FTC Health Breach Notification Rule
FTC rule (16 CFR Part 318) requiring vendors of personal health records and related entities (not HIPAA-covered) to notify affected individuals and FTC after a breach of unsecured PHR identifiable health information.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- HIPAA & Privacy
- Primary sources
- 1
- Workspace handoff
- compliance binder →
Where this comes up
Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.
Full definition
What it is in practice
FTC HBNR was clarified in 2024 to cover health-app vendors and similar entities. Notification is required within 60 days; over 500 affected requires FTC notice within 10 business days.
How it shows up in your practice
Telehealth-only platforms, period trackers, and similar consumer health apps may fall under FTC HBNR rather than HIPAA. Confirm your platform vendor's status.
Sources
- FTC — Health Breach Notification Rulehttps://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule
Document app-vendor status in the Compliance Binder
Open compliance binder →Related terms
- HIPAA & PrivacyHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- HIPAA & PrivacyPHR (Personal Health Record)An electronic record of identifiable health information drawn from multiple sources that is managed, shared, and controlled by or primarily for the individual.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryPHR (Personal Health Record)An electronic record of identifiable health information drawn from multiple sources that is managed, shared, and controlled by or primarily for the individual.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- RegulationHIPAA Authorization Requirements (45 CFR 164.508)Required elements and statements for a valid HIPAA authorization, plus the prohibition on combining authorizations with other documents in most circumstances.
- RegulationHIPAA Business Associate Agreements (45 CFR 164.504(e))Required contract elements for any business associate that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.