FTC Brings First Enforcement Action of the Health Breach Notification Rule

08 Feb 2023
Client Alert

Republished in the May 2023 edition of the Computer & Internet Lawyer.


The Federal Trade Commission (FTC) has enforced its Health Breach Notification Rule (the “HBNR”) for the first time since it was enacted in 2009. On February 1, the FTC announced a first-of-its-kind proposed order (the “Order”) with digital health platform GoodRx Holdings Inc. (“GoodRx”), a telehealth and drug discount provider. The FTC alleged that GoodRx shared users’ information with third-party advertising companies and advertising platforms contrary to its privacy promises, notably scrutinizing GoodRx’s ad targeting and use of third-party tracking technologies. Under the Order, GoodRx has agreed to pay a $1.5 million civil penalty and will be prohibited from sharing users’ sensitive health data with third-party advertisers. This action is a reminder to all digital health companies subject to the HBNR to evaluate their online targeting and advertising practices, as well as the promises they make to users around these practices.

Health Breach Notification Rule

As a refresher, the HBNR, which was issued under the American Recovery and Reinvestment Act of 2009 and became effective on September 24, 2009, applies to (i) vendors of personal health records (PHRs),[1] (ii) PHR-related entities that interact with vendors of PHRs or HIPAA-covered entities by offering products or services through their sites or that access information in or send information to a PHR, and (iii) third-party service providers for vendors of PHRs or PHR-related entities that process unsecured PHR identifiable health information[2] as part of providing their services. The HBNR does not apply to HIPAA-covered entities or any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity. Under the HBNR, vendors of PHRs and PHR-related entities are required to report a “breach of security” involving PHRs to the FTC, consumers, and (in some cases) the media. Service providers to such entities that process information contained in PHRs (e.g., for billing or data storage purposes) also have notice obligations to report such breaches to their business customers. The HBNR defines a “breach of security” as the acquisition of unsecured PHR identifiable health information that is in a PHR, without the authorization of the individual. Notice is required no later than 60 days after discovering the breach, unless more than 500 people are impacted (in which case, the FTC must be notified within 10 business days). If covered entities fail to comply, violations of the HBNR are subject to civil penalties of $50,120[3] per violation per day.

Despite the 14-year period of dormancy since the HBNR was enacted, this enforcement action does not come as a surprise. To the contrary, the FTC has signaled in recent years that enforcement was imminent. In September 2021, the FTC released a Policy Statement clarifying that developers of health apps or connected devices are covered by the HBNR so long as they “are capable of drawing information from multiple sources, such as a combination of consumer inputs and application programming interfaces (‘APIs’).” The FTC also noted that a “breach of security” under the HBNR would not be limited to nefarious or malicious intrusions. Rather, even accessing or sharing information without an individual’s authorization would qualify as a “breach of security” under the HBNR. The FTC explicitly stated that the Policy Statement was intended to place entities on notice of their ongoing obligation to “come clean” about breaches.

GoodRx Enforcement Action

According to the FTC’s Complaint, GoodRx violated Section 5 of the FTC Act[4] by sharing users’ sensitive information with advertisers and social media platforms contrary to its privacy promises. Specifically, the FTC alleged that GoodRx:

  • shared sensitive health information for targeted advertising purposes despite promising in its privacy policy and other public statements that GoodRx never disclosed personal health information to third-party advertising companies and platforms, and allowed these advertising companies to use data GoodRx shared for their own internal purposes;
  • monetized users’ personal health information to target users with personalized health advertisements on social media platforms;
  • falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising;
  • misrepresented its HIPAA compliance; and
  • failed to implement policies to protect personal health information.

While the Complaint alleges a number of claims based on GoodRx’s privacy misrepresentations, which violate Section 5’s prohibition against deceptive acts, most notably the FTC also alleges that GoodRx engaged in unfair acts or practices in violation of Section 5 by failing to provide notice and obtain consent before using and disclosing health information for advertising, and by failing to implement sufficient policies or procedures to prevent an unauthorized disclosure of personal health information or to notify consumers of breaches of that information.

In addition to these violations, the FTC alleged that GoodRx, as a vendor of personal health records,[5] violated the HBNR by failing to report these unauthorized disclosures to the FTC, consumers, and the media.

Under the Order, in addition to the $1.5 million penalty, GoodRx is:

  • Prohibited from disclosing user health information to applicable third parties for advertising purposes;
  • Required to obtain affirmative express consent before disclosing user health information to applicable third parties for other purposes;
  • Required to direct third parties to delete the consumer health data that was shared with them; and
  • Required to implement a privacy program with strong safeguards to protect consumer data that will be subject to a biennial assessment from a third-party assessor.

Key Takeaways

This enforcement action is a cautionary reminder of the increased scrutiny that targeted advertising and the use of third-party tracking tools have recently come under, particularly in the digital health space. In light of the GoodRx action, digital health companies should:

  • Evaluate applicability of the HBNR. As noted, the FTC’s Policy Statement makes clear that the HBNR is intended to apply broadly, clarifying that makers of health and wellness apps that hold health information generated from consumers and connected devices must comply with the HBNR. Digital health companies should review the HBNR and the Policy Statement to determine if they are subject to it.
  • Review use of targeted advertising technologies. Companies should understand how and what data is collected and shared with third-party advertising companies and how these companies use the data. Companies should ensure these practices are aligned with representations made in their privacy policies and other public statements. They should also evaluate whether their notice and consent processes are aligned with the FTC’s expectations for these activities.
  • Review privacy practices against privacy policies and other public statements. Companies should also periodically evaluate their privacy practices against privacy representations to ensure that these statements are accurate and that companies are being transparent about how they use and disclose information.

[1] A PHR is an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. See 16 C.F.R. § 318.2(d).

[2] “PHR identifiable health information” includes “individually identifiable health information,” as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information: (1) that is provided by or on behalf of the individual; and (2) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. See 16 C.F.R. § 318.2(e).

[3] Based on the FTC’s inflation-adjusted civil penalty amounts for 2023.

[4] Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce.

[5] The Complaint identifies GoodRx as a “vendor of personal health records” and subject to the HBNR because it lets users keep track of their personal health information, drawing information from users, pharmacies, healthcare professionals, and users’ geographic location information from a third-party vendor that approximates geolocation based on IP address.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.