
The Federal Trade Commission is seeking comment on whether proposed changes should be made to a decade-old rule that requires certain companies that provide or service personal health records to notify consumers and the Commission of a data breach.

The Health Breach Notification Rule, which went into effect in 2009, requires vendors of personal health records and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. Currently, the Rule requires such entities to provide notifications within 60 days after discovery of the breach. If more than 500 individuals are affected by a breach, however, entities must notify the FTC within 10 business days.

The Health Breach Notification Rule review is part of the FTC’s periodic review of its rules to ensure they are keeping pace with changes in the economy, technology, and business models. In addition to standard questions about the Rule’s effectiveness and benefits, and whether it should be retained, changed or eliminated, the FTC also is seeking comment on such issues as:

  • whether the Rule has resulted in under-notification, over-notification, or an efficient level of notification;
  • whether the Rule’s definitions should be modified to reflect legal, economic, and technological changes;
  • whether the timing requirements and methods for reporting a breach are adequate;
  • the implications for enforcement raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platform health tools; and
  • whether and how the Rule should address any developments in health care products or services related to COVID-19.

The FTC will be accepting comment on these questions until August 20, 2020. Instructions on how to file comments can be found in the Federal Register notice. Once processed, the comments on the Rule review will be posted to

The Commission voted 5-0 to publish the Rule review notice in the Federal Register.

The Federal Trade Commission works to promote competition and protect and educate consumers.  The FTC will never demand money, make threats, tell you to transfer money, or promise you a prize. Learn more about consumer topics at, or report fraud, scams, and bad business practices at Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.

Contact Information

Juliana Gruenwald Henderson
Office of Public Affairs

Elisa Jillson
Bureau of Consumer Protection