Health privacy has been a Federal Trade Commission (FTC) priority for decades, and indeed, one of its very first privacy cases, in the early 2000s, involved the inadvertent sharing of user health data. Fast-forward a few decades, and health privacy remains a major concern. Case in point: The latest FTC privacy enforcement action focuses on the practices of GoodRx and is the first FTC case to allege a violation of the Health Breach Notification Rule (HBNR or Rule). This enforcement action should serve as a warning shot to companies dealing in health information, reminding them that just because they do not fall under the Health Insurance Portability and Accountability Act (HIPAA) does not mean they are free to use the data they collect without potential regulatory consequences.
FTC’s Health Breach Notification Rule Background and Focus on Health Information
As explained in more detail in this post, the HBNR was introduced as part of the American Recovery and Reinvestment Act of 2009. The rule applies to entities that are not subject to HIPAA but are capable of obtaining health records from multiple sources. The FTC has specifically indicated that the following types of entities that handle health information are subject to the Rule: health apps and wearable devices that track diseases, diagnoses, treatments, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.
In September 2021, the FTC issued a policy statement on the FTC’s HBNR, “reminding” entities that “a ‘breach’ is not limited to cybersecurity intrusions or nefarious behavior. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.”
In the wake of the Dobbs decision, the FTC issued a warning, by way of an open letter from the acting associate director of the Division of Privacy & Identity Protection, that websites sharing health, location and highly sensitive data without adequate disclosures to consumers would “hear from” the FTC.
GoodRx and the Allegations Raised by the FTC
GoodRx is a digital healthcare platform that sells health-related products and services to consumers, including through prescription medication discount products and telehealth services.
In addition to these direct claims about data sharing, the complaint also notes instances where GoodRx or its sister companies stated that they complied with certain standards – like the Digital Advertising Alliance principles, HIPAA and the “same guidelines as any health entity.” Id. pp. 7-9.
Alleged Sharing via Website Tracking Technology
The complaint details many ways in which the FTC believes that the company violated these very promises. At its core, the FTC’s complaint alleges that health information was shared with advertising and social media platforms for advertising purposes. The sharing allegedly occurred in multiple ways, but in short, the FTC focuses on GoodRx’s use of website tracking technology, advertising technology and certain software development kits (SDKs) that it says disclose this information, contrary to GoodRx’s privacy policies. The complaint also alleges that until early 2020, GoodRx did not have “sufficient or formal compliance programs for reviewing and approving all data sharing requests or third-party tracking tool integrations. It also had no policies or procedures for notifying users of breaches of their personal and health information.” It seems fairly likely that these policies and procedures, if implemented, would have helped identify and remediate many of the practices and issues alleged in the complaint.
The FTC alleges that GoodRx engaged in both deceptive and unfair practices in connection with the practices described above. Notably, the FTC complaint alleges that it is an unfair practice to have shared consumer health information with third-party advertising platforms without user knowledge and affirmative express consent. Given the prevalence of the use of advertising trackers, entities covered by the HBNR should give immediate attention to how they are obtaining consent to share with website tracking technology providers.
The remaining alleged violations are more commonplace:
- It was an unfair practice to not have adequate policies and procedures to prevent the alleged unauthorized disclosures.
- It was an unfair practice to fail “to notify users of breaches of that information.”
- It violated the FTC Act by misrepresenting that its telehealth services were HIPAA-compliant, when, in fact, it was neither.
- It misrepresented its compliance with the Digital Advertising Alliance Sensitive Data Principle, which generally prohibits the use of certain health information for online behavioral advertising without consent.
So what does the settlement require? First, there is a $1.5 million civil penalty for the HBNR violation. Much has been written about current limitations on the FTC to obtain monetary relief, but HBNR is one area where the FTC can and will seek civil penalties. (Notably, FTC Commissioner Christine Wilson, in a concurring statement, said that she would have preferred that the civil penalty be higher. She also doesn’t mince words in this must-read statement and calls to task some of her colleagues for accepting this penalty amount while having dissented on other high-profile FTC privacy cases that involved much greater penalties).
But there is a lot more to the settlement than money. It is also the first FTC settlement that bans a party from disclosing health information to third parties for advertising purposes. The order provisions of the ban are carefully crafted to allow certain analytics and contextual advertising, but the agency’s message is quite clear. The order also requires affirmative express consent (which is defined in detail) in many circumstances where data is shared with third parties. And as expected, the order requires the creation of a comprehensive privacy protection program with biennial third-party assessments. And finally, there are robust notice provisions, including direct notice to users and website notice.
We mentioned earlier a separate statement from Wilson, and one other issue from her statement is worth flagging. She states in a footnote that this case reflects a violation of the HBNR “based on a plain reading of the text, setting aside any gloss the Commission sought to add in its September 2021” policy statement.
Action to Consider
There is a lot to digest about this case, but the following are a few key takeaways for companies that provide health-related services, whether or not they are HIPAA-covered entities.
Policies and Procedures Matter – It is important to regularly review your policies and procedures and to make certain that your practices are in sync with how you describe your practices to users. Whether they would have prevented some of the alleged practices in this case is unknown, but the lack of policies certainly did not help the FTC’s view of GoodRx.
The HBNR Should Always Be Considered – Many practitioners forget that the activities that constitute a breach under the HBNR are quite broad and can involve unauthorized sharing with a third-party partner. Pay extra-close attention to any health data that is being shared with third parties.
Sharing Can Be Too Simple – Through pixels, SDKs and many other means, it is easy – and, frankly, the norm – to share user data with third-party advertisers. Depending on configurations, the information shared may go beyond what companies intend or what users would expect. Make sure you understand all tracking technologies used on your website and their configurations, and confirm whether they jibe with your privacy policies.
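To make the configuration point concrete, the following is an added illustration (not code from the original post, from GoodRx, or from any real tracking vendor). It models a hypothetical tracking pixel in two configurations: a default one that forwards the full page URL and every data attribute the page hands it, and an allowlisted one that sends only pre-approved, non-sensitive fields and collapses health-related paths into a generic category. A small audit helper then checks an outgoing payload against a constructed list of terms that a privacy policy might promise never to share. The URL, field names, path prefixes, and term list are all assumptions made for the example.

```javascript
// Added example, not from the original post or any real vendor SDK.
// Models how a tracking pixel's configuration decides what leaves the site.

// Hypothetical default configuration: forward the page URL as-is and
// pass through every attribute the page supplies, unfiltered.
function buildDefaultPayload(pageUrl, pageData) {
  return { url: pageUrl, ...pageData };
}

// Hardened configuration: only allowlisted fields are forwarded, and any
// path under a health-related prefix is reduced to a generic "/health".
const ALLOWED_FIELDS = new Set(["event", "page_type", "session_bucket"]);
// Assumed path prefixes that identify health content on this example site.
const SENSITIVE_PATH_PREFIXES = ["/drug/", "/condition/", "/telehealth/"];

function buildAllowlistedPayload(pageUrl, pageData) {
  const u = new URL(pageUrl);
  const sensitivePath = SENSITIVE_PATH_PREFIXES.some((p) => u.pathname.startsWith(p));
  // Query strings are dropped entirely; origin plus a coarse path is enough for analytics.
  const payload = { url: u.origin + (sensitivePath ? "/health" : u.pathname) };
  for (const [key, value] of Object.entries(pageData)) {
    if (ALLOWED_FIELDS.has(key)) payload[key] = value;
  }
  return payload;
}

// Audit helper: scan each field name and value of an outgoing payload for
// terms the privacy policy says are never shared. Term list is constructed.
const NEVER_SHARE_TERMS = ["prescription", "drug", "condition", "diagnos"];

function findLeaks(payload) {
  const leaks = [];
  for (const [key, value] of Object.entries(payload)) {
    const text = `${key}=${String(value)}`.toLowerCase();
    for (const term of NEVER_SHARE_TERMS) {
      if (text.includes(term)) leaks.push({ field: key, term });
    }
  }
  return leaks;
}

// Constructed sample: a page view on a medication page with a coupon parameter.
const SAMPLE_URL = "https://example.test/drug/examplemed?coupon=abc";
const SAMPLE_DATA = {
  event: "page_view",
  page_type: "product",
  session_bucket: "b7",
  drug_name: "examplemed",          // sensitive: would reveal the medication viewed
  condition: "example-condition",   // sensitive: would reveal a health condition
};

// Default configuration leaks through the URL path and two data fields;
// the allowlisted configuration leaks nothing.
console.log("default  :", findLeaks(buildDefaultPayload(SAMPLE_URL, SAMPLE_DATA)));
console.log("allowlist:", findLeaks(buildAllowlistedPayload(SAMPLE_URL, SAMPLE_DATA)));
```

The audit helper is deliberately simple: in practice the check belongs in a test that runs against every tag or SDK integration before deployment, with the term list derived from the privacy policy's own commitments, so that a configuration change cannot quietly widen what is shared.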
FTC Unfairness Allegations Can Get at Many Types of Activities – Practitioners often focus on state laws and specific federal health laws without doing an adequate assessment of whether the practices at issue could also constitute an FTC unfairness violation. The contours of unfairness are not particularly well defined, but it is worth considering whether there could be an FTC unfairness issue lurking for any data incident.
Note that HIPAA-regulated entities have been on notice since Dec. 1, 2022, that the Office for Civil Rights (OCR) would be taking a strict view of the use of tracking technology and advertising technology. A blog post explaining those technologies and the OCR’s guidance can be found here.