FTC Health Breach Notification Rule Explained: Triggers, Reporting Steps, Penalties
Definition of Health Information Breach
The FTC Health Breach Notification Rule (HBNR) applies to U.S. vendors of personal health records (PHRs), PHR-related entities, and their service providers that are not regulated by HIPAA. It is triggered by a breach of security involving unsecured identifiable health information in a personal health record.
What the rule covers
- Personal health records (PHRs): Consumer-facing electronic records primarily managed by or for an individual that can draw data from multiple sources.
- PHR-related entities: Companies that offer products or services through a PHR vendor’s site, app, or platform and can access PHR data.
- Service providers: Vendors handling PHR data on behalf of covered entities.
What counts as a “breach”
A breach is the acquisition of unsecured identifiable health information without the individual’s authorization. This includes external attacks, internal misuse, inadvertent disclosures, and sharing health data with advertising or analytics platforms without valid authorization.
What “unsecured” means
Information is unsecured if it is not rendered unusable, unreadable, or indecipherable through strong encryption or proper destruction. If encrypted data are compromised along with the keys, they are treated as unsecured.
When the clock starts
The timeline begins upon discovery—when you know, or reasonably should know, that an unauthorized acquisition occurred.
Notification Requirements for Consumers and FTC
Consumer notification timelines
You must notify affected consumers without unreasonable delay and no later than 60 calendar days after discovery. This consumer notification timeline applies to all breaches meeting the rule’s criteria.
How to notify consumers
Send clear, plain-language notices by first-class mail or by email if the individual has agreed to electronic notice. If contact information is insufficient, you must provide substitute notice (see Reporting Procedures and Timelines).
FTC notification thresholds
- 500 or more individuals affected: Notify the FTC as soon as possible and no later than 10 business days after discovery.
- Fewer than 500 individuals: Record the incident and submit a cumulative annual report to the FTC within 60 days after the end of the calendar year.
These breach notification thresholds are separate from consumer notices; you must notify consumers in all qualifying breaches regardless of size.
Media Notification Triggers
If a breach involves 500 or more residents of a single state or jurisdiction, you must provide notice to prominent media serving that area. Media notification requirements align with the consumer notice deadline and must occur without unreasonable delay and no later than 60 calendar days after discovery.
Media notice is in addition to, not a substitute for, individual consumer notice and required FTC reporting.
Required Content of Breach Notifications
Consumer notices
Your notice to consumers should be concise, accurate, and actionable. Include:
- A brief description of what happened, including the date of the breach and the date of discovery, if known.
- The categories of unsecured identifiable health information involved (for example, conditions, medications, test results, precise location, device identifiers).
- Steps the individual should take to protect themselves (password changes, monitoring accounts, credit/security freezes, contacting relevant providers or payers).
- What you are doing to investigate the breach, mitigate harm, and prevent future incidents.
- How to reach you for more information (toll-free number, email, postal address, or website). Ensure the notice uses plain language and is not combined with marketing content.
FTC and media notices
Regulatory and media notices generally summarize the same core elements and may include aggregate impact (such as number of affected individuals and jurisdictions). Provide enough detail for authorities and the public to understand scope, risks, and mitigation without disclosing sensitive data that could increase harm.
Penalties for Non-Compliance
Failing to comply with the FTC Health Breach Notification Rule can result in enforcement actions, court orders, and civil penalties. The FTC may seek monetary relief and injunctive provisions (such as comprehensive privacy and security programs, assessments, and ongoing reporting obligations).
Civil penalty limits for violations of FTC rules are adjusted annually for inflation. Per-violation penalties can exceed tens of thousands of dollars, and continuing violations can compound exposure. Late, incomplete, or misleading notices, or failure to maintain required records, can each constitute violations.
Recent enforcement actions underscore heightened scrutiny of undisclosed sharing of health data with third parties, especially for advertising or analytics, and reinforce that timely, complete breach notifications are mandatory.
Applicability to Health Apps and Devices
The rule squarely applies to many digital health businesses outside HIPAA, including mobile health apps, telehealth platforms, mental health and fertility trackers, nutrition and fitness services, direct-to-consumer lab and genetic offerings, and connected health devices (such as glucose monitors, wearables, and at-home diagnostics).
Key applicability principles
- Not just “clinical” data: Inferences about health (for example, pregnancy or mental health status) derived from app activity, sensors, or ad identifiers can be covered health information.
- Cross-source aggregation: If your product pulls data from multiple sources and is consumer-managed, it likely functions as a PHR.
- Third-party sharing: Disclosing health data to adtech, analytics, or other partners without proper authorization can trigger the rule.
Practical compliance actions
- Map data flows and minimize collection of identifiable health information.
- Encrypt data at rest and in transit; protect encryption keys; securely dispose of data you no longer need.
- Obtain affirmative, informed authorization for disclosures; honor withdrawals promptly.
- Contractually bind service providers to security and breach-notification duties; vet their controls.
- Test incident response plans specific to health data and connected devices.
Reporting Procedures and Timelines
Step-by-step playbook
- Contain and investigate (Day 0–3): Secure systems, preserve logs, and determine whether unsecured identifiable health information was acquired without authorization. Engage privacy, security, and legal stakeholders immediately.
- Assess scope (Day 1–10): Identify affected individuals, data categories, and jurisdictions. Decide whether media notice is required and whether FTC notification thresholds are met.
- Draft notices (Day 5–20): Prepare plain-language consumer notices and corresponding FTC/media summaries. Establish call-center and email support.
- Notify the FTC (≤10 business days if 500+): Submit breach details through the FTC’s reporting process. For fewer than 500 individuals, log the incident for year-end reporting.
- Notify consumers (≤60 calendar days): Deliver notices by mail or agreed-upon email without unreasonable delay. If contact information is insufficient for 10 or more individuals, provide substitute notice via a prominent website posting for at least 90 days or through major media where affected individuals reside, and include a toll-free number.
- Media notice (≤60 calendar days if triggered): Contact prominent state or jurisdictional outlets when 500+ residents in that area are affected.
- Recordkeeping and annual report: Maintain incident files, copies of notices, and decision memos. For breaches affecting fewer than 500 individuals, submit the annual log to the FTC within 60 days after the end of the calendar year (for example, breaches occurring in 2025 must be reported by March 1, 2026).
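The playbook above can be turned into a deadline calculator for a breach register. The following Python is an added example, not part of the original article: it applies the rule's thresholds (500 individuals for FTC notice, 500 residents of one state for media notice, 10 unreachable individuals for substitute notice) and deadlines (10 business days, 60 calendar days, 60 days after year end) to a constructed incident. Business days are assumed to be Monday through Friday; federal holidays are not excluded.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Breach:
    discovered: str                        # ISO date you knew or reasonably should have known
    affected: dict = field(default_factory=dict)  # constructed: state code -> affected residents
    encrypted: bool = False                # data rendered unusable by strong encryption
    keys_compromised: bool = False         # encrypted data plus stolen keys is "unsecured"
    unreachable: int = 0                   # individuals with insufficient contact information


def add_business_days(start: date, days: int) -> date:
    # Assumption: Mon-Fri only; a real register would also skip federal holidays.
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


def annual_report_due(year: int) -> date:
    # Sub-500 breaches: cumulative annual report within 60 days after the calendar year ends.
    return date(year, 12, 31) + timedelta(days=60)


def assess(b: Breach) -> dict:
    """Return the notification obligations and deadlines for one incident."""
    if b.encrypted and not b.keys_compromised:
        return {"secured": True}           # not "unsecured": rule not triggered
    found = date.fromisoformat(b.discovered)
    total = sum(b.affected.values())
    big = total >= 500
    return {
        "secured": False,
        "total_affected": total,
        # Consumer (and, if triggered, media) notice: no later than 60 calendar days.
        "consumer_deadline": (found + timedelta(days=60)).isoformat(),
        # FTC notice within 10 business days only when 500+ individuals are affected.
        "ftc_deadline": add_business_days(found, 10).isoformat() if big else None,
        "annual_report_due": None if big else annual_report_due(found.year).isoformat(),
        # Media notice per state/jurisdiction with 500+ affected residents.
        "media_notice_states": sorted(s for s, n in b.affected.items() if n >= 500),
        # Substitute notice (website posting for 90+ days or major media) when 10+ unreachable.
        "substitute_notice": b.unreachable >= 10,
    }
```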
Operational tips
- Create pre-approved notice templates aligned to the rule’s required content.
- Designate a breach coordinator and escalation paths; run tabletop exercises quarterly.
- Centralize a breach register to track consumer notification timelines, media notification requirements, and FTC reporting milestones.
- Continuously improve controls based on post-incident lessons learned.
Conclusion
The FTC Health Breach Notification Rule requires swift, transparent action when unsecured identifiable health information is compromised. Knowing the triggers, meeting consumer and FTC deadlines, satisfying content requirements, and documenting decisions will reduce risk and demonstrate accountability during enforcement actions.
FAQs
What triggers the FTC Health Breach Notification Rule?
The rule is triggered by the unauthorized acquisition of unsecured identifiable health information in a personal health record. That includes hacking, internal misuse, inadvertent disclosures, or sharing health data with partners (such as advertising or analytics providers) without valid authorization.
How soon must breaches be reported to the FTC?
If a breach affects 500 or more individuals, you must notify the FTC as soon as possible and no later than 10 business days after discovery. For breaches affecting fewer than 500 individuals, record them and submit a cumulative annual report within 60 days after the end of the calendar year.
What information must be included in breach notifications?
Provide a plain-language description of what happened (including breach and discovery dates, if known), the types of information involved, steps individuals should take, what your organization is doing to investigate and mitigate harm, and clear contact methods (toll-free number, email, address, or website).
What penalties exist for failing to comply with the rule?
Non-compliance can lead to FTC enforcement actions, court orders, and significant civil penalties. Per-violation civil penalty limits are adjusted annually for inflation and can be substantial, especially when violations continue over time or involve incomplete or late notifications.