
Judge Approves FTC’s $1.5 Million Settlement with GoodRx to Resolve FTC Act and Health Breach Notification Rule Violations

The GoodRx settlement with the FTC to resolve allegations that the FTC Act and Health Breach Notification Rule have been violated has been approved by a judge and is now in effect. The GoodRx FTC settlement involves a $1.5 million penalty and requires GoodRx to cease the alleged deceptive trading practices.

On February 1, 2023, the Department of Justice filed a proposed order on behalf of the Federal Trade Commission prohibiting GoodRx from sharing the health information of its users with third parties for advertising purposes, following an FTC investigation that identified potential violations of the FTC Act and the FTC Health Breach Notification Rule. The FTC alleged that GoodRx – doing business as GoodRx Gold, GoodRx Care, and Hey Doctor (GoodRx) – violated the FTC Act by engaging in unfair and deceptive trade practices, sharing the data of millions of users without their knowledge or consent, and violated the FTC Health Breach Notification Rule by failing to notify users about the privacy violation.

The information shared with third parties included personally identifying information, information about sensitive health conditions, and medications. The FTC alleged that the information was shared despite GoodRx providing repeated assurances to its users that the company would ensure sensitive health information was protected and would not be shared with third parties. The FTC also took issue with GoodRx displaying a seal on its website confirming the company was “HIPAA Secure: Patient Data Protected”, which indicated that GoodRx was a covered entity under HIPAA when it was not and that it was compliant with the HIPAA Rules when it wasn’t.

“Consumers have a right to know whether and how their personal health information will be used, and to know when it has been disclosed to third-parties,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The Department is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.”


The data was shared with third parties via third-party tracking pixels on its website and plug-and-play software development kits provided by companies such as Google, Facebook, Criteo, Branch, and Twilio. The data collected via those tools were shared with the providers of those software kits and pixels and were potentially used for advertising purposes. GoodRx did not agree with the findings of the FTC, and told The HIPAA Journal there was no wrongdoing and the decision was taken to settle the allegations to avoid the time and expense of protracted litigation.

The GoodRx settlement was agreed upon by all parties and requires GoodRx to pay a $1.5 million financial penalty and adopt a corrective action plan that will prevent future unauthorized disclosures of sensitive health data and ensure future compliance with the FTC Act and the Health Breach Notification Rule. GoodRx has also agreed not to disclose the sensitive health data of its users without first obtaining consent to do so and will notify all affected individuals about the disclosures. A judge recently approved the proposed order and the GoodRx settlement will now take effect.

“Companies that misuse their customers’ sensitive health information by sharing that information without their customers’ permission or knowledge will be held accountable,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “We will continue to work with our partners at the FTC to protect against the unauthorized disclosure of such sensitive, private information.”

The FTC Cracks Down on Deceptive Trading Practices Related to the Transfer of Sensitive Health Data

The FTC is currently cracking down on violations of the FTC Act by providers of online health services and health apps after a long period of lax enforcement activity. The FTC’s June 2021 announcement of the enforcement action against Flo Health signaled its intention to hold collectors of health information to account when they transfer sensitive health data to third parties without the knowledge of consumers. Flo Health, which provides a period and ovulation tracker, was determined to be transferring the sensitive data of app users to third parties such as advertising and marketing companies, including Google, Facebook, AppsFlyer, and Flurry. In the case of Flo Health, the practice stopped following a Wall Street Journal article uncovering it, with the FTC ordering Flo Health to cease the practice. Flo Health chose to settle the allegations with no admission of wrongdoing to avoid the time and cost of litigation.

In September 2021, three months after the Flo Health settlement was announced, the FTC issued a policy statement confirming it would be holding entities to account for these disclosures and would be actively enforcing the Health Breach Notification Rule – a rule that had been in place for more than a decade but had seen no enforcement activity by the FTC. The Health Breach Notification Rule ensures that entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) – and therefore not required to issue notifications under the HIPAA Breach Notification Rule – face accountability when the health information of consumers is compromised and requires them to issue notifications.

The decision was taken to start enforcing this rule due to the explosion in the usage of health apps and other connected devices that collect health information. In the policy statement, the FTC clarified that mobile apps, other connected devices such as wearables, and other collectors of health data could be considered healthcare providers under the FTC’s Health Breach Notification Rule and must ensure that notifications are issued in the event of any privacy violation where consumers’ health data is compromised or impermissibly disclosed.

The Flo Health enforcement action was followed by an enforcement action against the data broker Kochava. The FTC alleged that Kochava had sold the geolocation data from hundreds of millions of mobile devices – information that could be used to track individuals when they visited sensitive locations such as reproductive health clinics, addiction recovery facilities, places of worship, and domestic violence shelters – and ordered Kochava to halt the practice. Kochava has battled the FTC over the allegations, maintaining that its business practices are legal and do not harm users.

The FTC GoodRx settlement signals a new enforcement drive against online providers of health services. The GoodRx settlement resolved allegations of FTC Act violations similar to those in the enforcement action against Flo Health, and it has been followed by a pending settlement with the online therapy service provider BetterHelp over similar disclosures of health data to marketing companies.

These disclosures have attracted a lot of media attention over the past few months following studies that revealed the extent to which hospitals, health systems, and online service providers have been collecting personally identifiable health data via website and app tracking technologies, which transfer that information to social media networks and analytics firms. The data can then be transferred to other third parties, including data brokers, and can be used for advertising purposes, often without the knowledge of the data subjects.

Last year, the HHS’ Office for Civil Rights issued guidance on how the use of these technologies can violate HIPAA and that disclosures of health data via these technologies warrant notifications under the Breach Notification Rule. No OCR enforcement actions have been announced to date, and it remains to be seen whether OCR will take a similar approach to the FTC over these impermissible disclosures and lack of consumer notifications.

The enforcement actions by the FTC send a clear message to all entities that collect identifiable health data: regardless of the intentions behind the use of these tracking technologies – whether the sensitive health data of consumers is collected and sold or is inadvertently transferred to third parties – the practice is only permitted if consumers are informed exactly how their personal information will be used, and if it is discovered that identifiable health data has been disclosed, consumers must be informed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
