In late April 2024, the Federal Trade Commission announced a significant update to the Health Breach Notification Rule (HBNR) that positions the agency to regulate breaches involving digital health technologies not covered under HIPAA, setting a stronger baseline for privacy protections as the ecosystem moves into 2025. [1]
The HBNR historically required vendors of personal health records (PHRs) and related entities to notify individuals, the FTC, and in certain cases the media of breaches involving unsecured PHR identifiable health information. [2]
With the proliferation of mobile health apps, wearable devices, and connected health platforms, the FTC’s final changes clarify the scope of coverage to include entities and technologies that fall outside the traditional HIPAA framework, bringing more consumer health data practices under an enforceable notification regime. [1][2]
Digital health companies relying on consumer engagement through applications and devices should evaluate whether the expanded definitions of PHR vendors and related entities subject them to new breach notification obligations and operational expectations. [1][2]
Implementation timelines place the effective date 60 days after publication in the Federal Register, shaping compliance planning and enforcement posture heading into 2025. [1]
The finalized amendments to the Health Breach Notification Rule introduce substantive updates to how breaches of consumer health information are defined, evaluated, and reported, with broad implications for digital health platforms operating outside HIPAA. [1][2]
First, the rule revises critical definitions, including “PHR identifiable health information” and “covered health care provider,” with the practical effect of bringing more digital health apps, connected services, and health data features into the regulatory perimeter. [1][2]
Under the updated framework, electronic services that draw, combine, and manage individual health data from multiple sources can be treated as PHR vendors or related entities, which triggers HBNR breach notification obligations when unsecured PHR identifiable health information is compromised or improperly disclosed. [2]
Second, the definition of “breach of security” is expanded in a way that matters operationally for app ecosystems. It is not limited to classic security incidents (such as intrusion or exfiltration) and can include unauthorized disclosures of health information that occur through integrations with third parties, APIs, software development kits, or embedded tracking tools in a consumer health context. [1][2]
This provision is especially relevant for developers of mobile health applications, telehealth platforms, and connected health services that exchange consumer health data with advertising, analytics, attribution, or other external systems. Organizations should assess whether data flows that were historically treated as “sharing” or “analytics” could instead be treated as unauthorized disclosures when they were not properly authorized by the consumer or accurately represented to the consumer, since that increases the likelihood that a reportable event occurs. [1]
Third, the final rule updates notice requirements by expanding the content that must be provided to affected consumers. Entities subject to the HBNR must include the identity of any third parties that acquired unsecured PHR identifiable health information in their breach notifications, increasing transparency and creating stronger accountability expectations for vendor ecosystems and downstream recipients of health data. [1][2]
Timing requirements also become more structured for large events. Breaches involving 500 or more individuals require notification to the FTC and affected individuals in a coordinated manner, subject to a 60-day maximum deadline following discovery. This increases the need for early incident triage, rapid scope assessment, and a disclosure-ready communications workflow that can operate while the investigation is still underway. [2]
Fourth, the final rule modernizes acceptable notification methods to include electronic channels such as email and other means that can improve consumer outreach in the age of digital communication. For digital health services that primarily interact with consumers through apps and online accounts, this aligns notice mechanics with how consumers actually engage, but it also raises the expectation that contact pathways are accurate, maintained, and actionable during incident response. [1][2]
By codifying these updates, the FTC strengthens the HBNR’s relevance to contemporary digital health practices. Companies that assumed HIPAA was the only major health privacy regime must now reassess data flows, security posture, vendor oversight, and incident response playbooks to ensure they can identify reportable events and deliver compliant notices under the HBNR. [1][2]
For digital health platforms, wearable manufacturers, and mobile health apps that capture, analyze, or display health-related information, the expanded HBNR increases compliance complexity and operational risk by establishing clear federal expectations for incident detection, breach evaluation, and notification outside HIPAA. [1]
Entities previously unconstrained by federal health privacy rules may need to implement policies and systems to detect, quantify, and report breaches involving unsecured PHR identifiable health information, including revisiting user authorization and third-party sharing practices that can influence whether an event is treated as an unauthorized disclosure. [2]
Companies that integrate health tracking with advertising or analytics should recognize that certain unauthorized disclosures to these partners may now be treated as a breach of security under the updated rule, increasing the importance of technical oversight of data flows and contractual clarity with third parties. [1]
Healthcare providers and health tech companies face notable operational challenges when aligning with the updated Health Breach Notification Rule. Breach detection and response capabilities that were once tailored narrowly to HIPAA-covered environments may not fully address the broader set of triggers and reporting requirements that apply in consumer health technology contexts. [1][2]
First, incident response plans should explicitly incorporate HBNR thresholds and deliverables. This includes workflows for breach discovery, internal escalation, scoping, consumer notification, and reporting to the FTC. It also includes clearly defined decision points for determining whether information is “unsecured” and whether an event constitutes a reportable breach under the HBNR definitions. [2]
Traditional IT and security teams may need targeted training to recognize HBNR-specific criteria, particularly where unauthorized disclosures, rather than overt security intrusions, can qualify as a breach. This means compliance readiness must extend beyond detection tooling to include governance over integrations, data sharing mechanisms, and product behavior that can create disclosure risks during normal operations. [1]
Second, digital health companies should audit third-party ecosystems, given the rule’s inclusion of entities that access or send unsecured PHR identifiable health information as “related entities.” Partners that receive health information through APIs, cloud integrations, attribution, analytics, or embedded tooling should be vetted for privacy and security maturity, and contracts should define incident reporting responsibilities, timelines, and evidence-sharing requirements in a way that supports the primary entity’s HBNR deadlines. [2]
This creates practical shared-responsibility questions that must be resolved before an incident occurs. Teams should clarify which party is responsible for identifying an incident, who performs forensic scoping, which party communicates with consumers, and what information must be available to identify any third parties that acquired the data for inclusion in notices. [1][2]
Third, consumer communications teams must be prepared to craft technically accurate but accessible breach notifications that meet the expanded substantive requirements. Notices should identify involved third parties (when required), describe the categories of unsecured PHR identifiable health information affected, and provide practical steps consumers can take. This is a communications challenge during high-stress breach contexts, especially when internal teams are still validating scope while the notification clock runs. [2]
Finally, executive leadership should integrate breach reporting and privacy risk into enterprise risk management. With heightened regulatory scrutiny and the potential for enforcement actions stemming from delayed or incomplete notice, organizations should elevate breach notification readiness as a strategic capability, not a narrow incident response task. [1]
The FTC’s modernization of the Health Breach Notification Rule marks a pivotal moment for digital health privacy governance and sets a precedent for how non-HIPAA consumer health data controllers are regulated, particularly where products combine data from multiple sources and integrate with third parties. [1]
Strategic considerations include privacy-by-design, strong access controls, encryption where appropriate, and continuous auditing of data flows across internal systems and external integrations, paired with incident response exercises that accelerate readiness for HBNR timelines. [2]
As enforcement, consumer expectations, and state privacy frameworks continue to evolve, organizations may benefit from coordinated compliance strategies that harmonize breach reporting with broader consumer protection and privacy obligations. [1]