Requirements / 07f440d00f1fded3

This is a normalized obligation summary extracted deterministically from regulatory text. The structured fields below are parsed from the source—not AI-generated summaries.

Mandatory FINAL

Obligation Structure

Actor: entity
Modality: Mandatory
Duty: records or PHR related entity shall provide notice to pro provide notice to
Conditions: if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is

Source Text

As described in § 318.3(a)(3), a vendor of personal health records or PHR related entity shall provide notice to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.

Source Document: 2024-10855

Agency: Federal Trade Commission

CFR Parts: 16 CFR 318

Requirement Type: other

Lifecycle History

2/12/2026 ADDED — → FINAL 2024-10855

Subscribe to Updates

RSS Feed for this Obligation

Get notified when this obligation is modified in proposed, final, or codified rules.

Stable ID: 07f440d00f1fded3