On February 1, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against California-based telehealth and prescription drug discount provider GoodRx Holdings, Inc. (“GoodRx”) for allegedly violating section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). The proposed order (“Proposed Order”), which was brought by the U.S. Department of Justice on behalf of the FTC, marks the first time the FTC has enforced the HBNR and could signal the beginning of increased scrutiny and enforcement of the HBNR. In addition to imposing a civil penalty of $1.5 million, the Proposed Order prohibits GoodRx from sharing health information for advertising purposes and imposes several requirements on GoodRx, including requirements to (1) obtain user consent for any other sharing of information, (2) seek the deletion of information held by third parties, (3) limit how long it can retain personal and health information, and (4) implement a privacy program.
The Expanding Scope of the HBNR
The HBNR is relatively simple in its requirements as a breach notification rule and requires vendors of personal health records (“PHRs”) and PHR related entities to notify consumers, the FTC, and, in some cases, the media, in the event of a breach of security of unsecured PHR identifiable health information. If a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must carry out its notification obligations.
What is less simple, however, is the scope of the HBNR. The HBNR defines a PHR as an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. A vendor of PHRs is defined as an entity that offers or maintains a PHR, while a PHR related entity is defined as an entity that (1) offers products or services through the website of a vendor of PHRs; (2) offers products or services through the websites of covered entities as defined under the Health Insurance Portability and Accountability Act (“HIPAA”) that offer PHRs to individuals; or (3) accesses information in, or sends information to, a PHR. The HBNR does not apply to HIPAA-covered entities or entities to the extent that they engage in activities as a business associate. This does not necessarily mean, however, that entities performing functions as a business associate are wholly exempt from the HBNR since many business associates engage in both HIPAA-covered activities and non-HIPAA-covered activities.
As further detailed in a previous article, the FTC issued a policy statement in September 2021 (“Policy Statement”) that appears to have significantly expanded the rule’s scope to sweep in a large number of technology companies and activities, including health apps that leverage application programming interfaces (“APIs”). For example, an app is subject to the HBNR if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. According to the Policy Statement, an app that draws information from multiple sources is also subject to the HBNR, even if the health information comes from only one source – for example, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from the calendar on the consumer’s phone), it is subject to the HBNR. In addition, the Policy Statement clarified that a “breach” is not limited to cybersecurity intrusions or nefarious behavior, but also covers incidents of unauthorized access such as sharing of covered information without an individual’s authorization.
According to the Complaint, GoodRx is a vendor of PHRs and is subject to the HBNR as it maintains “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” The Complaint asserts that GoodRx’s website and mobile apps are electronic records of PHR identifiable health information that are capable of drawing information from multiple sources, and the information is managed, shared, or controlled by or primarily for the user. While PHRs are traditionally considered a rather narrow product focused on patients organizing and managing their health information, the Policy Statement demonstrated that the FTC is taking an expansive interpretation of the HBNR’s definition of “PHR” and, consequently, what constitutes a “vendor of PHRs.” It is little surprise therefore that the FTC considers GoodRx subject to the HBNR, particularly in light of the examples articulated in the Policy Statement.
The Complaint alleges that since 2017, GoodRx “repeatedly” violated its promises to users that it would only share their personal information with limited third parties for limited purposes, would restrict third parties’ use of such information, and would never share personal health information with advertisers or other third parties. Without providing notice to users or obtaining their consent, GoodRx allegedly shared information with third-party advertising companies and platforms, which included potentially sensitive information on prescription medications and personal health conditions, in an effort to provide targeted advertisements to users. According to the Complaint, these disclosures revealed “extremely intimate and sensitive details about GoodRx users” that could be linked to such conditions as mental health conditions, substance addiction, and sexual and reproductive health.
According to the FTC, these disclosures constitute a “breach” (i.e., disclosures without the individual’s authorization) that require notification under the HBNR. As noted above, this is broader than the typical interpretation of “breach,” but as the Policy Statement explained, the FTC is seemingly interpreting the HBNR’s definition of “breach” to cover virtually any sharing of information without the individual’s authorization. The Enforcement Action suggests that, in practice, the FTC may be more likely to enforce the HBNR where the entity repeatedly fails to abide by the statements in its privacy policies.
The Complaint also alleges the following:
- GoodRx allowed third parties to use GoodRx’s information for their own internal purposes, such as for research and development or advertisement optimization purposes.
- GoodRx displayed a seal at the bottom of its telehealth services homepage attesting HIPAA compliance, which stated “HIPAA Secure. Patient Data Protected.”
- GoodRx failed to implement adequate policies or procedures to prevent the improper disclosure of sensitive health information.
The Proposed Order
In addition to imposing a $1.5 million civil penalty on GoodRx, the Proposed Order prohibits GoodRx from engaging in certain practices, requires it to notify individuals as required under the HBNR, and requires it to engage in various activities designed to bolster its compliance program. Specifically, the Proposed Order includes the following prohibitions and requirements:
- GoodRx is prohibited from disclosing health information to third parties for advertising purposes, and the company must obtain affirmative express consent from users before disclosing their health information to third parties for non-advertising purposes.
- GoodRx is prohibited from making misrepresentations regarding various aspects related to its information privacy and security practices.
- GoodRx must provide users notice of the breach and Enforcement Action.
- GoodRx must instruct third parties that received health information to delete such information.
- Within 180 days of entry of the Proposed Order, all GoodRx businesses must establish and implement a comprehensive privacy program that protects the privacy, security, availability, confidentiality, and integrity of personal information. The program must include, among other elements, policies and procedures, assessments, and mandatory annual training for all employees.
- GoodRx businesses that collect, maintain, use, disclose, or provide access to personal information must hire an independent third party to conduct an initial privacy assessment and biennial assessments thereafter.
- GoodRx must annually certify to the FTC its compliance with the requirements of the Proposed Order and report, within 30 days of discovery, incidents of noncompliance.
Digital health companies and other organizations across the health care industry should take note of the Enforcement Action and evaluate whether the HBNR applies to their business, particularly since the FTC appears to have significantly expanded the rule’s scope through the Policy Statement. Although HIPAA-regulated activities are generally exempt from the HBNR, many organizations engage in both HIPAA-covered and non-HIPAA-covered activities. For example, a digital health company may be a business associate with respect to certain products it offers on behalf of a HIPAA-covered entity while also offering direct-to-consumer products that are not subject to HIPAA.
The Enforcement Action is especially noteworthy as it is the first time the FTC has taken enforcement action under the HBNR, a rule that has been in effect since 2009. As first foreshadowed in the Policy Statement, the Enforcement Action could be a harbinger of increasing reliance on the HBNR as a lever for the FTC to penalize companies that misuse health information and violate their promises to consumers.
For more information or advice regarding the applicability of the Enforcement Action to your organization, please contact the professional(s) listed below or your regular Crowell & Moring contact.