Client Alert: FTC Begins Enforcing HIPAA-Style Breach Notice Rules Against Health Tech Vendors
Date: June 6, 2023
FTC and HBNR Background
The FTC is empowered to regulate the trade practices of consumer-facing industries that don’t have an industry-specific regulator, such as health tech companies that fall outside the scope of the Health Insurance Portability and Accountability Act (“HIPAA”) because they are neither “covered entities” nor “business associates.” When doing so, the FTC’s primary regulatory tools are: (a) Section 5 of the FTC Act, which prohibits companies from misleading consumers or engaging in unfair practices that harm consumers; and (b) the HBNR, which requires certain organizations (including nonprofits) not covered by HIPAA to notify their customers, the FTC and, in some cases, the media, in the event of a breach of unsecured, identifiable health information (“IHI”).
Which Entities are Vendors of Personal Health Records?
An entity is a “vendor of personal health records” under HBNR if it: (a) is not regulated by HIPAA; and (b) “offers or maintains a personal health record” of an individual. A “personal health record” is defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” According to FTC policy statements, the makers of health apps, connected devices, and similar products must comply with the HBNR, as those business are considered “vendors of personal health records.”
FTC Enforcement
On February 1, 2023, the Department of Justice filed a complaint on behalf of the FTC in connection with the alleged failure of GoodRx to comply with breach notification obligations under the HBNR, along with Section 5 of the FTC Act.
GoodRx offers a web- and mobile-based platform where users can search for and compare prescription medication pricing at nearby pharmacies, and obtain prescription discount cards or coupons. According to the FTC, the GoodRx privacy policy promised that GoodRx would share users’ personal information, including IHI, only with limited third parties and for limited purposes; that it would restrict third parties’ use of that information; and that it would never share IHI with advertisers or other third parties. GoodRx also promised that it would only share users’ personal information, such as name, phone number, and email address, for the limited purposes of providing services to users or contacting them directly.
The FTC complaint characterized GoodRx’s privacy policy representations as false and deceptive, and generally in violation of Section 5 of the FTC Act because GoodRx allegedly shared its users’ personal information, including IHI, with advertising platforms and other third parties in violation of its promises, and without providing notice or obtaining affirmative express consent from its users.
Specifically, in designing and operating its website and mobile app, GoodRx incorporated third-party trackers from companies like Facebook, Google, and Criteo, typically in the form of software development kits or automated tracking pixels. Contrary to the core representations GoodRx made to its users in its privacy policy, the trackers sent consumer information back to those businesses for marketing and other purposes. GoodRx shared that personal information without providing any notice to its users or seeking their consent. In addition, GoodRx permitted third parties that received users’ personal data or IHI to use and profit from the information for their own business purposes, without limiting how those third parties could use the data.
According to the FTC complaint, in the case of Facebook, GoodRx’s conduct went beyond sharing IHI through the configuration of the tracking pixels. The FTC alleged that GoodRx also violated its privacy policy promises by actively sharing user IHI with Facebook to target GoodRx customers with GoodRx’s own advertisements on the Facebook and Instagram platforms. Using Facebook’s ad targeting platform, GoodRx matched specific users to their IHI and designed campaigns that targeted users with advertisements based on their health information—all of which was visible to Facebook. For example, in one campaign, GoodRx uploaded the user’s email addresses, phone numbers, and mobile advertising IDs to Facebook to identify their profiles on the Facebook or Instagram platforms, and labeled them by the medication the users had purchased. GoodRx then targeted those users with advertisements concerning the related medications or treatment options on the Facebook or Instagram platforms.
In addition to false and deceptive practices under Section 5 of the FTC Act, the FTC alleged that GoodRx violated HBNR, as it did not notify users, in accordance with the notification provisions of the HBNR, that it had breached the security of GoodRx users’ IHI through GoodRx’s unauthorized disclosures to Facebook, Google, and others. HBNR requires each “vendor of personal health records” to provide notice to affected individuals and the FTC following the discovery of unauthorized acquisition of IHI. In instances where an unauthorized acquisition involves 500 or more residents of a state, HBNR also requires notice to prominent media outlets serving that state.
In the stipulated order entered in the case, GoodRx was hit with a $1.5 million civil penalty. In addition, GoodRx was permanently restrained from disclosing IHI to third parties for advertising purposes. And GoodRx and affiliated businesses were ordered to establish and implement a comprehensive privacy program that includes safeguards to (a) prevent the collection, use, or disclosure of personal information inconsistent with the entities’ representations to customers, and (b) audit and review contracts and terms of service with any third party to ensure sharing of personal information in a manner consistent with the entities’ privacy policies and the applicable law.
In part, the safeguard requirements under the stipulated order appear to be aimed at rectifying the generally deficient data privacy and data security practices by GoodRx, which the FTC contends provide independent grounds for violation of Section 5 of the FTC Act. In its complaint, the FTC took exception with the fact that GoodRx (a) did not have sufficient or formal compliance programs for reviewing and approving data sharing requests or third-party tracking tool integrations to prevent unauthorized disclosures of IHI, and (b) further lacked any policies or procedures for notifying users of security breaches in connection with their IHI, each of which independently constitutes an unfair act or practice in violation of Section 5 of the FTC Act. These causes of action predicated on “unfairness” in the FTC's complaint appear to correspond to its heightened expectations about the proper handling of IHI under the HBNR.
Next Steps
Given the lessons from this recent enforcement action, and the increasing number of states enacting comprehensive consumer privacy legislation, it may be a good time for your organization to undertake the following tasks:
- Determine whether your organization is subject to the HNBR, and if so, update or implement appropriate data breach response policies.
- Determine whether any personal information disclosures to third parties carry a risk of a reportable data breach under the HNBR. Based on the GoodRx enforcement action, it appears that the FTC considers intentional and otherwise authorized disclosures by the vendor of personal health records a breach of IHI security, requiring notice under the HNBR, absent affirmative express consent from the consumer. Your organization should review all data collection and disclosure practices to ensure it is obtaining informed user consent before sharing any IHI, regardless of the purpose, with third parties.
- Review your privacy policies and statements to ensure they are in compliance with applicable privacy laws.
- Review your data collection, use, or disclosure practices to ensure they are consistent with any representations that your organization has made to the public.
- Review your existing and future agreements to ensure that any data use practices or provisions in such agreements are in compliance with the applicable laws and your privacy policies, and where necessary, impose appropriate contractual obligations and restrictions on third parties who may receive personal information or IHI from your organization.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.