FDA Cybersecurity & Privacy Scrutiny: No Regulation, Same Level of FTC Health Breach Oversight

by Anika Shah - Technology

Understanding the FTC’s Health Breach Notification Rule: What It Means for Health Apps and Wearables in 2026

As health apps and wearable devices become increasingly integrated into daily life, protecting sensitive personal health information has never been more critical. Although hospitals and insurance providers fall under HIPAA regulations, many companies collecting health data—such as fitness trackers, diet apps, and connected medical devices—operate outside this framework. For these organizations, the Federal Trade Commission’s (FTC) Health Breach Notification Rule establishes essential obligations when a breach of unsecured, individually identifiable health information occurs.

This rule, which implements section 13407 of the American Recovery and Reinvestment Act of 2009, applies to vendors of personal health records (PHRs), PHR-related entities, and third-party service providers working with these organizations. Importantly, the FTC’s Rule preempts contradictory state breach notification laws but does not prevent states from imposing additional, non-contradictory requirements—such as mandating advice on credit monitoring or providing contact information for consumer reporting agencies in breach notices.

Who Must Comply with the Health Breach Notification Rule?

According to the FTC’s official guidance, your business is covered by the Rule if you are:

  • A vendor of personal health records (meaning you offer or maintain a PHR)
  • A PHR-related entity
  • A third-party service provider for a vendor of PHRs or a PHR-related entity

This scope explicitly includes makers of health apps, connected devices (like fitness trackers and blood pressure cuffs), and similar products that collect individually identifiable health information. The FTC confirmed this applicability in amendments to the Rule finalized in 2024 and effective July 29, 2024, so that emerging health technologies clearly fall under the Rule's requirements.

What Triggers a Notification Requirement?

The Rule requires notification following a breach of unsecured, individually identifiable health information. "Unsecured" means the data has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through specified technologies or methodologies (in practice, encryption or secure destruction). If the data was properly encrypted and the key was not itself compromised, notification may not be required even if a security incident occurs. Note that "breach of security" is not limited to hacking: under the amended Rule it also covers any acquisition of the data without the individual's authorization, including an unauthorized disclosure or sharing of health data with a third party.


Covered entities must notify three parties when a breach occurs:

  1. Affected individuals
  2. The Federal Trade Commission
  3. The media (in cases affecting 500 or more residents of a state or jurisdiction)

Notification Timelines and Content Requirements

Notifications to individuals must occur without unreasonable delay and no later than 60 calendar days after the breach is discovered. If the breach involves 500 or more individuals, the FTC must be notified at the same time as the affected individuals, under the same 60-calendar-day outer limit. For breaches affecting fewer than 500 individuals, the entity may instead keep a log and submit it to the FTC annually, no later than 60 calendar days after the end of the calendar year in which the breach was discovered.


Breach notices to consumers must be written in plain language and include:

  • A description of what happened, including the date of the breach and the date it was discovered
  • The types of unsecured health information involved
  • The name or identity (or, where naming them would create a risk, a description) of any third parties that acquired the data as a result of the breach, if known
  • A brief description of the potential harm that may result from the breach
  • Steps individuals should take to protect themselves from that harm
  • A brief description of what the entity is doing to investigate the breach, mitigate harm, and prevent further breaches
  • Contact information for questions or assistance (at least two of: a toll-free telephone number, an e-mail address, a website, or a postal address)

While the federal Rule sets these baseline requirements, some states enhance them—for example, requiring specific guidance on credit report monitoring or providing details about consumer reporting agencies.

Compliance and Enforcement

The FTC enforces the Health Breach Notification Rule through its authority under the FTC Act: a violation of the Rule is treated as an unfair or deceptive act or practice in violation of an FTC trade regulation rule, which allows the Commission to seek civil penalties per violation in addition to injunctive relief. Organizations subject to the Rule should implement reasonable security measures to protect health information, maintain documented breach response procedures, and keep records sufficient to show when a breach was discovered and when each notification went out.


As noted in recent regulatory discussions, wellness products sit at the intersection of multiple oversight bodies—including the FDA, HIPAA (where applicable), the FTC, and state privacy laws—creating a complex but necessary compliance landscape for health technology companies.

Key Takeaways

  • The FTC’s Health Breach Notification Rule applies to health apps, wearables, and similar technologies not covered by HIPAA
  • Organizations must notify consumers, the FTC, and sometimes media following breaches of unsecured health information
  • Notifications must be sent without unreasonable delay and within 60 calendar days of discovery, and must include specific protective guidance for affected individuals
  • State laws can add to—but not contradict—federal requirements
  • July 2024 amendments confirmed the Rule’s applicability to modern health tech products

For companies navigating this regulatory environment, understanding the Health Breach Notification Rule is not just about legal compliance—it’s about building consumer trust in an era where health data is among the most sensitive information individuals share.
