Best Practices to Reduce Risk Under the FTC Health Breach Notification Rule
Scope of the Health Breach Notification Rule
The FTC Health Breach Notification Rule applies primarily to Personal Health Records Vendors, PHR-related entities, and their third-party service providers that handle consumer health data outside of HIPAA. If you operate a health app, wearable, fitness tracker, or online service that stores or processes consumer health information, the rule likely applies to you.
A personal health record (PHR) is an electronic record of health information that is managed or shared by or for an individual. PHR identifiable health information can include data you collect directly from users, device sensors, or integrated platforms, as well as inferences about health conditions or behaviors.
The rule focuses on protecting unsecured PHR identifiable health information. If information is not rendered unusable to unauthorized parties (for example, through robust encryption and safeguarded keys), it is considered “unsecured,” and the notification obligations can apply when incidents occur.
Definition of Breach of Security
A breach of security is the unauthorized acquisition of unsecured PHR identifiable health information in a PHR. “Unauthorized” includes outside attacks, insider misuse, accidental disclosures, and sharing with analytics or advertising partners without the individual’s authorization.
Information is “unsecured” if it is not protected in a way that makes it unreadable or indecipherable to unauthorized persons. Strong encryption, appropriate key management, and secure destruction reduce risk, but access or disclosure before protection is applied can still constitute a breach.
Common breach scenarios include credential stuffing, lost or stolen devices, misdirected emails or exports, insecure SDKs or pixels that transmit health data, and configuration mistakes in cloud storage. Third-party service providers must alert the vendor when they discover an incident affecting the vendor's data.
Notification Requirements and Timing
When a breach of security occurs, you must notify affected individuals and the FTC; if more than 500 residents of a state or jurisdiction are affected, you must also notify prominent media serving that area. Ensuring Notification Timeline Compliance requires disciplined investigation and documentation from day one.
Key timing rules include: provide individual notices without unreasonable delay and no later than 60 calendar days after discovery; for incidents affecting 500 or more individuals, notify the FTC as soon as possible and no later than 10 business days after discovery; for breaches affecting fewer than 500 individuals, maintain a breach log and submit an annual summary to the FTC within 60 days after the end of the calendar year. Third-party service providers should notify the vendor without unreasonable delay so the vendor can meet these deadlines.
- Day 0–1: Confirm breach, secure systems, preserve logs, engage counsel and forensics.
- Day 1–10: If 500+ affected, file the FTC notice; begin drafting individual notifications.
- By Day 60: Complete individual notifications and, where applicable, media notices.
- Annually: For <500 incidents, include the event in your year-end FTC submission within 60 days after December 31.
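As an added example (not part of the original article), the following Python helper turns the timing rules above into concrete runbook dates from a discovery date and headcount. It assumes discovery is day 0, that business days are Monday through Friday with no holiday calendar applied, and that the media threshold is counted per jurisdiction as the article states.

```python
from datetime import date, timedelta


def add_business_days(start: date, n: int) -> date:
    """Return the date n business days after start (start itself is day 0).

    Assumption, not from the rule text: business days are Mon-Fri and no
    holiday calendar is applied; plug one in if counsel requires it.
    """
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # weekday() 0-4 are Mon-Fri
            n -= 1
    return d


def notification_deadlines(discovered_iso: str, affected: int,
                           residents_by_jurisdiction: dict[str, int]) -> dict:
    """Map a discovery date (ISO string) and headcounts to the rule's deadlines.

    Individuals: no later than 60 calendar days after discovery.
    FTC: 500 or more affected -> 10 business days; otherwise the event goes in
    the annual log due 60 days after December 31 of the discovery year.
    Media: every jurisdiction with more than 500 affected residents, on the
    same timeline as the individual notices. Dates are returned as ISO strings
    so they can be dropped straight into a runbook or evidence record.
    """
    discovered = date.fromisoformat(discovered_iso)
    individual_by = discovered + timedelta(days=60)
    deadlines = {"individual_notice_by": individual_by.isoformat()}
    if affected >= 500:
        deadlines["ftc_notice_by"] = add_business_days(discovered, 10).isoformat()
    else:
        year_end = date(discovered.year, 12, 31)
        deadlines["ftc_annual_log_by"] = (year_end + timedelta(days=60)).isoformat()
    media = sorted(j for j, n in residents_by_jurisdiction.items() if n > 500)
    if media:
        deadlines["media_notice_jurisdictions"] = media
        deadlines["media_notice_by"] = individual_by.isoformat()
    return deadlines


if __name__ == "__main__":
    # Constructed sample incident: discovered Friday 2024-03-01, 1,200 affected.
    for key, value in notification_deadlines("2024-03-01", 1200,
                                             {"CA": 800, "NY": 300}).items():
        print(f"{key}: {value}")
```

The small-incident branch records the annual-log deadline instead of an FTC notice date, so the same function covers both paths of the timeline above.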
Content Requirements for Notifications
Notices to individuals should be clear, concise, and actionable. At minimum, explain what happened (including dates), the types of PHR identifiable health information involved, how the breach may affect the individual, steps you recommend (for example, password changes or fraud alerts), what you are doing to mitigate harm and prevent recurrences, and how to reach your incident response team.
Notices to the FTC and any required media should summarize the incident, the number of affected individuals, the jurisdictions involved, the categories of information, whether any third parties acquired the data, and the remedial steps taken. Keep copies of the consumer notice you send and align the facts across all channels.
Write in plain language, avoid technical jargon, and provide accessibility features and translations where appropriate. Consistent content improves comprehension and reduces inbound confusion during a stressful event.
Use of Electronic Notifications
The rule allows electronic delivery when notices are reasonably calculated to reach the individual. Effective Electronic Messaging Notification can include email, SMS, push notifications, and in-app messaging, provided the message is clear, conspicuous, and not bundled with marketing. Use an unambiguous subject line like “Breach Notice” and link directly to help resources.
Use multiple channels when you are unsure which contact method is current, and fall back to first-class mail if electronic delivery fails or is unavailable. Maintain delivery logs and bounces, verify sending domains, and test templates in advance to prevent formatting or deliverability issues during a live incident.
Honor user communication preferences, present the full notice without forcing account logins, and ensure that URLs or phone numbers in the notice route to trained staff who can answer breach-specific questions.
Enforcement and Penalties
Violations of the Health Breach Notification Rule are enforceable by the FTC. The agency can seek FTC Civil Penalties for rule violations, as well as injunctive relief, mandated privacy and security programs, assessments by independent experts, and consumer redress where appropriate.
Aggravating factors include delayed or incomplete notification, misleading statements, poor documentation, and the absence of a tested Incident Response Plan. Repeated or reckless practices, or deceptive representations about privacy or security, increase enforcement risk and potential remedies.
Align your program with state breach laws and broader FTC Act obligations. A coordinated approach reduces conflicts between timelines and avoids contradictory public statements during a crisis.
Best Practices for Compliance
Create a robust Incident Response Plan
Define roles, decision rights, and 24/7 contact paths for legal, security, engineering, and communications. Establish internal SLAs for triage, forensics, containment, consumer notification drafting, and board updates. Run tabletop exercises focused on health-data scenarios.
Inventory PHR data and systems
Maintain a current data map that distinguishes PHR data from other consumer data and flags Unsecured PHR Identifiable Health Information. Document where data resides, who has access, what third parties receive it, and which controls protect it.
Strengthen technical safeguards
Apply least privilege, strong authentication, encryption in transit and at rest with protected keys, secure software development practices, and data loss prevention. Segment production systems, rotate secrets, and monitor for anomalous exports or SDK behavior that could leak health data.
Implement Third-Party Data Security Monitoring
Screen vendors, SDKs, and pixels for data flows involving health information. Use contracts that restrict use, require prompt breach reporting, and allow audits. Continuously monitor third-party integrations and revoke access quickly if risk changes.
Prove Notification Timeline Compliance
Pre-build decision trees and notification templates, including media Q&A. Track discovery time stamps, investigative milestones, and sign-offs. Use a runbook that maps Day 0, Day 10, and Day 60 deliverables and captures evidence for regulators.
Prepare for Electronic Messaging Notification
Warm email domains, secure an SMS short code, and deploy in-app messaging that can reach active users quickly. Localize content, ensure accessibility, and log delivery outcomes so you can demonstrate reach and remediate undeliverable notices.
Train and test continuously
Provide role-based training for engineers, marketers, and support agents on health-data handling. Conduct recurring tabletop exercises and red-team simulations that include third-party failures and cross-jurisdiction incidents.
Conclusion
By clarifying scope, tightening security controls, monitoring third parties, and rehearsing your response, you reduce the likelihood and impact of breaches and meet the rule’s timing and content requirements. Treat notification readiness as an always-on capability, not a one-time project.
FAQs
What constitutes a breach under the FTC Health Breach Notification Rule?
A breach is the unauthorized acquisition of unsecured PHR identifiable health information in a personal health record. It can result from hacking, insider misuse, accidental disclosure, or sharing data with third parties without the individual’s authorization.
When must notifications be sent after a breach is discovered?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If 500 or more individuals are affected, you must notify the FTC as soon as possible and no later than 10 business days after discovery; smaller incidents are logged and reported annually within 60 days after year-end.
What information must be included in breach notifications?
Explain what happened and when, what types of information were involved, potential impacts, steps individuals should take, what your organization is doing to mitigate harm and prevent recurrences, and how to contact you. Align facts across consumer, FTC, and any media notices.
What are the penalties for non-compliance with the rule?
The FTC can seek civil penalties, injunctions, and long-term compliance obligations, and may require independent assessments and consumer redress in appropriate cases. Delays, incomplete notices, or deceptive statements can increase enforcement risk and penalty exposure.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.