
Status: In effect · Protection strength: Moderate protection

FTC Health Breach Notification Rule — Amended (covers AI health-app inferences)

United States · 16 C.F.R. Part 318; 89 Fed. Reg. 47028

Health apps and connected devices — including AI-powered mental health and fitness tools — must notify users, the FTC, and (in some cases) the media within 60 days of a breach of identifiable health information. The 2024 amendments confirm that AI-generated inferences about health are covered.

Technical detail

16 C.F.R. Part 318 (as amended, 89 Fed. Reg. 47028). Clarifies that 'PHR identifiable health information' includes data emerging from algorithmic and AI inferences; covers vendors of personal health records and PHR-related entities; expands what constitutes a 'breach' to include unauthorized disclosures.

Who is protected: U.S. consumers of non-HIPAA-covered health apps, including AI symptom checkers, mental health chatbots, and fitness wearables

Who must comply: Vendors of personal health records, PHR-related entities, and third-party service providers handling identifiable health information

Key facts

Jurisdiction: United States
Level: Federal
Status: In effect
Protection strength: Moderate protection
Effective date: 2024-07-29
Enacted: 2024-04-26
Citation: 16 C.F.R. Part 318; 89 Fed. Reg. 47028
Enforced by: Federal Trade Commission
Private right of action: No — agency enforcement only
Penalties: Civil penalties of $53,088 per violation per day; consumer redress
Topics: consumer data privacy · healthcare AI · consumer protection · data retention
Last verified: 2026-06-17
Official source: Health Breach Notification Rule — Final Amendments (89 FR 47028)
