The FTC Health Breach Notification Rule (16 CFR Part 318) is the breach-notification regime for consumer health technology that falls outside HIPAA. HIPAA reaches only 'covered entities' (providers, health plans, and clearinghouses) and their business associates; a large slice of digital health, including direct-to-consumer apps, vendors of personal health records, and connected wellness products, sits outside that perimeter. The FTC rule fills the gap. It requires vendors of personal health records and 'PHR related entities' that are not HIPAA-covered to notify affected individuals and the FTC when identifiable health information is breached, and, when a breach involves 500 or more residents of a state or jurisdiction, to notify prominent media serving that area as well. Individual notice is due without unreasonable delay and no later than 60 calendar days after the breach is discovered.

The rule was significantly strengthened by amendments finalized in 2024, which clarified its modern scope. Health, fitness, fertility, sleep, and wellness apps that can draw identifiable health data from more than one source (for example, user input plus a device or third-party API) are explicitly covered. Just as importantly, a 'breach of security' is not limited to a hack or other external attack: an unauthorized disclosure, such as sharing user health data with advertising or analytics partners beyond what the user authorized, is itself a breach and triggers the same notification duties.

For a telemedicine or digital-health founder the practical lesson is that 'we are not a HIPAA covered entity' is the start of the regulatory analysis, not the end. If your product manages individually identifiable health information and you are not under HIPAA, you are likely within the FTC rule, and the FTC has shown willingness to enforce it, particularly around tracking technologies and data sharing (its first action under the rule, against GoodRx in 2023, concerned exactly that pattern). The common mistake is wiring in third-party SDKs or marketing pixels that quietly transmit health-related data, whether as explicit fields or as the URL of the page the user was viewing, which can constitute a reportable unauthorized disclosure even when no attacker was ever involved. Treat every third-party SDK and pixel as a data flow to inventory and verify, and treat the discovery of such a leak as an incident that starts the notification clock.
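The 'quiet SDK' failure mode above is easy to audit for if you capture your app's outbound traffic. The following is an added example, not code from the original page or from any regulator or vendor: it walks a constructed request log (modelled on what a proxy or HAR export would give you), separates first-party from third-party hosts, and flags third-party requests whose field names look health-related or whose page-URL parameter reveals a health-related path. The host names, field-name hints and sample requests are all assumptions made for illustration; tune the hint list to your own data model.

```python
"""Audit outbound requests for health-related data sent to third parties.

Added example, not from the page. The request log, hosts and field
hints below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Hosts the operator controls (constructed). Anything else is treated as third party.
FIRST_PARTY_HOSTS = {"example-health.test"}

# Substrings suggesting a field carries health data (illustrative, not exhaustive).
HEALTH_HINTS = (
    "diagnos", "condition", "medication", "prescription", "symptom",
    "fertility", "ovulat", "pregnan", "cycle", "sleep", "weight", "mental",
    "therap", "appointment",
)

# Field names that usually carry the page URL or referrer; health info often leaks via the path.
URL_FIELDS = {"url", "dl", "ref", "referrer", "page", "location"}


@dataclass(frozen=True)
class Finding:
    host: str
    field: str
    reason: str  # "name": the field name is suggestive; "url": a URL value's path is


def is_third_party(host: str) -> bool:
    host = host.lower()
    return not any(host == fp or host.endswith("." + fp) for fp in FIRST_PARTY_HOSTS)


def _flatten(obj, prefix=""):
    """Flatten nested JSON into (dotted.key, string value) pairs."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix[:-1], str(obj)


def extract_fields(req: dict) -> dict:
    """Collect fields from the query string plus a JSON or form-encoded body."""
    fields = dict(parse_qsl(urlsplit(req["url"]).query))
    body, ctype = req.get("body"), req.get("content_type", "")
    if body and "json" in ctype:
        try:
            fields.update(_flatten(json.loads(body)))
        except ValueError:
            pass  # malformed body: nothing to inspect
    elif body and "x-www-form-urlencoded" in ctype:
        fields.update(parse_qsl(body))
    return fields


def _suggestive(text: str) -> bool:
    text = text.lower()
    return any(h in text for h in HEALTH_HINTS)


def audit(requests: list) -> list:
    """Return one Finding per third-party request field that looks health-related."""
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host):
            continue
        for name, value in extract_fields(req).items():
            leaf = name.rsplit(".", 1)[-1]
            if _suggestive(leaf):
                findings.append(Finding(host, name, "name"))
            elif leaf.lower() in URL_FIELDS and _suggestive(urlsplit(value).path):
                findings.append(Finding(host, name, "url"))
    return findings


# Constructed sample traffic: one first-party API call, two leaky third-party calls, one benign.
SAMPLE_REQUESTS = [
    {"url": "https://api.example-health.test/v1/journal", "method": "POST",
     "content_type": "application/json",
     "body": json.dumps({"medication": "metformin", "dose_mg": 500})},
    {"url": "https://pixel.ad-network.test/collect?ev=page_view"
            "&dl=https%3A%2F%2Fapp.example-health.test%2Fconditions%2Ftype-2-diabetes"},
    {"url": "https://ingest.analytics-sdk.test/batch", "method": "POST",
     "content_type": "application/json",
     "body": json.dumps({"event": "screen_view",
                         "user": {"id": "u-123", "properties": {"fertility_stage": "luteal"}}})},
    {"url": "https://pixel.ad-network.test/collect?ev=app_open&sdk_version=4.2"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f"{f.host}: field '{f.field}' flagged by {f.reason}")
```

Two of the four sample requests are flagged: the ad pixel, because its `dl` parameter carries a page URL whose path names a condition, and the analytics SDK, because a nested user property is a fertility attribute. The first-party journal call carries the same kind of data but is not a third-party disclosure, and the benign pixel call is left alone. Field-name matching is a heuristic: it will miss health data hidden in opaque event names, so pair it with a review of what each SDK is actually configured to send.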