Does the FTC Health Breach Notification Rule Affect My Digital Health App?

If your health app sits outside HIPAA, you may still owe breach notice. The FTC rule creates a parallel duty many digital health founders are not insured for.

3 min read · Digital Health · May 24, 2026

Possibly, and most digital health founders do not expect it. The common assumption is that HIPAA is the only breach notification obligation that matters. The FTC Health Breach Notification Rule creates a second, parallel duty that reaches health apps sitting outside HIPAA, and many companies carry no coverage built for it. The rule has been on the books since 2009, but its broadened 2026 scope and the FTC's new healthcare focus have made it a live exposure rather than a footnote.

Two Breach Regimes, Not One

HIPAA governs covered entities and their business associates. Plenty of consumer-facing health and wellness apps are neither. For years that felt like an absence of obligation. It is not. The FTC Health Breach Notification Rule, updated and broadened for 2026, applies to vendors of personal health records, to related entities that interact with those records, and to the third-party service providers that handle their data, all of which sit outside HIPAA. If your app collects health information directly from users and you are not a HIPAA covered entity or business associate, the FTC rule is likely the regime that applies to you, rather than no regime at all. Treating the question as HIPAA-or-nothing is how the obligation gets missed. The two regimes can also overlap: a company can be a business associate for one product line and an FTC-rule vendor for a consumer app, with different notice duties on each. Outside the US, foreign privacy regimes attach the moment a non-US user signs up; that exposure is covered separately in the article on whether your digital health platform needs insurance for international users.

Who the FTC Rule Reaches

The rule was written for exactly the products HIPAA does not reach: health and wellness apps, connected devices that draw health data, and personal health record tools. Its definition of a breach is broad. Any unauthorized acquisition of identifiable health information counts, including a disclosure the company itself makes without authorization (for instance, passing user health data to an advertising or analytics partner), not only a classic outside hack. When a breach hits, the obligations are concrete: notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, notify the FTC, and in larger incidents notify prominent media. Breaches reaching 500 or more individuals must be reported to the FTC on the same clock as the individual notice; smaller breaches must be logged and reported to the FTC in an annual submission. The FTC also stood up a healthcare task force in 2026 that is actively scanning digital health, telehealth, and AI tools, which signals more attention ahead, not less.

The Insurance Gap It Creates

This is where founders get caught. A cyber policy bought from a generic template, or one that assumes HIPAA is the only trigger, may not respond cleanly to an FTC notification obligation and the regulatory exposure behind it. The notification work alone (forensics, individual notice, media notice, and FTC reporting) is real first-party cost, and the regulatory inquiry that can follow is a third-party exposure. A health app needs a cyber program written to answer the regime that actually applies to it, which is the same discipline behind cyber coverage for a HIPAA-regulated company and part of the broader stack a digital health platform assembles as it grows. Underwriters are starting to ask which regime an app falls under before they quote, because the answer changes the notification exposure they are pricing, and an app that cannot answer cleanly is harder to place.

What to Do Now

Start by deciding which regime you are in. If you are a covered entity or a business associate, HIPAA applies. If you are a consumer health or wellness app outside HIPAA, assume the FTC rule applies and plan for its notice duties, including the breach log the rule expects you to keep for smaller incidents. Either way, confirm your cyber policy answers the specific notification and regulatory obligations you carry, not a generic breach. Keep this separate from your service exposure: a wrong output a user relied on is a different claim entirely, a professional or technology errors-and-omissions matter, and needs its own line of coverage.

Map your data, your users, and the regime you fall under, then match the coverage to it. A specialty review through Tower Street Insurance can confirm your program answers the FTC rule, not only HIPAA.
