Consumer Health Information and Increased Scrutiny: FTC Brings First Action Under Health Breach Notification Rule
The Federal Trade Commission ("FTC") has brought its first enforcement action for violations of the Health Breach Notification Rule ("HBNR"), signaling heightened federal agency scrutiny of digital health platforms, advertising relationships, and uses and disclosures of health information.
On February 1, 2023, the FTC brought an enforcement action against GoodRx, a digital health company, for alleged violations of the FTC Act and the HBNR, resulting in a reported $1.5 million civil penalty and injunctive relief. As the FTC's first enforcement action under the HBNR, this illustrates an increased willingness of the FTC to penalize certain disclosures of health information outside of the HIPAA context.
The FTC claimed in its complaint that, although GoodRx is not subject to HIPAA, the company is a "vendor of personal health records" subject to the HBNR. The FTC alleged that GoodRx:
- Improperly shared consumer health information with advertisers without consumer notice and consent and failed to notify consumers, the FTC, and media of such unauthorized disclosures;
- Inappropriately utilized tracking technologies for targeted advertising;
- Failed to limit third-parties' use of consumers' health information; and
- Failed to implement formal policies protecting consumer health information.
The FTC and GoodRx stipulated to a joint proposed order requiring GoodRx to pay $1.5 million to the FTC and implement remedies regarding its data privacy practices, including:
- Complying with HBNR notification requirements;
- Permanently banning the disclosure of health information for most advertising purposes or requiring express consumer consent; and
- Directing its third-party advertisers to delete all health information received.
Federal agencies increasingly are scrutinizing HIPAA and non-HIPAA covered entities for violations relating to health information. This action follows the FTC's recent statement emphasizing that developers of digital health apps, connected devices, and other health products have obligations under the HBNR and signaling upcoming enforcement. It also follows the Office of Civil Rights bulletin emphasizing HIPAA requirements related to tracking technologies.
Regulatory enforcement actions are likely to fuel private class action litigation, similar to recent class actions against hospitals alleging improper use of tracking technologies.
Entities dealing with health information should carefully review and assess: (i) the health information they collect; (ii) third-party tracking technologies and relationships; (iii) compliance with notice, consent, and reporting requirements; and (iv) internal tools to mitigate risk of unauthorized uses or disclosures of health information.