Are you in the business of offering or maintaining "personal health records" as defined in the FTC's Health Breach Notification Rule? Does your company offer products or services that interact with personal health records – for example, an online weight tracker that sends health information to a personal health record or pulls information from it? If that describes your business or product – and if you're not covered by the Health Insurance Portability & Accountability Act (HIPAA) – the law requires you to take steps if you've had a breach involving information in a personal health record not secured in a certain way. Under the law, you must:
- Notify everyone whose information was breached
- Notify the Federal Trade Commission (FTC); and
- In some cases, notify the media.
The FTC has designed this form for you to report a breach to us. For more on notifying the people whose information was breached, visit Complying with FTC’s Health Breach Notification Rule.
This form is only for reporting a breach of health information by organizations covered by the FTC’s Health Breach Notification Rule.
To report a company or healthcare provider for the misuse or mistreatment of health information, for unreasonable data security or privacy practices, or for any other concerns involving health information, go to . Choose "Health," and then "Any other health care problem."
If someone used your personal information to get medical care, or an identity thief used your medical benefits or health insurance, go to to create a personal recovery plan. For more information, read .
For all breaches
Submit this online form by clicking "Start Form" below. Make sure to complete all fields. Include your own contact information. Don't include any personally identifiable information involved in the breach. You should receive a reply email within two to five business days with instructions for the secure electronic submission of encrypted documents.
Timelines
For breaches involving the records of 500 or more people
Submit this online form at the same time you notify the people whose information was breached. Under the Rule, that means as soon as you can and no later than 60 days after discovering the breach.
For breaches involving the records of fewer than 500 people
Submit this online form by the 60th day of the calendar year following the breach. For example, if you discover a breach involving fewer than 500 people on September 30, 2024, submit this online form to the FTC no later than 60 days into the calendar year of 2025. If you experience multiple breaches like this in one calendar year – for example, one on September 30th in 2024 involving fewer than 500 people and another on November 1st in 2024 involving fewer than 500 people – submit this online form for each breach, and submit it to the FTC no later than 60 days into the calendar year of 2025.
Questions About Reporting a Breach?
Email the FTC at Healthbreach@ftc.gov, or call us at (202) 326-2918.
Privacy Act and Paperwork Reduction Act Statements
The form requires the person reporting the breach to provide certain information, including their name, contact phone number, and email address, as well as the name of their company and company address. The FTC may use this information to contact you to obtain additional information about the breach. The FTC Act and the Health Breach Notification Rule authorize the collection of this information. Do not include in your submission any personally identifiable information involved in the breach. To learn how we handle and safeguard your personal information, please read the FTC’s and the Privacy Act , to the extent they are applicable.
Under the Paperwork Reduction Act, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number and expiration date. The OMB control number is 3084-0150 and the expiration date is 06/30/27.