
FTC Health Breach Notification Rule Policy

Simple Advocate LLC · Effective Date: January 1, 2026 · Last Updated: January 12, 2026

1. Purpose of This Policy

This policy establishes Simple Advocate LLC's responsibilities under the Federal Trade Commission (FTC) Health Breach Notification Rule (16 CFR Part 318) ("HBNR").

Because Simple Advocate operates as a vendor of Personal Health Records (PHRs) and is not a HIPAA covered entity or business associate, we are required to notify affected users, the FTC, and in some cases prominent media outlets if there is a breach of unsecured PHR identifiable health information.

This policy guides:

  • What qualifies as a breach
  • How we investigate potential breaches
  • Who must be notified
  • Notification timelines
  • Documentation and reporting procedures

This policy is published for transparency and reflects Simple Advocate's internal breach response procedures. It is intended to explain how we comply with federal notification requirements and does not require any action by users unless they are directly notified of an incident.

2. Scope

This policy applies to:

  • All Simple Advocate staff, contractors, vendors, and service providers
  • All systems, databases, files, and backups containing user-uploaded health or personal information
  • Any incident involving unauthorized acquisition of, access to, or disclosure of health information

It applies even where HIPAA does not: the HBNR covers PHR vendors and related entities that fall outside HIPAA, which places them under FTC jurisdiction.

3. Definitions

  • Personal Health Record (PHR): An electronic record of identifiable health information that is controlled, managed, or shared by the individual.
  • PHR Related Entity: A company that offers products or services through a PHR vendor's website or app, or that accesses information in a PHR or sends information to a PHR.
  • Third Party Service Provider: A company that provides services to Simple Advocate in connection with the PHR and, in doing so, holds, uses, or discloses user health information (e.g., cloud hosting, analytics).
  • Unsecured Health Information: PHR identifiable health information that is not protected by encryption or destruction as specified in HHS guidance, or whose encryption has been defeated (for example, because the decryption key was also exposed).
  • Breach: The unauthorized acquisition of PHR identifiable health information, including unauthorized disclosure of that information. Unauthorized access is presumed to be unauthorized acquisition unless reliable evidence shows that the information was not, and could not reasonably have been, acquired. A breach can result from error, theft, cyberattack, or policy violation.
  • Discovery Date: The first day on which the breach is known, or reasonably should have been known, to Simple Advocate, including through any employee, officer, or agent.

4. Events That Trigger the HBNR

Simple Advocate must follow this policy if any of the following occur:

  • A hacker gains access to user documents
  • An employee accesses user files without authorization
  • A vendor improperly accesses or shares information
  • A technical error exposes user data
  • Data is emailed, shared, or transmitted to an unauthorized recipient
  • Lost or stolen devices contain unencrypted data
  • Ransomware or malware compromises user-uploaded files
  • A misconfiguration allows public access to stored documents

If there is any doubt, the event is treated as a breach until reliable evidence shows that the information was not, and could not reasonably have been, acquired by an unauthorized party.

5. Incident Response Process

Upon discovery or suspicion of a breach, Simple Advocate will immediately:

Step 1: Contain the Incident

  • Disable affected user accounts, system access, or features
  • Block unauthorized access
  • Secure compromised servers or databases
  • Lock down affected vendor connections

Step 2: Launch an Investigation

Determine:

  • What information was accessed
  • Whether the data was encrypted
  • Who had access
  • For how long
  • Whether the data was copied, viewed, or used

Step 3: Document Findings

All details will be recorded in the Incident & Breach Log, including:

  • Date discovered
  • Nature of the breach
  • Systems affected
  • Individuals affected
  • Investigation results
  • Corrective actions taken

Step 4: Determine Notification Requirements

HBNR notification is required whenever unsecured health information was acquired or disclosed without authorization. Because unauthorized access is presumed to be acquisition, notification is also required for any unauthorized access unless the investigation produces reliable evidence that the information was not, and could not reasonably have been, acquired.

6. Notification Requirements Under HBNR

6.1 Notification to Individuals

Simple Advocate must notify each affected individual without unreasonable delay and no later than 60 calendar days after the discovery date.

Notifications will include:

  • A brief description of the breach
  • The types of information involved
  • The date or estimated date of the breach
  • How the breach was discovered
  • Steps Simple Advocate is taking to prevent future incidents
  • Steps users can take to protect themselves
  • A toll-free number or email for questions

Notifications may be delivered via email (primary method), in-app notice, or postal mail (if required).

6.2 Notification to the Federal Trade Commission

Every breach must be reported to the FTC, regardless of the number of users affected. The timing depends on the breach size:

  • Without unreasonable delay, and no later than 60 calendar days after discovery, if the breach affects 500 or more users
  • Annually, in a log submitted within 60 calendar days after the end of the calendar year in which the breach was discovered, if the breach affects fewer than 500 users

Notification is submitted through the FTC's online breach reporting portal.

6.3 Media Notification (when required)

If a breach involves the unsecured health information of more than 500 residents of a single state or jurisdiction, Simple Advocate must, in addition to the individual and FTC notifications above:

  • Notify prominent media outlets serving that state or jurisdiction

Media notification must also occur without unreasonable delay and no later than 60 calendar days after discovery.

7. Vendor Responsibilities

Vendors that store or process user data on behalf of Simple Advocate must:

  • Maintain strong privacy and security practices
  • Notify Simple Advocate within 5 business days of discovering a breach
  • Cooperate with investigations
  • Sign appropriate BAAs or Data Protection Agreements
  • Support user notification processes as needed

Failure to comply may result in termination of the vendor relationship.

8. Risk Assessment

For any suspected incident, Simple Advocate conducts a risk assessment to determine:

  • Whether data was actually viewed or acquired
  • The likelihood of misuse
  • The identity of unauthorized parties
  • Whether encryption or safeguards were compromised
  • Whether the incident poses a risk of harm

Formal notification is triggered unless the risk assessment produces reliable evidence that the information was not, and could not reasonably have been, acquired by an unauthorized party. The assessment is documented in the Incident & Breach Log whether or not notification follows.

9. Documentation & Recordkeeping

Simple Advocate will maintain documentation for 6 years, including:

  • Incident investigation notes
  • Risk assessments
  • Notifications sent
  • Vendor communications
  • Breach log entries

10. Safeguards to Prevent Breaches

Simple Advocate implements:

  • Encryption of data at rest and in transit
  • Multi-factor authentication
  • Access controls and role-based permissions
  • Regular vulnerability scans
  • Vendor security audits
  • Device and network security requirements
  • Continuous monitoring and logging

Security controls are reviewed and updated regularly.

11. Policy Training

All workforce members receive training on:

  • Identifying suspicious activity
  • Reporting potential incidents
  • Safe handling of user data
  • Security and privacy obligations

Training occurs at onboarding and annually thereafter.

12. Policy Review & Updates

This policy may be updated to reflect:

  • FTC regulatory changes
  • New security practices
  • Changes in system architecture
  • New vendor relationships
  • Expanded product features

Users will be notified of material updates.

13. Contact for Questions or Reports

If you suspect a breach or have questions about this policy: [email protected]

© Simple Advocate, 2026 · www.mysimpleadvocate.com