FTC Health Breach Notification Rule: Requirements, Timelines, and Compliance Guide



Kevin Henry

Data Breaches

April 29, 2024

6 minute read

Applicability to Personal Health Record Vendors

The FTC Health Breach Notification Rule (HBNR) applies to organizations not covered by HIPAA that offer or maintain a personal health record (PHR). A PHR is an electronic record of identifiable health information with the technical capacity to draw data from multiple sources and managed by or primarily for the individual. Vendors of PHRs, PHR related entities, and certain third-party service providers fall within scope. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

PHR related entities include companies that offer products or services through a PHR vendor’s online services or that access or send unsecured PHR identifiable health information to a PHR. Third-party service providers that use, maintain, disclose, or dispose of such information for PHR vendors or related entities are also covered. ([ftc.gov](https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule?utm_source=openai))

What counts as a “breach of security”

A breach is the unauthorized acquisition of unsecured PHR identifiable health information in a PHR. It includes both data security incidents and unauthorized disclosures (for example, sharing covered data with advertising platforms without valid authorization), not just hacking. ([ftc.gov](https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule?utm_source=openai))

Breach Notification Requirements and Timelines

Notify affected individuals

You must notify each affected U.S. person without unreasonable delay and no later than 60 calendar days after discovering the breach. The clock starts when someone in your organization knows, or reasonably should have known, of the incident. This forms the core breach notification timeline under the rule. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

How to deliver notices

Notice may be by first-class mail or email. If you notify by email, you must also use at least one additional electronic channel (such as text message, in‑app message, or a clear banner on your site or app). Notices must be clear, conspicuous, and reasonably understandable. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

Substitute notice

If you cannot reach 10 or more affected people due to insufficient or outdated contact information, provide substitute notice via a 90‑day conspicuous website posting or a notice in major print or broadcast media where those people likely live, and include a toll‑free number active for at least 90 days. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

Third-party service providers

Service providers to PHR vendors or related entities must notify the designated client official (or a senior official) without unreasonable delay and within 60 calendar days of discovery, identify each affected person, and obtain acknowledgment of receipt. The client then must handle individual, FTC, and media notifications. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

FTC Notification Procedures

When to notify the FTC

Use the FTC’s online Notice of Breach of Health Information. For breaches involving 500 or more people, notify the FTC at the same time as individual notices—without unreasonable delay and no later than 60 days after discovery. For fewer than 500 people, submit your breach log to the FTC within 60 days after the end of the calendar year. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

Practical steps

  • Assemble key facts early (discovery date, affected headcount, jurisdictions, data types, and remedial measures) to align your FTC filing with consumer notices.
  • Designate internal owners for the breach log submission and set reminders tied to the calendar year-end.
  • Retain records of notices sent, delivery methods used, and any substitute notice.

Media Notification Obligations

If a breach affects 500 or more residents of a particular state, the District of Columbia, or a U.S. territory or possession, you must notify prominent local media without unreasonable delay and no later than 60 days after discovery. Media notification is in addition to, not a substitute for, individual notices—these are separate media notification requirements. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))
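The individual, FTC, and media timelines above can be turned into a deadline planner for the incident response team. This is an added example, not code from the original article or from the FTC; the jurisdiction codes and headcounts are constructed, and it assumes the annual breach log is due 60 days after 31 December of the year of discovery.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and timelines as described in the article (HBNR).
INDIVIDUAL_DEADLINE_DAYS = 60   # notify individuals within 60 calendar days of discovery
FTC_IMMEDIATE_THRESHOLD = 500   # 500+ people: FTC notice at the same time as individual notices
MEDIA_PER_JURISDICTION = 500    # 500+ residents of one state/territory: notify prominent local media
SUBSTITUTE_NOTICE_MIN = 10      # 10+ unreachable people: substitute notice (90-day posting, toll-free number)
ANNUAL_LOG_GRACE_DAYS = 60      # fewer than 500 people: breach log due 60 days after calendar year end


@dataclass
class BreachFacts:
    discovery: date                      # when the org knew or reasonably should have known
    affected_by_jurisdiction: dict       # constructed input, e.g. {"CA": 620, "NY": 40}
    unreachable: int = 0                 # people with insufficient or outdated contact info


@dataclass
class NotificationPlan:
    total_affected: int
    individual_deadline: date
    ftc_deadline: date
    ftc_concurrent: bool                 # True: file with consumer notices; False: annual log
    media_jurisdictions: list            # jurisdictions that trigger media notification
    substitute_notice: bool


def plan_notifications(facts: BreachFacts) -> NotificationPlan:
    """Derive every HBNR notification deadline from the discovery date and headcounts."""
    total = sum(facts.affected_by_jurisdiction.values())
    individual_deadline = facts.discovery + timedelta(days=INDIVIDUAL_DEADLINE_DAYS)
    if total >= FTC_IMMEDIATE_THRESHOLD:
        ftc_deadline, concurrent = individual_deadline, True
    else:
        # Assumption: "60 days after the end of the calendar year" counted from 31 Dec.
        year_end = date(facts.discovery.year, 12, 31)
        ftc_deadline, concurrent = year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS), False
    media = sorted(j for j, n in facts.affected_by_jurisdiction.items()
                   if n >= MEDIA_PER_JURISDICTION)
    return NotificationPlan(total, individual_deadline, ftc_deadline, concurrent,
                            media, facts.unreachable >= SUBSTITUTE_NOTICE_MIN)


if __name__ == "__main__":
    # Constructed scenario: large breach concentrated in one state.
    print(plan_notifications(BreachFacts(date(2024, 3, 1), {"CA": 620, "NY": 40}, unreachable=12)))
```

The planner only schedules the obligations; the notice content itself still has to meet the content requirements listed later in the article.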

Content Requirements for Notifications

What your notice must include

  • A concise description of what happened, including the breach date (if known) and discovery date.
  • The full name or identity (or a description, if disclosure would create risk) of any third parties that acquired unsecured PHR identifiable health information due to the breach.
  • The types of information involved (for example, diagnoses, medications, lab results, insurance data, Social Security numbers, account data, dates of birth, or health‑app usage).
  • Steps individuals should take to protect themselves, tailored to the data involved.
  • What you are doing to investigate, mitigate harm, and prevent recurrence (for example, security improvements or credit monitoring).
  • How people can contact you—provide at least two methods such as a toll‑free number, email address, website, in‑app channel, or postal address.

Notices must be clear, conspicuous, and reasonably understandable; when using email, pair it with another electronic channel as noted above. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

Annual Reporting for Small Breaches

For incidents affecting fewer than 500 people, maintain a running breach log and complete the FTC breach log submission within 60 days after the calendar year ends. Treat this annual report as a compliance obligation on par with your incident response plan, and ensure accuracy and consistency with any individual notices sent during the year. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

Penalties and Enforcement Actions

Failure to comply with the HBNR can lead to FTC civil penalties, injunctive relief, and ongoing compliance obligations. The maximum civil penalty for certain FTC Act violations is adjusted annually for inflation and is $53,088 per violation as of January 17, 2025. ([ftc.gov](https://www.ftc.gov/news-events/news/press-releases/2025/02/ftc-publishes-inflation-adjusted-civil-penalty-amounts-2025?utm_source=openai))

Recent enforcement illustrates the stakes: GoodRx agreed to a $1.5 million civil penalty and injunctive terms for failing to notify consumers of unauthorized disclosures; Easy Healthcare (Premom) agreed to a $100,000 civil penalty and restrictions on data sharing. These cases underscore that unauthorized disclosures can constitute a reportable breach. ([ftc.gov](https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising?utm_source=openai))

Conclusion

The HBNR sets clear, time‑bound duties: notify individuals and, when applicable, the FTC and media; include specific content; and submit an annual breach log for small incidents. Build processes now—classification of PHR data, incident response, notice drafting, and recordkeeping—to meet these compliance obligations confidently and on time.

FAQs

What entities are subject to the FTC Health Breach Notification Rule?

Vendors of personal health records, PHR related entities, and third‑party service providers that handle unsecured PHR identifiable health information—so long as they are not covered by HIPAA—are subject to the rule. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

How soon must affected individuals be notified after a breach?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

When must the FTC be notified of a health breach?

For breaches involving 500 or more people, notify the FTC at the same time you send individual notices and within 60 days of discovery. For fewer than 500 people, submit your annual breach log to the FTC within 60 days after the end of the calendar year. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0))

What are the consequences of non-compliance with the rule?

Non‑compliance can result in FTC civil penalties, injunctions, and long‑term compliance obligations, as reflected in actions like GoodRx and Premom. Penalty maximums are inflation‑adjusted; as of January 17, 2025, it is $53,088 per violation. ([ftc.gov](https://www.ftc.gov/news-events/news/press-releases/2025/02/ftc-publishes-inflation-adjusted-civil-penalty-amounts-2025?utm_source=openai))
