Health Breach Notification Rule

OMB 3084-0150

The Health Breach Notification Rule ("Rule"), 16 C.F.R. Part 318, requires vendors of personal health records and PHR related entities to provide: (1) notice to consumers whose unsecured personally identifiable health information has been breached; and (2) notice to the Commission. The Rule only applies to electronic health records and does not include recordkeeping requirements. The Rule requires third party service providers (i.e., those companies that provide services such as billing or data storage) to notify vendors of personal health records and PHR related entities following the discovery of a breach; those entities in turn must provide notification to consumers and the Commission. To notify the FTC of a breach, the Commission developed a form for entities subject to the Rule to complete and return to the agency.

The latest form for Health Breach Notification Rule expires 2022-06-30 and can be found here.

Latest Forms, Documents, and Supporting Material

Document Name
Form Not Applicable Notice for Health Applications (Non-Labor Costs for Breaches without Forensic Services) Form and Instruction
Form Not Applicable Notice for Health Applications (Non-Labor Costs for Breaches that include Forensic Services) Form and Instruction
Form Not Applicable Major Breaches Form and Instruction
Form Not Applicable Single-person Breaches Form and Instruction
HBNR_2024_Supporting Statement_Final .pdf Supporting Statement A
Notice for Health Applications (Non-Labor Costs for Breaches without Forensic Services) Form and Instruction
Notice for Health Applications (Non-Labor Costs for Breaches that include Forensic Services) Form and Instruction
Major Breaches Form and Instruction
Single-person Breaches Form and Instruction

All Historical Document Collections

202403-3084-001 Approved without change	Revision of a currently approved collection	2024-05-30
202305-3084-001 Comment filed on proposed rule and continue	Revision of a currently approved collection	2023-06-09
202205-3084-001 Approved without change	Extension without change of a currently approved collection	2022-06-06
201905-3084-001 Approved without change	Extension without change of a currently approved collection	2019-05-02
201601-3084-001 Approved without change	Extension without change of a currently approved collection	2016-02-03
201208-3084-004 Approved without change	Extension without change of a currently approved collection	2012-08-24
200909-3084-002 Approved without change	New collection (Request for a new OMB Control Number)	2009-09-22
200904-3084-002 Comment filed on proposed rule	New collection (Request for a new OMB Control Number)	2009-04-20

OMB Details

Single-person Breaches

Federal Enterprise Architecture: Economic Development - Business and Industry Development

Form Not Applicable

Notice of Breach of Health Information

www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/r2911002_hbn_092015.pdf

Form and instruction

Review document collections for all forms, instructions, and supporting documents - including paper/printable forms.