GoodRx Enforcement Action Signals FTC’s Invigorated Commitment to Health Privacy

When your alarm went off this morning, the first thing you did was check your phone to see how many hours you had slept on your sleep tracking app. The next step in your morning routine was to throw on your smart watch and start your day (hopefully you’ll hit 10,000 steps). At work you logged into your employer-sponsored wellness program and input your workouts for the week. Then, because it was such a stressful day at work, you took fifteen minutes during lunch to use your mental health app and follow a guided meditation. Finally, it was time to head home. After looking up the most affordable pricing option online for your prescription, you make a quick stop at the pharmacy and use a coupon you printed out at work. Without realizing it, you spent the day generating health data. It may also surprise you that most, if not all, of that health data is not protected by Health Insurance Portability and Accountability Act (HIPAA), but instead falls into one of the current regulatory gaps for personal health data.

FTC Enforcement Action Under the Health Breath Notification Rule

Last week the Federal Trade Commission (FTC) announced a major health privacy enforcement action against GoodRx, a digital health platform, for sharing personal data with third parties without notifying its users. Many aspects of the complaint and proposed order signify the FTC’s increasingly stronger approach to health privacy enforcement, and it couldn’t be timelier. Digital health privacy has become a pressing issue as many consumers use mobile health apps, telehealth platforms, fitness trackers, and other websites that collect health data daily. The mismanagement or breach of sensitive health data can cause harms ranging from stigma and humiliation to financial and reputational injuries.

Many of these apps, platforms and companies fall outside HIPAA’s narrow scope. HIPAA’s privacy requirements only apply to covered entities like healthcare providers, health plans, and clearinghouses, as well as business associates that assist a covered entity in transmitting Protected Health Information (PHI). PHI is also narrowly defined to only include information generated by a covered entity. If, for example, a patient or consumer “discloses PHI to a third-party, non-covered entity, the information is no longer protected by HIPAA.” As a result, there is a tremendous amount of health data that HIPAA does not regulate. 

Instead, the collection and use of non-HIPAA-covered health data is primarily regulated (when it is regulated at all) through the FTC’s consumer protection authorities. Section 5 of the FTC Act empowers the FTC to prevent and protect consumers from unfair and deceptive trade practices. In the health data sector, the FTC has brought enforcement actions under Section 5 for deceptive practices. In these cases, the unlawful deception often relies on a “broken promises theory”—i.e., a violation of a privacy policy that was communicated to the consumer. However, these actions have been limited to situations where there were expressly communicated privacy policies. As it relates to data privacy generally, the FTC has brought enforcement actions under their Section 5 unfairness authority where companies failed to implement reasonable data security measures.

The FTC has more focused authority over health data under its Health Breach Notification Rule (HBNR). The HBNR was issued to implement the health data provisions of the American Recovery and Reinvestment Act of 2009, and particularly to address businesses that fall outside of HIPAA’s purview. A violation of the HBNR also constitutes a Section 5 violation. Critically, the HBNR regulates breaches of a broad range of heath data, known in the Rule as a Personal Health Record (PHR). The Rule defines PHR as “an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” While some data might not seem identifiable or health-related initially, data “drawn from many sources” can cumulatively become a PHR. For example, a PHR may also include certain anonymized data if it could be identifiable when mixed with “multiple sources.” Additionally, location data could become sensitive health data, like GPS data indicating that someone has visited a methadone or abortion clinic. Location data can reveal healthcare activity, behavior, environment or may indicate social networks of public health. 

Although the HBNR was issued in 2009, the FTC had not brought any enforcement actions under the HBNR until it took aim at GoodRx last week. GoodRx is a digital health platform that offers prescription discounts and telehealth services. According to the FTC complaint, GoodRx violated Section 5 of the FTC Act and the HBNR by failing to prevent and notify consumers of unauthorized disclosures of personal health information to third parties. The complaint included multiple claims detailing both unfair and deceptive acts and practices that violated Section 5. 

The complaint illustrated how GoodRx further exploited the personal information it shared with Meta, using Meta’s ad targeting program to target advertisements to GoodRx users based on their health information. In addition to targeting their users based on specific medication purchase data, GoodRx ran ad campaigns through Meta Pixel targeting users based on their specific health conditions, including: acne, birth control, hair loss, HIV, smoking, and diabetes. The proposed court order includes a $1.5 million penalty and permanently prohibits GoodRx from disclosing user health information to third parties for advertising purposes. Otherwise, GoodRx must obtain affirmative express consent before any future disclosure of health information to third parties. 

Health Data Regulation Going Forward 

The amount of sensitive health data collected by non-HIPAA-covered entities continues to grow. In just the mobile health sector, more than 318,000 health apps are available across major app stores and are projected to generate more than $111 billion by 2025. Health data is continuing to proliferate, and the GoodRx enforcement action is a step in the right direction for the FTC in its role as a health privacy regulator. Even without Congressional action on comprehensive data protection legislation, the HBNR is a powerful enforcement authority already in the FTC’s toolkit. By finally using its HNBR authority, the FTC is sending an important message that the Commission is serious about health privacy enforcement to a whole industry of non-HIPAA-covered entities that collect or store health data.