Who Must Comply with the FTC Health Breach Notification Rule?
The Federal Trade Commission Health Breach Notification Rule applies to businesses that handle consumer-facing personal health records in the United States and to companies that support them. If your product or service collects, stores, or transmits health information tied to an individual—and you are not already covered by HIPAA—you likely have obligations under this Rule.
Vendors of Personal Health Records
Who qualifies as a PHR vendor
A vendor of personal health records operates a product or service that maintains a personal health record (PHR): an electronic record of identifiable health information managed for an individual and capable of drawing data from multiple sources (for example, user input plus device data). Typical examples include consumer health or wellness apps, fertility and period trackers, mental health or therapy platforms, telehealth portals offered directly to consumers, connected medical devices, and direct-to-consumer testing dashboards.
PHR Vendor Obligations
- Map the PHR data you collect, where it flows, who can access it, and why—then document how you meet your obligations as a PHR vendor, including the breach notification requirements.
- Secure PHR identifiable health information with encryption and access controls; anything not properly protected may be “unsecured PHR identifiable health information” (often described as Unsecured Personally Identifiable Health Information).
- Limit sharing to what is necessary and consistent with Health Information Disclosure Rules and your privacy disclosures; avoid unauthorized disclosures to advertising or analytics partners.
- Implement an incident response plan that enables rapid breach assessment, consumer notification, and timely reporting to the FTC and, where applicable, the media.
- Flow down security and notification duties to contractors and monitor their Third-Party Service Provider Compliance.
PHR-Related Entities
Who is a PHR-related entity
PHR-related entities are businesses that offer products or services through a PHR vendor’s website, service, or app—or that send information to or access information from a personal health record. Examples include integrations that import wearable or sensor data into a PHR, platforms that enable messaging, or services that analyze or enrich health metrics for the PHR.
Core responsibilities
- Protect any PHR identifiable health information you handle and restrict uses and disclosures to what consumers authorized.
- Coordinate with the PHR vendor on incident response so breach determinations and consumer notices are consistent and complete.
- Maintain records supporting consent, data flows, and security controls to demonstrate compliance with Health Information Disclosure Rules.
Third-Party Service Providers
Who counts as a third-party service provider
Third-party service providers deliver services—such as cloud hosting, email/SMS delivery, analytics, payment processing, customer support, or data storage—that involve access to PHR identifiable health information on behalf of a PHR vendor or PHR-related entity.
Third-Party Service Provider Compliance
- Notify your customer (the PHR vendor or PHR-related entity) of any breach affecting PHR information without unreasonable delay and no later than 60 calendar days after discovery, identifying affected consumers where possible.
- Implement technical and organizational measures appropriate to the sensitivity of the data, including encryption, logging, and access governance.
- Contractually commit to security, cooperation in investigations, and timely breach reporting; support audits and continuous monitoring.
Breach Notification Requirements
What triggers the Rule
A “breach of security” generally means the unauthorized acquisition of PHR identifiable health information that is not secured—i.e., Unsecured Personally Identifiable Health Information. This includes not only hacking or theft, but also unauthorized disclosures (for example, sharing health data with advertising or analytics partners without valid consumer authorization).
Who must be notified and when
- Individuals: Notify each affected person without unreasonable delay and no later than 60 calendar days after discovery of the breach.
- Federal Trade Commission: For incidents affecting 500 or more individuals, notify the FTC as soon as possible and no later than 10 business days after discovery. For fewer than 500 individuals, maintain a breach log and submit it to the FTC within 60 days after the end of the calendar year.
- Media: If a breach affects 500 or more residents of a single state or jurisdiction, provide notice to prominent media serving that area within the same general timeline as individual notice.
- Third-party service providers: Notify the relevant PHR vendor or PHR-related entity without unreasonable delay and no later than 60 calendar days after discovery so they can fulfill downstream notices.
If the compromised information was properly encrypted or otherwise rendered unusable, unreadable, or indecipherable to unauthorized persons, notice may not be required.
Notification Procedures
Immediate response steps
- Contain and investigate: stop additional exposure, preserve logs, and determine the scope and nature of the unauthorized acquisition.
- Assess whether the data was unsecured and whether consumer authorization covered the disclosure.
- Engage legal and security teams to make a breach determination and start drafting notices that satisfy the Rule’s Breach Notification Requirements.
