February 09, 2022    

Evaluating the FTC’s Interpretation of the Health Breach Notification Rule

This Briefing is brought to you by AHLA’s Health Information and Technology Practice Group.
  • Adam H. Greene, Davis Wright Tremaine LLP
  • Ty Kayam, Microsoft

On August 25, 2009, the Federal Trade Commission (FTC) issued the Health Breach Notification Rule (Breach Rule), which requires vendors of personal health records and related entities to provide notice to consumers following a breach. After over a decade without any enforcement of the Breach Rule, the FTC issued a policy statement in September 2021 clarifying that health apps and connected device companies must comply with the Rule. While the FTC describes this policy statement as a clarification of the Breach Rule, there are arguments that the policy statement actually expands the scope of the Breach Rule beyond the FTC’s statutory authority. In January 2022, the FTC followed up its policy statement with compliance resources that reinforce its interpretation. This briefing explores the history of the Breach Rule and the FTC’s September policy statement and analyzes whether the FTC’s “clarification” of the definition of “personal health record” exceeds the FTC’s statutory authority.