FTC Health Breach Notification Rule
The FTC Health Breach Notification Rule (16 CFR Part 318) is the FTC regulation requiring vendors of personal health records (PHR), PHR-related entities and third-party service providers to notify individuals, the FTC and, where applicable, the media of breaches of security involving identifiable health information. The Rule applies to entities not covered by HIPAA (the Health Insurance Portability and Accountability Act of 1996 and the HIPAA Breach Notification Rule at 45 CFR Subpart D), i.e. consumer-facing health apps, wearables, fitness trackers, reproductive health apps, DTC genetics, mental health apps, smart scales and connected medical devices not operated by HIPAA-covered entities.

2009 original rule: implemented Section 13407 of the HITECH Act (PL 111-5) and covered classic PHR vendors.

2024 final rule amendments (effective 29 July 2024, with 25 April 2025 for delayed elements) expanded the scope to: (a) mobile health apps and connected devices, even if not marketed as a PHR; (b) a new definition of breach explicitly including unauthorized disclosure to advertising/marketing networks, third-party SDKs, data brokers, cross-app tracking and reproductive-health-data scenarios; (c) an updated definition of PHR identifiable health information; (d) a new definition of healthcare provider; (e) third-party service provider (TPSP) obligations to notify PHR vendors upstream.

Notification requirements: (i) individual notification without unreasonable delay and no later than 60 calendar days after discovery; (ii) FTC notification via the online notification form within 60 days for breaches affecting 500+ individuals, or via an annual log for breaches affecting fewer than 500; (iii) media notification via a prominent media outlet for breaches affecting 500+ individuals in a state or jurisdiction; (iv) content requirements: a brief description of the breach, the types of information involved, steps individuals should take to protect themselves, actions taken by the entity and contact information.

Enforcement: the FTC may impose civil penalties of up to USD 51,744 per violation (2025 figure, adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act), with additional state enforcement under state attorney general consumer protection laws. Private right of action: none under the HBNR, but state law claims may apply.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
HBNR: 2024 Amendments - Mobile Apps, Connected Devices, Reproductive Health and Cross-App Tracking
| Code | Title |
|---|---|
| HBNR-2024-Amendments-Mobile-Apps-Repro | 2024 Amendments - Mobile Apps, Connected Devices, Reproductive Health and Cross-App Tracking |
HBNR: Breach Notification to Individuals (16 CFR 318.3, 318.4, 318.5) - 60-Day Timeline + Content + Method
| Code | Title |
|---|---|
| HBNR-IndividualNotice-60Day | Notice to Individuals - 60-Day Discovery Clock + Content + Method (16 CFR 318.3, 318.4, 318.5) |
HBNR: Definitions (16 CFR 318.2) - PHR, Identifiable Health Information, Breach, Healthcare Provider
| Code | Title |
|---|---|
| HBNR-Definitions-PHR-Identifiable-Breach | Definitions - PHR, Identifiable Health Information, Breach of Security, Healthcare Provider (16 CFR 318.2) |
HBNR: Enforcement, Coordination with HIPAA / State Laws and 2024-2025 Status
| Code | Title |
|---|---|
| HBNR-Coord-HIPAA-State-MHMD-Sectoral | Coordination with HIPAA, State My Health My Data Acts and Other Sectoral Federal Laws |
| HBNR-Crosswalk-NIST-CSF-ISO-HIPAA | Crosswalk to NIST CSF 2.0, NIST 800-66, ISO 27001/27701, SOC 2 and HIPAA |
| HBNR-Enforcement-HIPAA-StateLaw-Status | Enforcement, Civil Penalties, HIPAA Coordination + State Law + Status (16 CFR 318.7, 318.8, 318.9) |
| HBNR-Implementation-Roadmap-Org | HBNR Compliance Program Implementation - Organizational Roles, Detection, Incident Response, Records |
| HBNR-Status-2024-2025-Enforcement-Cases | HBNR Implementation Status, 2024-2025 FTC Enforcement Cases and Anticipated Amendments |
HBNR: FTC and Media Notification (16 CFR 318.5(c) + 318.6) - 500+ Threshold and Annual Log
| Code | Title |
|---|---|
| HBNR-FTC-Media-Notice-500Threshold | FTC + Media Notification - 500+ Individual Threshold (16 CFR 318.5(c), 318.6) |
HBNR: Scope and Applicability (16 CFR 318.1, 318.2) - PHR Vendors and PHR-Related Entities
| Code | Title |
|---|---|
| HBNR-Scope-PHR-Vendor | Scope, PHR Vendor and PHR-Related Entity Applicability (16 CFR 318.1) |
HBNR: Third-Party Service Provider Obligations (16 CFR 318.3(b))
| Code | Title |
|---|---|
| HBNR-TPSP-Upstream-Notification | Third-Party Service Provider Obligations - Upstream Notification (16 CFR 318.3(b)) |
Frequently Asked Questions
What is the FTC Health Breach Notification Rule?
The FTC Health Breach Notification Rule is a compliance framework from the United States with 7 domains and 11 controls; see the summary at the top of this page for its scope, notification requirements and enforcement provisions. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does the FTC Health Breach Notification Rule have?
The FTC Health Breach Notification Rule has 11 controls organised across 7 domains. The largest domains are HBNR: Enforcement, Coordination with HIPAA / State Laws and 2024-2025 Status (5 controls), HBNR: 2024 Amendments - Mobile Apps, Connected Devices, Reproductive Health and Cross-App Tracking (1 control) and HBNR: Breach Notification to Individuals (16 CFR 318.3, 318.4, 318.5) - 60-Day Timeline + Content + Method (1 control). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does the FTC Health Breach Notification Rule map to?
FTC Health Breach Notification Rule does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.
How do I get started with FTC Health Breach Notification Rule compliance?
Start your FTC Health Breach Notification Rule compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FTC Health Breach Notification Rule requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 11 controls and track your progress.