Content of notices
- A concise description of what happened, including the dates of the breach and its discovery.
- The types of PHR identifiable health information involved (for example, diagnoses, medications, measurements, geolocation, or inferences).
- Steps affected individuals can take to protect themselves, such as account monitoring, credential resets, or fraud alerts.
- What your organization is doing to investigate, mitigate harm, and prevent further breaches.
- Clear contact methods for questions, including a toll-free number or email address, and how to obtain additional information.
Delivery methods
- Provide individual notices in plain language via first-class mail or email if the person has agreed to electronic notice.
- Use substitute notice (for example, a website homepage posting and media notice) if contact information is insufficient for a significant number of individuals.
- Submit FTC notifications through the Commission’s designated reporting channel and retain confirmation for your records.
Documentation and recordkeeping
- Maintain investigation files, risk analyses, drafts and final notices, mailing/email logs, and evidence supporting your determinations.
- Track remediation actions (patches, training, vendor changes) to support Federal Trade Commission Enforcement reviews.
Regulatory Enforcement
How the FTC enforces the Rule
Violations of the Health Breach Notification Rule are enforceable by the Federal Trade Commission under the FTC Act. The agency may seek injunctive relief, reporting and auditing obligations, deletion of improperly collected data, limits on future data use, and significant civil penalties calculated on a per-violation (and potentially per-day) basis.
Public breach listings and scrutiny
Breaches affecting 500 or more individuals are reported to the FTC and may appear on a public list, drawing regulatory and consumer scrutiny. Late, incomplete, or misleading notices can aggravate penalties and lead to long-term compliance obligations under consent orders.
Common pitfalls
- Treating unauthorized disclosure to advertising or analytics partners as “routine sharing” rather than a reportable breach.
- Assuming HIPAA coverage instead of analyzing whether the product is a consumer PHR subject to this Rule.
- Missing or vague consumer notices that omit required content or arrive after statutory deadlines.
- Failing to ensure Third-Party Service Provider Compliance through contracts, oversight, and monitoring.
Consumer Protection Measures
Build compliance into your product
- Data minimization: collect only what you need; define and enforce retention limits.
- Security by design: strong authentication, least-privilege access, encryption in transit and at rest, and continuous logging.
- Tracking controls: disable unauthorized SDKs, pixels, or scripts that could leak PHR identifiable health information.
- Vendor governance: perform diligence, require prompt incident notice, and audit critical service providers.
- Transparent disclosures: align privacy notices, consent flows, and in-product messaging with Health Information Disclosure Rules.
- Exercises and testing: rehearse breach response so you can meet notice timelines under real pressure.
Conclusion
If you build or support a consumer-facing personal health record, the Health Breach Notification Rule likely applies. Understand whether you are a PHR vendor, a PHR-related entity, or a third-party service provider; secure Unsecured Personally Identifiable Health Information; and be ready to notify individuals, the FTC, and the media on time. Strong privacy-by-design practices and rigorous vendor management are your best defenses against breaches and enforcement risk.
FAQs
What entities are covered by the FTC Health Breach Notification Rule?
The Rule covers three groups: vendors of personal health records, PHR-related entities that access or send data to a PHR or offer services through a PHR, and third-party service providers that handle PHR identifiable health information on their behalf. It focuses on consumer-facing health technologies that are generally outside HIPAA.
When must breaches be reported under the Rule?
Provide individual notice without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting 500 or more individuals, notify the Federal Trade Commission as soon as possible and no later than 10 business days after discovery; smaller incidents are logged and reported annually. Media notice is required if 500 or more residents of a state or jurisdiction are affected.
What information must be included in breach notifications?
Explain what happened, when it happened, and when it was discovered; describe the types of information involved; advise consumers on protective steps; outline what you are doing to mitigate harm and prevent recurrence; and provide clear contact information. These elements satisfy the Rule’s Breach Notification Requirements.
How does the Rule differ from HIPAA requirements?
HIPAA’s breach rule applies to covered entities (such as providers, health plans) and their business associates handling protected health information. The FTC Health Breach Notification Rule applies mainly to non-HIPAA, direct-to-consumer tools that maintain personal health records. Some activities that might not be permitted under HIPAA—like sharing health data with ad tech—can also trigger FTC enforcement and notification duties under this Rule.