Form Not Applicable Not Applicable Notice of Breach of Health Information

Federal Trade Commission
The nation’s consumer protection agency

Notice of Breach of Health Information
OMB Control No: 3084-0150

Are you in the business of offering or maintaining personal health records? Does your company offer products or services
that interact with personal health records – for example, an online weight tracking program that sends information to a
personal health record or pulls information from it? If that describes your line of work – and if you’re not covered by the
Health Insurance Portability & Accountability Act (HIPAA) – the law requires you to take steps if you’ve had a breach
involving information in a personal health record not secured in a certain way. Under the law, 16 C.F.R. Part 318, you
must:
1.
Notify everyone whose information was breached;
2.
In many cases, notify the media; and
3.
Notify the Federal Trade Commission (FTC).
The FTC has designed this form to make it easier for you to report a breach to us. For more on notifying the people
whose information was breached, visit www.ftc.gov/healthbreach.
For all breaches
Complete this form. Include your own contact information. Don’t include any personally identifiable information involved
in the breach.
You have two options for submitting the form.
(1) Send it to:
Federal Trade Commission
Associate Director – HBN
Division of Privacy & Identity Protection
600 Pennsylvania Avenue, N.W.
Mail Stop CC-8232
Washington, DC 20580
Verify that the form arrived at the FTC by using a mailing method that gives you proof of delivery.
(2) Transmit your submission through our secure file transmission system. To do so, you must send an email to
[email protected] (link sends e-mail) with the subject line “HBN – Request to Submit Document.” Do not
include any details about the breach or the notification form in this request. You should receive a reply email
within two business days with instructions for the secure electronic submission of encrypted documents.
Timelines These timelines refer to when you must notify the FTC of the breach. If the law requires you to contact the
people whose information was breached, you must notify them as soon as you can – and no later than 60 days after
discovering the breach.
For breaches involving the records of 500 or more people
Complete this form and send it to the FTC within 10 business days of discovering the breach.
For breaches involving the records of fewer than 500 people
Complete this form and send it to the FTC by the 60th day of the calendar year following the breach. For
example, if you discover a breach involving fewer than 500 people on June 30, 2009, send this form to the FTC
no later than 60 days into the calendar year of 2010. If you experience two breaches like this in one calendar
year – one on June 30th and another on November 1st – complete a separate form for each breach, staple them
together, and send them to the FTC no later than 60 days into the calendar year of 2010.

Questions? Call the FTC at (202) 326-2252 or send a letter to the address above.
Paperwork Reduction Act Statement: Under the Paperwork Reduction Act, as amended, an agency may not conduct or sponsor, and
a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.