(a) In general. Except as provided in paragraph (d) of this section (exception for law enforcement), all notifications required under § 318.3(a)(1) (required notice to individuals), (a)(3) (required notice to media), and (b) (required notice by third party service providers), shall be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.
(b) Timing of notice to FTC. All notifications required under § 318.5(c) (regarding notice to FTC) involving the unsecured PHR identifiable health information of 500 or more individuals shall be provided contemporaneously with the notice required by paragraph (a) of this section. All logged notifications required under § 318.5(c) (regarding notice to FTC) involving the unsecured PHR identifiable health information of fewer than 500 individuals may be sent annually to the Federal Trade Commission no later than 60 calendar days following the end of the calendar year.
(c) Burden of proof. The vendor of personal health records, PHR related entity, and third party service provider involved shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay.
(d) Law enforcement exception. If a law enforcement official determines that a notification, notice, or posting required under this part would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed. This paragraph (d) shall be implemented in the same manner as provided under 45 CFR 164.528(a)(2), in the case of a disclosure covered under § 164.528(a)(2).
source: 74 FR 42980, Aug. 25, 2009, as amended at 89 FR 47054, May 30, 2024, unless otherwise noted.
cite as: 16 CFR 318.4