Two federal agencies have issued regulations governing when healthcare providers and related organizations must notify individuals of data breaches.
The Department of Health and Human Services (HHS) has issued an interim final rule requiring healthcare providers and other entities covered under the Health Insurance Portability and Accountability Act (HIPAA) to promptly notify individuals whose unsecured protected health information is exposed in a data breach. When a breach affects more than 500 people, the media and HHS must also be notified.
The Federal Trade Commission (FTC) has issued a final rule that serves as a companion to the HHS interim final rule. The FTC rule extends comparable breach notification requirements to vendors of personal health records and related entities that are not covered by HIPAA.