The Federal Trade Commission (FTC) recently kicked off enforcement of its Health Breach Notification Rule (Breach Rule) by taking aim at GoodRx’s use of tracking technologies (e.g. pixels) and its sharing of consumer health data for advertising purposes. According to Samuel Levine, director of the FTC's Bureau of Consumer Protection, the FTC “is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation." Bottom line: HIPAA applicability may no longer be as significant a factor when it comes to the risk presented by collecting, using, disclosing, and maintaining identifiable health information (IHI).
In taking action against GoodRx Holdings, Inc. (and its partially and fully owned subsidiaries, including HeyDoctor LLC, collectively referred to herein as GoodRx), the FTC is clearly following through on its September 2021 Policy Statement. As we discussed in a previous post, the FTC indicated it would be bringing actions for Breach Rule violations against a surprisingly broad range of entities (e.g. certain health apps). Historically, many entities not subject to HIPAA that deal with health information may have understandably believed they fell outside the rule’s scope and thus were not required to report a “breach of security” under the Breach Rule, which is defined as acquisition of IHI without the authorization of the individual.
The Breach Rule is similar to HIPAA in that it requires notice of a breach to affected individuals, a government agency (the FTC), and prominent media outlets if the breach involves more than 500 individuals. However, unlike HIPAA, determining whether a breach is reportable does not allow for a fact-based risk assessment. Instead, the analysis hinges on whether or not the information was, or reasonably could have been, acquired without authorization. As a result, incidents that may not be reportable breaches under HIPAA (as well as under some state laws) may still be reportable under the Breach Rule. Notably, there are complex business models that can implicate both rules. While HIPAA covered entities and companies acting solely as business associates under HIPAA are subject only to the HIPAA Breach Notification Rule, companies acting as business associates that also offer services involving IHI outside HIPAA’s scope could be subject to the Breach Rule as well. For example, a company would be subject to both rules if it (i) develops a health application marketed to the general public that is capable of drawing information from multiple sources; and (ii) separately provides a white-labeled patient portal application to an insurance company pursuant to a business associate agreement that collects member PHI.
On February 1, 2023, the Department of Justice (DOJ) filed its first proposed order on behalf of the FTC in connection with the failure of GoodRx to comply with the Breach Rule along with Section 5 of the FTC Act. The U.S. District Court for the Northern District of California approved the proposed order, which was entered on February 17, 2023 (Order). The Order imposes significant requirements and prohibitions on GoodRx related to the use and disclosure of consumer data and levies a $1.5 million civil penalty, as further discussed below.
According to the DOJ’s complaint, GoodRx allegedly violated Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” by misrepresenting its privacy practices and its compliance with HIPAA, and by using tracking pixels and other automated trackers in a manner that monetized and shared IHI with third-party advertisers without proper consumer notice or authorization. The FTC alleged that this unauthorized sharing of IHI took place for years without being reported as required by the Breach Rule. Not surprisingly, GoodRx posted a statement on its website (GoodRx Statement) indicating that it does not agree with the allegations in the FTC’s complaint or with its “novel application of the Health Breach Notification Rule.”
GoodRx Settlement Details
GoodRx stipulated to the entry of the Order to resolve all matters in the complaint and avoid costly litigation, and was not required to admit to any of the allegations. In addition to paying the $1.5 million penalty, GoodRx will (among other things):
- be permanently restrained and enjoined from disclosing IHI (which specifically includes information derived or extrapolated from information about an individual’s activities that allows for a determination that the individual has a health condition or is taking a drug) to third parties for advertising purposes;
- be permanently required to provide notice and obtain express written consent from consumers before sharing IHI with third parties for other purposes (subject to certain exceptions including applicability of and compliance with HIPAA);
- be permanently restrained and enjoined from misrepresenting (directly or indirectly) privacy practices, consumer rights, privacy and security safeguards, privacy controls, HIPAA and privacy and security law and certification standard compliance;
- provide breach notification in accordance with the Breach Rule;
- notify the FTC of any violations of the Order;
- instruct third parties that impermissibly received IHI from GoodRx to delete all personally identifiable consumer information previously provided, which must be confirmed before any sharing may resume (regardless of whether information is hashed);
- establish and implement, within 180 days, a comprehensive privacy program that protects the privacy, security, availability, confidentiality, and integrity of health information and meets certain specified requirements;
- obtain initial and biennial privacy assessments by a third party approved by the FTC and provide annual certification of compliance for 20 years; and
- post a notice provided by the FTC on the GoodRx websites and mobile applications within 14 days of the Order, detailing the FTC’s allegations, for a period of 180 days, and email a copy of the notice to all individuals for whom GoodRx has email addresses.
According to the GoodRx Statement, the FTC’s concerns were proactively addressed several years ago, and thus the Order will have no material impact on the business’ current or future operations. Otherwise, per GoodRx, the cost of the above requirements could far exceed the penalty; and in any event, the Order subjects GoodRx to continued government scrutiny for a term of 20 years. By way of comparison, corrective action plan obligations under HIPAA resolution agreements, even in the event of a large-scale breach, typically do not exceed a three-year term.
In addition to the FTC, the DOJ has also signaled that health information privacy is a priority. On February 22, 2023, in a press release regarding the GoodRx settlement, Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, stated, “The Department is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.” Between recent enforcement trends and an increasing number of states enacting comprehensive consumer privacy legislation, the absence of HIPAA applicability is less of a material distinction when it comes to the risks presented by unauthorized use and disclosure of IHI. With this in mind, we recommend that entities collecting IHI from consumers take the following steps:
- determine whether the Breach Rule applies to the organization as described in FTC’s Policy Statement and if necessary update incident response and breach response policies and procedures;
- perform data mapping to understand the data collected from consumers and identify the purposes for which it is used and shared, taking into account what IHI can be inferred from the data collected using tracking technologies and other marketing services;
- identify what information privacy and security laws apply to the IHI collected;
- compare current use and sharing of IHI with public facing statements regarding same and address any inaccuracies;
- contact counsel if it is determined that prior use and disclosure of IHI resulted in a reportable breach under the Breach Rule as interpreted in the FTC’s Policy Statement;
- consider the risks of making public representations regarding HIPAA compliance and other privacy and security measures before making them and update any existing statements that are misleading or inaccurate;
- evaluate information privacy and security policies and procedures and if necessary update to ensure compliance with applicable privacy laws and representations made to the public;
- monitor and audit third party disclosures of IHI for compliance with applicable law; and
- review current and prospective contracts with third parties to ensure that applicable data sharing provisions align with applicable law, information privacy and security policies and procedures, and public representations.