By Ashley L. Thomas, Shannon
Britton Hartsfield, Anthony E.
DiResta Holland & Knight
The Federal Trade Commission (FTC) recently initiated its first enforcement action under the Health Breach Notification Rule against a company for failing to notify consumers and others of alleged unauthorized disclosures of personal health information to Facebook, Google and other companies. The company will be required to pay a civil monetary penalty of $1.5 million.
Adopted in 2009, the Health Breach Notification Rule requires certain businesses not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify their customers and others if there is a breach of unsecured, individually identifiable electronic health information. The FTC adopted a policy statement on Sept. 15, 2021, emphasizing that developers of digital health apps, connected devices and other health products have obligations under the Health Breach Notification Rule and signaling that enforcement was coming.
The GoodRx Case
In a proposed order the U.S. Department of Justice (DOJ) filed on behalf of the FTC, the FTC alleges that GoodRx, a direct-to-consumer telehealth and prescription drug discount provider, failed to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google and other companies. As part of its services, GoodRx lets users keep track of their personal health information, including to save, track and receive alerts about their prescriptions, refills, pricing and medication purchase history. GoodRx made public promises that it would never share personal health information with advertisers or other third parties.
According to the FTC, GoodRx repeatedly violated these promises by sharing sensitive user information with third-party advertising companies and platforms like Facebook, Google and Criteo among other third parties. The complaint states that GoodRx used third-party website and mobile app tracking tools, including pixels and software development kits (SDKs) to gather individual data that could be used for data analytics and other services. The use of pixel trackers was also called into question by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in a memorandum issued on Dec. 1, 2022, applicable to HIPAA-covered entities and business associates.
As part of the settlement, GoodRx will be permanently prohibited from sharing user health data with applicable third parties for advertising purposes, which is a first-of-its-kind settlement stipulation. As part of the settlement, GoodRx is required 1) to obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes, 2) direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches, 3) limit how long it can retain personal and health information according to a data retention schedule that will be publicly posted and 4) adopt a comprehensive privacy program with security safeguards.
The information GoodRx shared included its users’ prescription medications and personal health conditions, personal contact information and unique advertising and persistent identifiers. GoodRx shared this information without providing notice to its users or seeking their consent. The FTC also alleged that GoodRx exploited the information shared with Facebook to target GoodRx users with advertisements on Facebook and Instagram. Using Facebook’s ad-targeting platform, GoodRx matched specific users to their personal health information and designed campaigns that targeted users with advertisements based on their health information – all of which was visible to Facebook.
In addition, the FTC found that GoodRx 1) failed to limit third-party use of personal health information, 2) failed to maintain sufficient policies or procedures to protect its users’ personal health information and 3) falsely claimed it was HIPAA compliant by displaying a seal on its website. Alleged false statements about HIPAA compliance were also the subject of an FTC enforcement action in 2021. As a result of these alleged deficiencies, the FTC determined that GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch and Twilio.
Direct-to-consumer healthcare apps and product companies should carefully review privacy practices and evaluate whether online or public privacy notices accurately reflect current data sharing practices and ensure that they are not doing anything with data that has not been disclosed to consumers.v
There are a number of resources that healthcare mobile apps and products can utilize to better understand respective regulatory obligations. The FTC’s website has a webpage covering the Health Breach Notification Rule with the text of the Rule, blog posts and other materials. The webpage also includes the form that entities covered by the rule may use to report breaches of health information. The FTC also developed a web-based tool for developers of health-related mobile apps, which is designed to help them understand which federal laws and regulations might apply to their apps.
Ashley L. Thomas is senior counsel and Anthony DiResta is a partner in Holland & Knight’s Washington, D.C., office. Shannon Britton Hartsfield is a partner in the firm’s Tallahassee office.