On May 22, 2020, the Commission initiated periodic review of the Health Breach Notification Rule (Rule). 85 FR 31085 (May 22, 2020). The comment period closed on August 20, 2020. The Commission staff is reviewing comments and intends to submit a recommendation to the Commission by December 2022.

On September 15, 2021, the Commission issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule. 

This Rule requires vendors of personal health records (PHR) and PHR-related entities to provide: (1) notice to consumers who's unsecured PHR identifiable health information was acquired by an unauthorized person as a result of a breach; and (2) notice to the Commission. Under the Rule, PHR vendors and PHR-related entities must notify both the FTC and affected consumers "without unreasonable delay and in no case later than 60 calendar days" after discovery of the breach. Among other information, the notices must provide consumers with a description of the types of unsecured health information that were involved in the breach.

The FTC's Rule applies only to health information that is not secured through technologies specified by the Department of Health and Human Services (HHS). Also, the FTC's Rule does not apply to businesses or organizations covered by the Health Insurance Portability and Accountability Act (HIPAA). Entities covered by HIPAA must comply with HHS’ breach notification rule in the event of a security breach.