FTC seeks comments on health-care vendor notification rule

The Federal Trade Commission is seeking comments as to whether changes should be made to a rule that requires when health care vendors notify individuals and others that a data breach has occurred.

Under the current decade-old law, vendors of personal health records and related entities that are not covered by the Health Insurance Portability and Accountability Act must notify individuals, the FTC and in some cases the media of a breach of unsecured personally identifiable health data, the FTC said Friday.

The rule now requires these entities to provide notifications within 60 days after the discovery of the breach and, if more than 500 individuals are affected, notify the FTC within 10 business days.

The FTC said it is seeking comment on issues including whether the rule has resulted in under-notification, over-notification or an efficient level of notification, and whether its definitions should be modified to reflect legal, economic and technological changes.