On February 1, the Federal Trade Commission (FTC) reached a settlement with digital health platform GoodRx for sharing users' personal health information (PHI) with third parties without properly disclosing its data practices or obtaining users' affirmative consent, as well as for failing to maintain adequate policies or procedures to protect users' PHI. This is the FTC's first-ever enforcement action under the Health Breach Notification Rule, which requires vendors of personal health records (PHRs) and certain PHR-related entities to notify consumers, the FTC and sometimes the media about discovery of certain data breaches.
The FTC's Complaint
As of the date of this article, GoodRx and the FTC have proposed to settle the allegations. Under the proposed settlement, GoodRx would enter into a consent order mandating numerous modifications to its data collection and use practices and would pay a penalty of $1.5 million.
Focus on Deceptive Practices
The FTC also alleges that multiple statements GoodRx made to users were deceptive. These include a claim that the company was compliant with Digital Advertising Alliance principles and the display of a Health Insurance Portability and Accountability Act (HIPAA) compliance seal on its website. Because GoodRx is not subject to HIPAA, the FTC alleges that the seal created the misimpression that user data was handled in accordance with HIPAA.
Expanding the Concept of a Data Breach
In the normal course, many individuals and companies think of a "data breach" as requiring the involvement of a bad actor (e.g., ransomware, hacking, phishing or theft) or an unfortunate, unintentional incident (such as a lost laptop). However, in this GoodRx matter, in a novel application of the Health Breach Notification Rule, the FTC found that GoodRx's disclosures of personal information via advertising trackers were in fact "breaches" that GoodRx failed to report. This expanded interpretation of the Health Breach Notification Rule may signal more FTC enforcement focused on the digital health industry, including health and fitness applications and activity and health status trackers.
Lessons for Healthcare Companies
In light of this action, healthcare companies should:
- fully understand the company's data flows and how different departments within the organization (e.g., marketing) collect, use and disclose personal data;
- examine and confirm the accuracy of marketing statements and representations made to customers; and
- reconsider referencing HIPAA compliance if the organization is not subject to HIPAA.