem poses to consumers. Additionally, the comments discuss at length certain definitional and scope issues with the proposed rule. Of these issues, the greatest challenge in the rule is definitional. The comments discuss these challenges at length and propose a solution of “the 80-20 rule.” WPF suggested that instead of attempting to cover 100 percent of all problems with difficult definitional boundaries, the Commission cover 80 percent of the problems cleanly, with definitional boundaries that are both clear and enforceable.

WPF also requested that the FTC hold a workshop to seek solutions to consumer health data breach problems, and that the FTC create a public listing of all breaches in a portal similar to what HHS does with its breaches.

Related documents: