FTC Announces First Health Breach Notification Rule Enforcement Action
The Federal Trade Commission (FTC) has announced its first enforcement action over noncompliance with the Health Breach Notification Rule. The FTC intends to fine the digital health platform, GoodRx Holdings Inc., $1.5 million for failing to notify consumers that their personal health information was impermissibly disclosed to third parties.
The Health Breach Notification Rule was introduced by the FTC in 2009, and while compliance has been mandatory since that date, the FTC only recently decided to make enforcement of the rule a priority. In September 2021, the FTC issued a policy statement confirming that developers of digital health apps, connected devices and other health products had obligations under the Health Breach Notification Rule, and guidance was issued in January 2022 to help covered entities comply with the rule.
Healthcare providers, health plans, and healthcare clearinghouses (HIPAA-covered entities) and their business associates are required to issue notifications to regulators and the public about breaches of individually identifiable protected health information per the HIPAA Breach Notification Rule; however, when health data is collected by an entity not covered by HIPAA, notifications to consumers only needed to be issued if required by state laws. The Health Breach Notification Rule plugged a gap and required vendors of personal health records and related entities to notify consumers following a breach of unsecured health information.
GoodRx is a telehealth and prescription drug discount provider that offers consumers a free-to-use website and mobile app that collect health data and provide consumers with coupons for discounts on medications and access to other healthcare services. Through accounts on the website and app, consumers can record their healthcare information and medication purchase histories, and can receive alerts about prescriptions, refills, and the pricing of medications. GoodRx explained in its privacy practices that it will never sell or share personal health information with advertisers or third parties.
The penalty now awaits approval from the U.S. District Court, Northern District of California. If approved, GoodRx will be required to pay the penalty, obtain users’ consent before disclosing any of their health information, direct the third parties that received health data to delete that information, and put limits in place on how long personal and health information can be retained. GoodRx is also required to implement a comprehensive privacy program and security safeguards.
GoodRx issued a statement about the proposed fine confirming the FTC investigation “focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began,” and that it does not agree with the findings and admits no wrongdoing. GoodRx said the decision to enter into a settlement was made to avoid the time and expense of protracted litigation.
The proposed settlement is the second recent action taken by the FTC over consumer privacy violations. Last year, the FTC filed a lawsuit against the data broker Kochava for selling geolocation data, which could be used to track movements to abortion clinics and other sensitive locations. These enforcement actions could signal a new era of FTC enforcement to ensure that digital health companies better protect the privacy of consumers’ healthcare data and ensure that consumers are notified if their privacy has been violated.