The Federal Trade Commission (“FTC”) is seeking enforcement under the Health Breach Notification Rule for the first time since the rule was adopted in 2009. The Health Breach Notification Rule (16 C.F.R. Part 318) requires vendors of personal health records, PHR-related entities, and third party service providers that are not otherwise subject to the Health Insurance Portability and Accountability Act (“HIPAA”) to notify their customers and individuals whose personal health records are disclosed in the event of a breach or unauthorized disclosure. In its complaint filed against GoodRx on January 1, 2023, the FTC targets the digital health platform, alleging that it repeatedly violated the promises it has made to its customers regarding its protection of their personal health information, including that such information would be shared only with limited third parties and for limited purposes; that GoodRx would restrict such third parties’ use of customer information; and that it would never share personal health information with advertisers or other third parties.
The Complaint, which was filed by the Department of Justice on behalf of the FTC, states that GoodRx repeatedly violated these promises by divulging sensitive user information, such as prescription medications, personal health conditions, and personal contact information, with third-party advertising companies and platforms like Facebook without first providing notice to its users or seeking their consent.
If the FTC’s Proposed Order is accepted by the court, GoodRx will be subject to a $1.5 million penalty for violating the Health Breach Notification Rule. It will also be permanently prohibited from sharing health data for advertisements and subject to a requirement to obtain customers’ express consent before disclosing their health information for reasons other than advertising.
With the proliferation of direct-to-consumer healthcare apps and companies that maintain or collect personal health records, but are not otherwise covered under HIPAA, the FTC has increased its efforts to safeguard the private health information of consumers. While this enforcement action may be the first taken in the Health Breach Notification Rule’s history, it is not likely to be the last. Digital health platforms and other healthcare related apps should carefully review privacy practices moving forward to determine whether they are appropriately safeguarding consumer information.