FTC Proposes Updates to the Health Breach Notification Rule for Health Apps and Consumer Health Technologies

The Federal Trade Commission seeks to clarify how the Health Breach Notification Rule applies to health records collected by health apps and similar consumer health technologies.

On May 18, 2023, the Federal Trade Commission ("FTC") announced a Notice of Proposed Rulemaking ("Proposed Update") to amend the Health Breach Notification Rule ("HBNR"). The FTC seeks to amend the HBNR to clarify its application to health apps, fitness trackers, and other similar direct-to-consumer health technologies. The HBNR requires certain companies not covered by the Health Insurance Portability and Accountability Act ("HIPAA") that access personal health records to notify consumers and the FTC when there is a breach of that data.

According to the FTC, these amendments are needed due to the increased amount of health data collected from consumers and new technological developments and business practices (e.g., use of marketing third party tracking technologies). Health apps, fitness watches, and other direct-to-consumer health technologies have become more common since the rule's issuance. In its Open Committee Meeting on May 18, 2023, the FTC underscored the importance of the HBNR to safeguard the collection of sensitive personal information collected by these consumer health technologies. Companies are likely to see that amendments to the HBNR result in stepped-up enforcement.

The FTC is seeking comment on a number of specific proposed changes within the Proposed Update, including: 

  • Revising definitions to clarify the rule's application to health apps and other direct-to-consumer health technologies not covered by HIPAA. 
  • Clarifying that a security breach includes "an unauthorized acquisition" of identifiable health information that results from a disclosure without consumer consent.
  • Proposing the use of email and other electronic means to provide notice of a breach to consumers.
  • Expanding what information companies need to include in notices to consumers.

The deadline for submitting comments will be 60 days after the notice is published in the Federal Register.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.