Checklist: How to Prepare for the FTC Health Breach Notification Rule

Kevin Henry

Data Breaches

April 29, 2024

7 minutes read

Understand Rule Applicability

You should first determine whether your organization falls under the FTC Health Breach Notification Rule. The Rule generally covers vendors of personal health records, PHR-related entities that interact with those records, and third-party service providers supporting them—especially direct-to-consumer health apps and connected devices that are not regulated by HIPAA.

A personal health record is typically an electronic record of health information that a consumer can manage and that can draw data from multiple sources. If you collect, use, or share such information, treat it as in-scope. Also assess the role of contractors and analytics partners; their actions can trigger vendor compliance requirements under the Rule.

Focus on “unsecured health information,” which means data not adequately protected (for example, unencrypted or improperly destroyed). A “breach” includes unauthorized acquisition or disclosure of such information, which can include improper sharing for advertising or analytics without valid authorization.

Develop Breach Response Plan

Document clear, step-by-step data breach response procedures so you can move quickly from detection to notification. Name decision owners, legal and communications leads, and an executive sponsor who can approve consumer notification mandates and filings that meet FTC reporting obligations.

Core components

  • Detection and triage: establish severity levels, automatic alerts, and 24/7 escalation paths.
  • Containment and forensics: isolate affected systems, preserve logs, and retain an independent investigator under counsel.
  • Assessment: determine whether unsecured health information was involved, identify affected individuals, and map data flows across vendors.
  • Timelines: set internal clocks that align to breach notification timelines so drafts, approvals, and translations are ready before deadlines.
  • Communication kits: maintain pre-approved consumer notice templates, FAQs, and scripts for support channels.
  • Regulatory workflow: prepare an internal checklist for FTC submissions and, where applicable, media notifications.
  • Post-incident improvements: log root causes, implement remedial actions, and update training and controls.

Implement Data Security Measures

Reducing breach risk starts with a disciplined security baseline. Your goal is to keep personal health records protected end to end and to minimize the footprint of sensitive data you hold.

Technical safeguards

  • Encryption: protect data in transit and at rest with modern cryptography and sound key management to avoid “unsecured health information.”
  • Identity and access: enforce least privilege, strong authentication (MFA), session timeouts, and role-based access controls across admin and support tools.
  • Application security: adopt secure SDLC, code reviews, SAST/DAST, secret scanning, SBOMs, and prompt patching of libraries and devices.
  • Network protections: segment environments, use zero-trust principles, harden APIs, and limit egress to approved destinations.
  • Logging and detection: centralize logs, monitor anomalies, and retain evidence needed for investigations and reporting.
  • Data lifecycle: minimize collection, apply retention limits, use tokenization or pseudonymization where feasible, and validate deletion workflows.

Organizational safeguards

  • Vendor compliance requirements: incorporate security and breach-notice obligations into contracts with third-party service providers and verify them with audits.
  • Privacy governance: maintain data inventories, records of processing, and DPIAs for high-risk features.
  • Resilience: test backups, practice restoration, and ensure business continuity plans support timely notifications.

Establish Notification Protocols

Translate legal requirements into precise playbooks so your team can execute without hesitation. Build workflows that trigger consumer notification mandates, vendor communications, and FTC reporting obligations when a breach is confirmed.

Who to notify and when

  • Consumers: notify affected individuals without unreasonable delay, following established breach notification timelines, and use plain language they can act on.
  • FTC: prepare your breach report for electronic submission and ensure leadership signs off promptly.
  • Media: if large numbers of people in a state or jurisdiction are affected, be ready to notify prominent media outlets as required.
  • Vendors and service providers: require third-party service providers to alert you quickly and share incident artifacts you need for accurate counts and notices.

What to include

  • What happened, when it occurred, and how it was discovered.
  • What unsecured health information or data elements were involved.
  • How many people were affected and in which jurisdictions.
  • Steps you are taking to mitigate harm and prevent recurrence.
  • Specific actions individuals can take and multiple ways to contact you.

Train Personnel on Compliance

Everyone who touches health data should understand the Rule and their role in protecting consumers. Training reduces mistakes that lead to incidents and accelerates response when issues arise.

  • Role-based curricula for engineering, product, marketing, customer support, and incident responders.
  • Tabletop exercises that rehearse data breach response procedures, decision points, and approvals under real timelines.
  • Playbooks for risky scenarios, such as analytics integrations, advertising, or data sharing with partners.
  • New-hire onboarding, annual refreshers, and spot training after policy or product changes.

Monitor and Audit Security Controls

Continuous oversight ensures your program works as designed and adapts to new threats. Use metrics to prove effectiveness and to prioritize improvements before a breach occurs.

  • Control monitoring: validate encryption, access reviews, patch SLAs, and API security posture.
  • Testing: run vulnerability scans, pen tests, red-team exercises, and fix findings promptly.
  • Audit trails: maintain reliable logs and evidence to support investigations and regulatory reports.
  • Third-party risk: perform due diligence, review attestations, and track remediation for vendors handling personal health records.
  • Program health: report KPIs such as mean time to detect, mean time to contain, coverage of critical controls, and training completion rates.

Conclusion

By clarifying applicability, rehearsing a practical response plan, hardening systems, and formalizing notifications, you can meet FTC reporting obligations confidently and protect consumers. Treat breach notification timelines as design constraints, and build vendor compliance requirements into contracts up front so you can execute accurately when time is short.

FAQs

What entities are subject to the FTC Health Breach Notification Rule?

The Rule generally applies to vendors of personal health records, PHR-related entities that furnish products or services through a PHR, and third-party service providers to those entities. It most often covers direct-to-consumer health apps and connected devices that collect, use, or share health information outside HIPAA. If you operate or support a consumer-accessible record that aggregates health data from multiple sources, you should assume the Rule may apply.

How soon must breaches be reported to the FTC?

Report as soon as possible after discovery. For breaches affecting 500 or more individuals, notify the FTC promptly—no later than 10 business days after discovery. For breaches affecting fewer than 500 individuals, maintain a breach log and submit it to the FTC within 60 days after the end of the calendar year. Separately, notify affected consumers without unreasonable delay and no later than 60 calendar days after discovery.
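As an added example that is not part of the article, the following Python deadline calculator turns the timelines in this answer (and the "internal clocks" advice in the response plan above) into concrete dates. It assumes a business day is any weekday not in a caller-supplied holiday list, and the five-day internal buffer is a constructed planning margin, not a figure from the article.

```python
from datetime import date, timedelta

# Added example, not from the article. Thresholds and windows are the ones the
# article states; "business day" is assumed to mean Monday-Friday excluding any
# holidays the caller supplies, since the article does not define the term.
FTC_LARGE_BREACH_THRESHOLD = 500
FTC_LARGE_BREACH_BUSINESS_DAYS = 10
FTC_SMALL_BREACH_DAYS_AFTER_YEAR_END = 60
CONSUMER_NOTICE_MAX_CALENDAR_DAYS = 60


def add_business_days(start: date, n: int, holidays: frozenset = frozenset()) -> date:
    """Date n business days after start, skipping weekends and listed holidays."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            n -= 1
    return current


def notification_deadlines(discovered_iso: str, affected: int,
                           holidays_iso=(), internal_buffer_days: int = 5) -> dict:
    """Latest notice dates (ISO strings) implied by the article's timelines."""
    # internal_buffer_days is an assumed planning margin: the internal clock the
    # article recommends so drafts and approvals are done before the legal date.
    discovered = date.fromisoformat(discovered_iso)
    holidays = frozenset(date.fromisoformat(h) for h in holidays_iso)
    if affected >= FTC_LARGE_BREACH_THRESHOLD:
        ftc = add_business_days(discovered, FTC_LARGE_BREACH_BUSINESS_DAYS, holidays)
        basis = "10 business days after discovery"
    else:
        year_end = date(discovered.year, 12, 31)
        ftc = year_end + timedelta(days=FTC_SMALL_BREACH_DAYS_AFTER_YEAR_END)
        basis = "breach log within 60 days after end of calendar year"
    consumers = discovered + timedelta(days=CONSUMER_NOTICE_MAX_CALENDAR_DAYS)
    buffer = timedelta(days=internal_buffer_days)
    return {
        "ftc_deadline": ftc.isoformat(),
        "ftc_basis": basis,
        "ftc_internal_target": (ftc - buffer).isoformat(),
        "consumer_deadline": consumers.isoformat(),
        "consumer_internal_target": (consumers - buffer).isoformat(),
    }


if __name__ == "__main__":
    # Constructed scenario: Monday 2024-04-29 discovery, 1,200 affected, one holiday.
    for key, value in notification_deadlines("2024-04-29", 1200, ["2024-05-06"]).items():
        print(f"{key}: {value}")
```

Feed it the real discovery date, headcount and your organization's holiday calendar; the internal targets are what your drafting and approval workflow should be measured against.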

What information must be included in breach notifications?

Consumer notices should plainly explain what happened, the date or date range, the types of unsecured health information involved, the number of affected individuals if known, what you are doing to mitigate harm, specific protective steps consumers can take, and how to contact your organization. Reports to the FTC should include your organization’s details, incident description and timing, data elements involved, number of affected individuals by state or jurisdiction, whether media notice is required, and whether any third-party service providers were implicated.

Prioritize encryption in transit and at rest, strong authentication and least-privilege access, secure SDLC and rapid patching, API and network segmentation, continuous logging and monitoring, and rigorous data minimization and retention limits. Complement technical controls with vendor compliance requirements, privacy governance, tabletop exercises, and ongoing employee training to reduce the likelihood and impact of incidents.
