By Mike Reeves | ComplianceJournal.news

The Federal Trade Commission's Health Breach Notification Rule has been on the books since 2009. For most of its existence it was lightly enforced and widely misunderstood — many companies assumed it applied only to entities covered by HIPAA, or only to traditional healthcare businesses. The FTC's 2021 policy statement and subsequent enforcement actions have corrected that misunderstanding in a way that is still rippling through the health technology industry.

The rule applies to vendors of personal health records and related entities that are not covered by HIPAA. A fitness app that tracks workouts and health metrics is a personal health record vendor if it draws data from multiple sources. A digital health platform that aggregates health information from wearables, pharmacy records, and clinical providers is a personal health record vendor. A weight loss app that collects diet and exercise data is a personal health record vendor.

The GoodRx and BetterHelp Enforcement Actions

The FTC's enforcement actions against GoodRx and BetterHelp established the template for how the agency is applying the Health Breach Notification Rule to the health technology sector. Both cases involved the disclosure of user health information to advertising platforms (in each case via Facebook's pixel technology) without user notice or consent.

In both cases the FTC treated the disclosure to advertising platforms as a breach triggering notification obligations under the Health Breach Notification Rule. GoodRx settled for $1.5 million. BetterHelp settled for $7.8 million. Both orders include injunctive provisions requiring specific practices around health data disclosure and advertising technology.

What Companies Must Address

Any company that collects health-related data and uses standard advertising technology — Meta Pixel, Google Analytics, third-party data brokers — is operating in territory the FTC has indicated it will scrutinize. Companies that have not conducted a Health Breach Notification Rule applicability analysis should do so now. The analysis may reveal past notification failures that require attention before the FTC identifies them through its own monitoring.

This article is for informational purposes and does not constitute legal advice.