HEALTHCARE & LIFE SCIENCES

Data breach notification

Healthcare and life sciences companies face data breach notification obligations across a patchwork of overlapping federal and state authorities. The U.S. Department of Health and Human Services Office for Civil Rights enforces the HIPAA Breach Notification Rule, and the U.S. Federal Trade Commission asserts jurisdiction over non-covered entities under the Health Breach Notification Rule, which was substantially updated in 2024 to capture health apps and connected devices. State attorneys general are layering additional timelines and recipient-class requirements on top of federal floors, leaving compliance teams to reconcile conflicting clocks across jurisdictions before a single breach notice goes out.

Watch

  • FTC Health Breach Notification Rule 2024 amendments: scope expansion to health apps
  • HHS OCR enforcement pattern on 60-day HIPAA notification clock violations
  • State AG notification timelines shorter than federal floor in CA, TX, and NY
  • Proposed HHS rule to tighten breach risk assessment standards under HIPAA Security Rule

Recent material activity in Healthcare & Life Sciences

Active monitoring in place across Healthcare & Life Sciences. Material developments related to data breach notification will appear here as they are published.