FTC Health Breach Notification Rule — Amended (covers AI health-app inferences)
United States · 16 C.F.R. Part 318; 89 Fed. Reg. 47028
Health apps and connected devices that fall outside HIPAA, including AI-powered mental health and fitness tools, must notify affected users and the FTC without unreasonable delay and no later than 60 calendar days after discovering a breach of identifiable health information; breaches affecting 500 or more residents of a state also require notice to prominent media in that state. The 2024 amendments confirm that health information inferred by algorithms and AI models is covered, and that an unauthorized disclosure (for example, sharing health data with advertisers without the user's authorization) is itself a breach.
Technical detail
16 C.F.R. Part 318 (as amended, 89 Fed. Reg. 47028). The amendments (1) clarify that 'PHR identifiable health information' includes data produced by algorithmic and AI inferences, not only data the user enters directly; (2) clarify that 'health care services or supplies' includes websites, apps, and internet-connected devices that track health conditions, medications, fitness, sleep, mental health, and similar data, bringing most consumer health apps in scope as vendors of personal health records or PHR-related entities; and (3) clarify that a 'breach of security' is not limited to intrusions by outsiders but also covers disclosures and other acquisitions of covered data that the consumer has not authorized.
Who is protected: U.S. consumers of non-HIPAA-covered health apps, including AI symptom checkers, mental health chatbots, and fitness wearables
Who must comply: Vendors of personal health records, PHR-related entities, and third-party service providers handling identifiable health information (service providers notify the vendor or PHR-related entity, which in turn notifies consumers and the FTC)
Key facts
| Jurisdiction | United States |
|---|---|
| Level | Federal |
| Status | In effect |
| Protection strength | Moderate protection |
| Effective date | 2024-07-29 |
| Enacted | 2024-04-26 (FTC vote); published in the Federal Register 2024-05-30 |
| Citation | 16 C.F.R. Part 318; 89 Fed. Reg. 47028 |
| Enforced by | Federal Trade Commission |
| Private right of action | No — agency enforcement only |
| Penalties | Civil penalties of up to $53,088 per violation (2025 inflation-adjusted amount), with each day of a continuing violation counted separately; consumer redress |
| Topics | consumer data privacy · healthcare AI · consumer protection · data retention |
| Last verified | 2026-06-17 |
| Official source | Health Breach Notification Rule — Final Amendments (89 FR 47028) |
More AI rules in United States
- FTC Act Section 5 (unfair/deceptive AI) · In effect
- TAKE IT DOWN Act · In effect
- FCRA (AI in credit & background checks) · In effect
- ECOA / Regulation B (AI credit discrimination) · In effect
- Title VII / ADA (AI hiring) · In effect
- COPPA + 2025 Rule (children's data) · In effect
Related consumer data privacy rules elsewhere
- CCPA/CPRA + ADMT Regulations · In effect
- AB 2013 (Training Data Transparency) · In effect
- AB 602 (Deepfake Intimate Images) · In effect
- BIPA · In effect
- TDPSA · In effect
- HB 452 (Mental Health Chatbots) · In effect