
Does your business or organization have a mobile app, website, Internet-connected device or similar technology that holds consumers’ health information? Do you provide products or services or send or receive data to or from that kind of product? Do you deal with health information while providing services to companies that offer those products?

The Federal Trade Commission’s Health Breach Notification Rule requires companies that experience a breach of consumers’ identifying health information to notify affected consumers, the FTC, and, in some cases, the media. On September 15, 2021, the Commission issued a statement clarifying that the Rule applies to most health apps and similar technologies.

Companies should report breaches to the FTC using the Commission's standard breach reporting form. The FTC periodically posts a list of reported breaches. Failure to notify the FTC, consumers, or the media as the Rule requires can result in an enforcement action seeking significant civil penalties: companies that fail to comply with the Rule can be subject to penalties of up to $50,120 per violation (a figure the FTC adjusts periodically for inflation).

The FTC's guidance document, Complying with the FTC's Health Breach Notification Rule, explains who is covered by the Rule and what to do in case of a breach.

The FTC's Health Breach Notification Rule applies only to identifying health information that is unsecured, meaning information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the encryption or destruction methods specified in guidance from the Department of Health and Human Services (HHS). Data protected in that way falls outside the Rule, so how and where health data is encrypted matters when determining whether an incident triggers notification. Also, the FTC's Rule does not apply to businesses or organizations covered by the Health Insurance Portability and Accountability Act (HIPAA). In case of a breach, entities covered by HIPAA must instead comply with the HHS Breach Notification Rule.