FTC takes first enforcement action under its Health Breach Notification Rule; also takes action against misrepresentation of HIPAA compliance

The FTC has announced its first enforcement action under its Health Breach Notification Rule, which applies to vendors of personal health records and related entities that are not covered by HIPAA. The complaint and proposed order were filed by the U.S. Department of Justice on behalf of the FTC against the “…telehealth and prescription drug discount provider GoodRx Holdings, Inc. for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.” The Commission vote was 4-0, with Commissioner Wilson issuing a concurring statement. The company has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court before it takes effect.

The proposed order marks a milestone in FTC enforcement in the commercial health information sphere. It would prohibit GoodRx from sharing users’ health data with third parties for advertising purposes. It would also permanently restrain the defendant from misrepresenting, or assisting others in misrepresenting, expressly or by implication, the extent “to which the defendant is a HIPAA-covered entity, and the extent that Defendant’s privacy and information practices are in compliance with HIPAA requirements.”

There are many important aspects to this proposed order. One of them is that the FTC has taken action on misrepresentations of HIPAA coverage. This matters because consumers need clarity about when their information is, and is not, protected by HIPAA. On January 19, 2023, WPF’s Executive Director gave public comments at the FTC Commissioners’ meeting regarding consumer confusion about what information was and was not protected under HIPAA on websites and in digital services. In the statement, WPF ED Pam Dixon said:

“Consumers need to know plainly and simply whether a website or digital service or app is regulated under HIPAA, or not. There needs to be a clear and prominent statement in the privacy policy that says: “We are not regulated under HIPAA. If you share your information with us, it will not have HIPAA protections when we hold it.”

The World Privacy Forum urges the Commission to take action to protect consumers by insisting on a prominent, clear, simple statement regarding the status of whether or not a particular digital tool or service is regulated under HIPAA or not.”  (WPF Statement)

In announcing the proposed court order, the FTC said GoodRx:

  • “Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.”

It is very rare for a request such as the one WPF made in January to be followed by an enforcement action that specifically addresses that issue. WPF is extremely pleased that the FTC has taken action on HIPAA misrepresentation, among other issues. Health data is extremely sensitive, and its leakage can have serious and lasting consequences for the people it describes.

The FTC also said that GoodRx:

  • “Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.”

The proposed federal court order additionally would:

  • Prohibit the company from sharing health information for advertising purposes;
  • Prohibit misrepresentations;
  • Prohibit disclosure of health information without notice and affirmative express consent;
  • Require the company to seek deletion of data (including data held by third parties);
  • Require notification of consumers impacted by the breach;
  • Limit retention of data;
  • Require the implementation of a mandated privacy program;
  • Among other actions. (See full text of Stipulated Order.)

The World Privacy Forum will be writing additional analysis regarding the proposed order, and will be submitting comments on the proposal.

Related Documents: