Skip to main content

The Health Breach Notification Rule has been in place since 2009. Given the pace of innovation, that seems like a century in tech years. Since then, we’ve seen an explosion in the popularity of health apps, fitness trackers, and other health-related monitors. To keep up with technological developments and evolving business practices, the FTC is proposing changes to the Rule and welcomes your comments.

The Health Breach Notification Rule applies to certain businesses that aren’t covered by HIPAA – specifically, vendors of personal health records (PHR), PHR related entities, and third party service providers. When there’s been an unauthorized acquisition of a person’s unsecured, personally identifiable health information, PHR vendors and PHR related entities must (among other things) notify the FTC, consumers and, in some cases, the media. If your company is a third party service provider to a PHR vendor or a PHR related entity, you have notice requirements under the Rule, too. (Read Complying with FTC’s Health Breach Notification Rule for details.)

It’s worth noting that companies that violate the Rule may be liable for civil penalties of up to $50,120 per violation. For example, GoodRx recently paid a $1.5 million civil penalty for violating the Rule.

As part of the FTC’s periodic regulatory review process, we asked for your feedback in 2020 about how the Health Breach Notification Rule is working. Based on your comments – and major developments in the health information ecosystem – the FTC is proposing changes to the Rule. You’ll want to read the Federal Register Notice for details, but here are some of the revisions under consideration:

  • Revising some definitions to make it clear the Rule applies to health apps and similar technologies not covered by HIPAA;
  • Clarifying that a “breach of security” under the Rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Revising the definition of a “PHR related entity”;
  • Clarifying what “drawn from multiple sources” means in the definition of “personal health record”;
  • Authorizing the expanded use of email and other electronic means to provide consumers with clear and effective notice of a breach; and
  • Expanding what needs to be in the notice to consumers – for example, requiring an explanation about the potential harm stemming from the breach and the names of any third parties that might have acquired the information.

The proposed Rule changes and recent law enforcement actions reflect the high priority the FTC places on protecting the privacy of consumers’ health information and letting consumers know what’s happening with their sensitive information. Once the Notice runs in the Federal Register, you’ll have 60 days to file a public comment. Save a step and file online through

Looking for more compliance resources? Visit the FTC’s Health Privacy page.

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

May 19, 2023

Why change the rule? Why not make new rules that pertain to new things such as what you had mentioned. When our government changes rules it's never for the peoples benefit. Just add new rules and leave the existing one alone

Vicki Welch
May 19, 2023

I am appalled that I have been using good RX for several years and of all places Facebook recieved my health information? And a huge fine for you is fine but what does that do for me as the consumer? And they "asked Facebook to delete it?" That should have been court ordered and this definitely should be under hippa violation. Why would this app not be under hippa rules? This is my personal health information!

Matthew Petrozzo
May 23, 2023

In reply to by Vicki Welch

I tried to leave my comment.So I will try as a reply .We the poeple have lost so many rights .We are supposed to be free from unreasonable searches and seizures a protected right in the fourth amendment to the constitution as well as included in the preamble to that constitution in the bill of rights .It clearly states that we should have the expectation of privacy and that we are free from unreasonable searches and seizures of our personal property and it's affects.Ie.paperwork anything we deem personal property.Furthermore in that same preamble contains the ability as we the people to overcome our acting government and start a new one if we believe the government is not acting on our best behalf not only do we possess the we have the responsibility to act on our own best behalf.Since the rights we are currently losing and have lost include our individuality we will have lost all rights .Wake up America.We are a population of citizens who possess hardly any of the rights we started with.So when we gain our identity rights back we then will become individuals again possessing our given rights .

N Jacobson
May 23, 2023

In regard to "The Health Breach Notification Rule applies to certain businesses that aren’t covered by HIPAA – specifically, vendors of personal health records (PHR), PHR related entities, and third party service providers." Any agency that has personal health information and/or personal identifying information, they should ALL be subject to HIPAA. There should be not exceptions. Data breaches are becoming the norm and it is unacceptable.

Matthew Petrozzo
May 23, 2023

If our government is allowing the mass information exchange via social platforms then we have most definitely lost our right to privacy.we as the poeple have lost so many of our right that we don't even possess the right to the expectation of privacy.Furthermore our bill of rights stated in the 4th amendment that we shall be safe against unreasonable searches and seizures .It never once states that those searches or seizures had to come from polices officers .and to capture the rest of that amendment was the right to be safe with ones personal property and it's affects . basically paperwork involving our personal information or what we deem as personal.that right as well as many others are long gone.But it also states in the same preamble to our constitution that we the people possess the ability to overcome our present government if we the people feel it has not or is not acting on our best behalf .Not only the ability but the RESPONSIBILITY! Wake up america your signature doesn't even apply to individuality anymore and when we lose our ability to be individuals we lose our right their to.

Kathryn Martino
May 23, 2023

The so-called "FINES" that are levied against individuals or companies for breaches should be paid directly to the victims, and not to some government agency to grow bureaucracy and back-door deals. If there was a way to compensate any single individual victim immediately, without the need for class actions or courts, the practice of deliberate and accidental breaches and privacy violations would cease immediately.

May 23, 2023

I apologise, but, in my opinion, you are mistaken.

Dennis Anderson
May 30, 2023

What happens now ?

Who pays for this ?

Does this ever end ?

Frankie Reed
July 03, 2023

I am appalled that any, but most distressing...of all places, Facebook recieved my health information? A huge fine for you is fine but what does that do for me the consumer? And you require they "ask Facebook to delete it"??? That should have been court ordered and this definitely should be under hippa violation! Why would this or any similar health info gathering app not be under hippa rules? This is my personal health information! My privacy has been violated the same as if my doctor put my medical chart on a billboard & goodrx should be treated as such.

FTC Staff
July 03, 2023

In reply to by Frankie Reed

Civil penalties are paid to the US Treasury, not the Federal Trade Commission.

Delores Marsh
August 02, 2023

While there playing games with our personal stuff! Why is GoodRx giving Facebook medical information?
why is Facebook asking for it? Why do they need it? It doesn’t make any sense to me. HIPAA laws are there for a reason obey them!
We all know Facebook should pay as well.

More from the Business Blog

Get Business Blog updates