Code of Federal Regulations (Last Updated: October 10, 2024) |
Title 16 - Commercial Practices |
Chapter I - Federal Trade Commission |
SubChapter C - Regulations Under Specific Acts of Congress |
Part 318 - Health Breach Notification Rule |
§ 318.5 - Methods of notice.
-
§ 318.5 Methods of notice.
(a) Individual notice. A vendor of personal health records or PHR related entity that discovers a breach of security shall provide notice of such breach to an individual promptly, as described in § 318.4 (regarding timeliness of notification), and in the following form:
(1) Written notice , by first-class mail to the individual at the last known address of the individual, or by email, if the individual is given a clear, conspicuous, and reasonable opportunity to receive notification . Written notice may be sent by electronic mail if the individual has specified electronic mail as the primary method of communication. Any written notice sent by electronic mail must be Clear and Conspicuous. Where notice via electronic mail is not available or the individual has not specified electronic mail as the primary method of communication, a vendor of personal health records or PHR related entity may provide notice by first-class mail , and the individual does not exercise that choiceat the last known address of the individual. If the individual is deceased, the vendor of personal health records or PHR related entity that discovered the breach must provide such notice to the next of kin of the individual if the individual had provided contact information for his or her next of kin, along with authorization to contact them. The notice may be provided in one or more mailings as information is available.
(2) If, after making reasonable efforts to contact all individuals to whom notice is required under § 318.3(a), through the means provided in paragraph (a)(1) of this section, the vendor of personal health records or PHR related entity finds that contact information for ten or more individuals is insufficient or out-of-date, the vendor of personal health records or PHR related entity shall provide substitute notice, which shall be reasonably calculated to reach the individuals affected by the breach, in the following form:
(i) Through a conspicuous posting for a period of 90 days on the home page of its Web sitewebsite; or
(ii) In major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting shall include a toll-free phone number, which shall remain active for at least 90 days, where an individual can learn whether or not if the individual's unsecured PHR identifiable health information may be have been included in the breach.
(3) In any case deemed by the vendor of personal health records or PHR related entity to require urgency because of possible imminent misuse of unsecured PHR identifiable health information, that entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (a)(1) of this section.
(b) Notice to media. A As described in § 318.3(a)(3), a vendor of personal health records or PHR related entity shall provide notice to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.
(c) Notice to FTC. Vendors of personal health records and PHR related entities shall provide notice to the Federal Trade Commission following the discovery of a breach of security. If the breach involves the unsecured PHR identifiable health information of 500 or more individuals, then such notice shall be provided as soon as possible and in no case later than ten business days following the date of discovery of the breachas described in § 318.4(b) (regarding timing of notice to FTC). If the breach involves the unsecured PHR identifiable health information of fewer than 500 individuals, the vendor of personal health records or PHR related entity may maintain a log of any such breach , and submit such a log annually to the Federal Trade Commission no later than 60 calendar days following the end of the calendar yearas described in § 318.4(b) (regarding timing of notice to FTC), documenting breaches from the preceding calendar year. All notices pursuant to this paragraph (c) shall be provided according to instructions at the Federal Trade Commission's Web sitewebsite.