The Federal Trade Commission (FTC) Health Breach Notification Rule (HBNR) requires vendors of public health records (PHR) to notify data subjects, the FTC, and “prominent media outlets” within 60 days of discovering a breach of security involving PHR.
In April of 2024 the FTC clarified that the rule also extends to entities that are not covered by HIPAA. In other words, not being a HIPAA covered entity does not mean that you’re exempt from breach notification requirements.
You can find the text of the rule here.