FTC Health Breach Notification Rule: Plain English Summary
The Rule That Sat Dormant for Fourteen Years, Then Changed Everything
The FTC Health Breach Notification Rule was finalized in 2009. For the next fourteen years, the Federal Trade Commission did not bring a single enforcement action under it. The rule existed on paper, referenced in legal databases and compliance checklists, but it had no teeth in practice. Most healthcare technology companies either did not know it existed or assumed it was irrelevant.
Then, in February 2023, the FTC enforced it against GoodRx. The enforcement was not about a database hack or a stolen laptop. It was about tracking pixels sharing health data with advertising platforms. Within eighteen months, the FTC used the rule against three more companies, establishing it as the primary federal enforcement tool for health data breaches outside the traditional HIPAA framework.
The Health Breach Notification Rule matters to healthcare marketers because it reaches entities and data flows that HIPAA does not cover. If your organization operates a health app, a patient portal, a telehealth platform, or any digital health tool that falls outside traditional HIPAA coverage, this rule may apply directly to you. And even if you are a HIPAA-covered entity, the rule's enforcement history provides critical guidance on how federal regulators view tracking technologies and health data.
What the Rule Says in Plain English
The Health Breach Notification Rule (16 CFR Part 318) requires certain entities to notify consumers, the FTC, and in some cases the media when there is a breach of unsecured health information.
Who it covers. The rule applies to vendors of personal health records (PHRs), PHR-related entities, and service providers to those entities. In 2023, the FTC clarified through an updated policy statement that this includes health apps, fitness trackers, and any entity that collects health information electronically from consumers, regardless of whether the entity is a HIPAA-covered entity.
What counts as a "breach." This is where the rule becomes powerful. A "breach" under the HBNR includes unauthorized acquisition of health information, but the FTC has clarified that sharing health data with third parties without consumer authorization also constitutes a breach. That means a tracking pixel that sends health-related browsing data to an advertising platform triggers breach notification requirements.
What "health information" includes. The rule covers individually identifiable health information created or received by a covered entity. This includes information about physical or mental health conditions, provision of healthcare, and health-related data collected through apps or devices. It is not limited to clinical records.
What notification requires. When a breach occurs, the entity must notify each affected individual, the FTC, and (for breaches affecting 500 or more people) prominent media outlets. The notification must describe the breach, the types of information involved, and steps individuals can take to protect themselves.
The Four Enforcement Actions That Defined the Rule
The FTC's enforcement of the HBNR has established a clear pattern: sharing health data with advertising platforms through tracking technologies constitutes a breach requiring notification.
GoodRx ($1.5M FTC + $25M class action, 2023). The first-ever enforcement under the Health Breach Notification Rule. GoodRx configured Meta Pixel and Google tracking pixels that shared prescription drug names, health conditions, and personal identifiers with Facebook, Google, and other ad platforms. GoodRx used health data for targeted advertising without consent.
The GoodRx case established the precedent that sharing health data with ad platforms via tracking pixels constitutes a "breach" under the HBNR. The FTC explicitly stated that the unauthorized disclosure of health information to advertising companies, even when done through standard marketing tools, triggers breach notification obligations.
Easy Healthcare / Premom ($100K FTC, 2023). The fertility-tracking app shared menstrual cycle dates, temperatures, pregnancy status, weight, and hormone results with Google and other analytics firms via SDKs. Despite a privacy policy stating it would only share non-identifiable data, the app transmitted identifiable health information. The FTC permanently banned Easy Healthcare from sharing user health data for advertising.
The Premom case extended the HBNR to mobile app SDKs, not just web tracking pixels. It also demonstrated that privacy policy claims do not override actual data practices. If your technology shares health data with third parties, the rule applies regardless of what your privacy policy says.
BetterHelp ($7.8M FTC, 2023). BetterHelp shared email addresses, IP addresses, and mental health intake questionnaire responses with Facebook, Snapchat, Criteo, and Pinterest via tracking pixels. The company used therapy data to build Facebook lookalike audiences.
Cerebral ($7M FTC, 2024). From 2019 to 2023, tracking pixels sent patient names, medical and prescription histories, insurance information, and mental health symptom questionnaire answers to Meta. Cerebral reported the breach to HHS as affecting 3.2 million individuals. The FTC imposed a first-of-its-kind ban on using health information for most advertising.
How the HBNR Extends Beyond HIPAA
HIPAA applies to covered entities (health plans, healthcare providers, healthcare clearinghouses) and their business associates. Many digital health companies, health apps, and technology platforms fall outside HIPAA's scope entirely. Before the HBNR enforcement wave, these entities existed in a regulatory gap: they collected and processed health data but had no federal obligation to protect it or notify consumers when it was exposed.
The HBNR fills that gap. It applies to entities that are not HIPAA-covered but that handle personal health records electronically. This includes fitness and wellness apps that collect health metrics, period and fertility tracking apps, mental health platforms, telehealth services that may not meet HIPAA's covered entity definition, health data aggregators and patient engagement platforms, and any website or app that collects health information from consumers.
For healthcare marketing teams, the practical implication is clear: even if your organization or tool is not a HIPAA-covered entity, sharing health-related data with advertising platforms through tracking technologies can trigger HBNR obligations. The rule does not care about your HIPAA status. It cares about what you do with health data.
The 2023 Rule Update: Closing the Interpretation Gap
In May 2023, concurrent with the early enforcement actions, the FTC finalized updates to the HBNR that clarified several points that had been ambiguous.
Breaches include unauthorized sharing, not just hacks. The updated rule explicitly states that a "breach of security" includes the unauthorized acquisition of identifiable health information, which covers sharing data with third parties through tracking pixels, SDKs, and APIs without consumer authorization. You do not need to be hacked. You just need to be sharing data in ways your users did not specifically authorize.
Health apps and similar technologies are covered. The FTC clarified that the rule applies to entities that process health information through apps, websites, and connected devices. This is not limited to formal "personal health record" products.
Notification timelines are strict. Entities must notify affected individuals within 60 days of discovering a breach. For breaches affecting 500 or more people, the FTC and major media outlets must also be notified. Given that tracking pixel breaches often affect the entire user base, most violations trigger the media notification requirement.
What This Means for Your Marketing Stack
The HBNR enforcement pattern has direct implications for how healthcare and health-adjacent organizations configure their marketing technology.
Audit every data flow to third parties. Every tracking pixel, analytics script, and marketing SDK that sends data to a third-party server is a potential HBNR breach vector. This is true whether you are a HIPAA-covered entity or not. Map every data flow from your website, app, and patient-facing tools to identify where health information reaches platforms without specific consumer authorization.
Consent is not optional. The HBNR cases consistently cite lack of consumer authorization as the breach trigger. Cookie consent banners alone do not satisfy this requirement. Consumers must be informed specifically about health data sharing and must authorize it. Server-side consent gating, where data does not flow to third parties until consent is verified at the server level, provides the technical enforcement mechanism.
Server-side architecture eliminates the primary risk vector. Every HBNR enforcement action involved client-side tracking technologies (pixels, SDKs) sending data from the user's browser or device to third-party servers. Server-side architecture routes data from your server to controlled destinations. The user's browser never communicates with advertising or analytics platforms. This structural change eliminates the unauthorized disclosure pathway.
Business associate agreements (BAAs) matter even outside HIPAA. While the HBNR does not require BAAs, having a contractual framework with any vendor that processes health data establishes accountability and demonstrates good-faith compliance efforts. A vendor covered by a comprehensive BAA, maintaining SOC 2 Type II across all five trust services criteria, is a defensible choice. A vendor with no contractual health data protections is not.
Continuous monitoring catches new exposures. Marketing teams add scripts. Developers integrate new tools. A web scanner that audits your tracking surface on an ongoing basis detects when new third-party data flows emerge before they become breach notification triggers.
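The server-side consent gate described in this section, as an added example that is not Ours Privacy's product code: an event from the site lands on the organization's own server and is forwarded to an ad or analytics destination only when the user's consent record specifically authorizes health-data sharing, and every decision is kept as an audit record. The field names, path patterns and consent store are assumptions made for the example.

```javascript
// Added example, not Ours Privacy's code: a server-side consent gate. Events
// reach our own collection server first; an ad or analytics destination gets
// an event only when the user's consent record authorizes that sharing.
// Field names, path patterns and the consent store are constructed assumptions.

// Properties and URL paths treated as health information (constructed list).
const HEALTH_FIELDS = new Set(['condition', 'drug', 'symptom_score', 'intake_answers']);
const HEALTH_PATH = /^\/(conditions|prescriptions|therapy)(\/|$)/;

// Constructed consent store keyed by user id. "healthSharing" is a separate,
// specific authorization: a generic cookie-banner "analytics" consent alone
// never unlocks health data.
const CONSENTS = {
  u1: { analytics: true, healthSharing: true },
  u2: { analytics: true, healthSharing: false },
};

function containsHealthInfo(event) {
  const props = event.properties || {};
  if (Object.keys(props).some((k) => HEALTH_FIELDS.has(k))) return true;
  return HEALTH_PATH.test(props.path || '');
}

// Decide whether one event may leave our server for `destination`.
// Returns { action: 'forward' | 'drop', reason, payload? }.
function gateEvent(event, destination, consents = CONSENTS) {
  const consent = consents[event.userId];
  if (!consent) return { action: 'drop', reason: 'no consent record' };
  const health = containsHealthInfo(event);
  if (health && !consent.healthSharing) {
    return { action: 'drop', reason: 'health data without specific authorization' };
  }
  if (!health && !consent.analytics) {
    return { action: 'drop', reason: 'no analytics consent' };
  }
  // Direct identifiers the destination does not need never leave the server.
  const { ip, email, ...properties } = event.properties || {};
  return {
    action: 'forward',
    reason: 'authorized',
    payload: { destination, userId: event.userId, properties },
  };
}

// Run a batch and keep an audit trail of every decision (what a regulator
// will ask for): which events were dropped, and why.
function processBatch(events, destination, consents = CONSENTS) {
  return events.map((e) => ({ userId: e.userId, path: (e.properties || {}).path, ...gateEvent(e, destination, consents) }));
}
```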
FAQ
Does the FTC Health Breach Notification Rule apply to HIPAA-covered entities?
The HBNR primarily targets entities that are not covered by HIPAA, filling the gap in health data protection. However, HIPAA-covered entities are not exempt from FTC enforcement generally. The FTC has used its authority under Section 5 of the FTC Act (prohibiting unfair or deceptive practices) alongside the HBNR in some cases. If your organization is HIPAA-covered, you face obligations under both HIPAA's breach notification rule and potentially the HBNR if you operate health apps or tools outside your covered entity functions.
What counts as "health information" under the HBNR?
The rule covers individually identifiable health information, which includes information about physical or mental health conditions, provision of healthcare, and health data collected through apps or digital tools. Based on enforcement, this includes prescription drug names, health conditions searched or browsed, mental health questionnaire responses, fertility and reproductive health data, and any health-related behavioral data tied to an identifiable individual.
Is sharing data with Google Analytics a breach under the HBNR?
If your website or app collects health information and Google Analytics transmits that information (including browsing behavior on health-related pages tied to identifiers like IP addresses) to Google's servers without specific consumer authorization, it could constitute a breach under the FTC's interpretation of the HBNR. The enforcement cases have consistently treated tracking pixel and analytics data sharing as unauthorized disclosure.
What are the penalties for violating the HBNR?
The FTC can impose civil penalties of up to $50,120 per violation per day. In practice, settlements have ranged from $100K (Easy Healthcare) to $7.8M (BetterHelp). The FTC has also imposed behavioral remedies including permanent bans on sharing health data for advertising, mandatory deletion of data and algorithms derived from improperly obtained health data, and requirements for comprehensive privacy programs with independent assessments.
How is the HBNR different from HIPAA's breach notification rule?
HIPAA's breach notification rule applies to covered entities and business associates and covers "unsecured PHI." The HBNR applies to entities outside HIPAA's scope and covers "personal health records." The key practical difference is scope: the HBNR reaches health apps, digital health tools, and technology platforms that HIPAA does not cover. The HBNR also explicitly treats unauthorized sharing with third parties (not just hacking or theft) as a reportable breach.
The FTC Health Breach Notification Rule has transformed from a dormant regulation into the primary enforcement tool for health data privacy outside HIPAA. If your organization collects health information digitally, Ours Privacy provides the server-side infrastructure and consent management that prevents the unauthorized data flows regulators are targeting.