Saturday, April 20, 2024

FTC Imposes $1.5 Million Civil Penalty in First-of-Its-Kind Health Breach Notification Rule Enforcement Action

On February 1, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against California-based telehealth and prescription drug discount provider GoodRx Holdings, Inc. (“GoodRx”) for allegedly violating section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). The proposed order (“Proposed Order”), which was filed by the U.S. Department of Justice on behalf of the FTC, marks the first time the FTC has enforced the HBNR and will signal the start of increased scrutiny and enforcement of the HBNR. In addition to imposing a civil penalty of $1.5 million, the Proposed Order prohibits GoodRx from sharing health information for advertising purposes and imposes several requirements on GoodRx, including requirements to (1) obtain user consent for any other sharing of data, (2) seek the deletion of data held by third parties, (3) limit how long it can retain personal and health information, and (4) implement a privacy program.

The Expanding Scope of the HBNR

The HBNR is relatively straightforward in its requirements as a breach notification rule and requires vendors of personal health records (“PHRs”) and PHR related entities to notify consumers, the FTC, and, in some cases, the media, in the event of a breach of security of unsecured PHR identifiable health information. If a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must carry out its notification obligations.

What is less straightforward, however, is the scope of the HBNR. The HBNR defines a PHR as an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. A vendor of PHRs is defined as an entity that offers or maintains a PHR, while a PHR related entity is defined as an entity that (1) offers products or services through the website of a vendor of PHRs; (2) offers products or services through the websites of covered entities as defined under the Health Insurance Portability and Accountability Act (“HIPAA”) that offer PHRs to individuals; or (3) accesses information in, or sends information to, a PHR. The HBNR does not apply to HIPAA-covered entities or entities to the extent that they engage in activities as a business associate. This does not necessarily mean, however, that entities performing functions as a business associate are wholly exempt from the HBNR, since many business associates engage in both HIPAA-covered activities and non-HIPAA-covered activities.

As further detailed in a previous article, the FTC issued a policy statement in September 2021 (“Policy Statement”) that appears to have significantly expanded the rule’s scope to sweep in a number of technology companies and activities, including health apps that leverage application programming interfaces (“APIs”). For example, an app is subject to the HBNR if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. According to the Policy Statement, an app that draws information from multiple sources is also subject to the HBNR, even if the health information comes from only one source – for example, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from the calendar on the consumer’s phone), it is subject to the HBNR. In addition, the Policy Statement clarified that a “breach” is not limited to cybersecurity intrusions or nefarious behavior, but also covers incidents of unauthorized access such as sharing of covered information without an individual’s authorization.

The Complaint

According to the Complaint, GoodRx is a vendor of PHRs and is subject to the HBNR because it maintains “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” The Complaint asserts that GoodRx’s website and mobile apps are electronic records of PHR identifiable health information that are capable of drawing information from multiple sources, and the information is managed, shared, or controlled by or primarily for the user. While PHRs are traditionally considered a rather narrow product focused on patients organizing and managing their health information, the Policy Statement demonstrated that the FTC is taking an expansive interpretation of the HBNR’s definition of “PHR” and, consequently, what constitutes a “vendor of PHRs.” It is little surprise therefore that the FTC considers GoodRx subject to the HBNR, particularly in light of the examples articulated in the Policy Statement.

The Complaint alleges that since 2017, GoodRx “repeatedly” violated its promises to users that it would only share their personal information with limited third parties for limited purposes, would restrict third parties’ use of such information, and would never share personal health information with advertisers or other third parties. Without providing notice to users or obtaining their consent, GoodRx allegedly shared information with third-party advertising companies and platforms, which included potentially sensitive information on prescription medications and personal health conditions, in order to provide targeted advertisements to users. According to the Complaint, these disclosures revealed “extremely intimate and sensitive details about GoodRx users” that could be linked to such conditions as mental health conditions, substance addiction, and sexual and reproductive health.

According to the FTC, these disclosures constitute a “breach” (i.e., disclosures without the individual’s authorization) that require notification under the HBNR. As noted above, this is broader than the typical interpretation of “breach,” but as the Policy Statement explained, the FTC is seemingly interpreting the HBNR’s definition of “breach” to cover nearly any sharing of information without the individual’s authorization. The Enforcement Action suggests that, in practice, the FTC may be more likely to enforce the HBNR where the entity repeatedly fails to abide by the statements in its privacy policies.

The Complaint also alleges the following:

  • GoodRx allowed third parties to use GoodRx’s information for their own internal purposes, such as for research and development or advertisement optimization purposes.
  • GoodRx displayed a seal at the bottom of its telehealth services homepage attesting to HIPAA compliance, which stated “HIPAA Secure. Patient Data Protected.”
  • GoodRx failed to implement sufficient policies or procedures to prevent the improper disclosure of sensitive health information.

The Proposed Order

In addition to imposing a $1.5 million civil penalty on GoodRx, the Proposed Order prohibits GoodRx from engaging in certain practices, requires it to notify individuals as required under the HBNR, and requires it to engage in various activities designed to bolster its compliance program. Specifically, the Proposed Order includes the following prohibitions and requirements:

  • GoodRx is prohibited from disclosing health information to third parties for advertising purposes, and the company must obtain affirmative express consent from users before disclosing their health information to third parties for non-advertising purposes.
  • GoodRx is prohibited from making misrepresentations regarding various aspects related to its information privacy and security practices.
  • GoodRx must provide users notice of the breach and Enforcement Action.
  • GoodRx must instruct third parties that received health information to delete such information.
  • Within 180 days of entry of the Proposed Order, all GoodRx businesses must establish and implement a comprehensive privacy program that protects the privacy, security, availability, confidentiality, and integrity of personal information. The program must include, among other elements, policies and procedures, assessments, and mandatory annual training for all employees.
  • GoodRx businesses that collect, maintain, use, disclose, or provide access to personal information must hire an independent third party to conduct an initial privacy assessment and biennial assessments thereafter.
  • GoodRx must annually certify to the FTC its compliance with the requirements of the Proposed Order and report, within 30 days of discovery, incidents of noncompliance.


Digital health companies and other organizations across the health care industry should take note of the Enforcement Action and evaluate whether the HBNR applies to their business, particularly since the FTC appears to have significantly expanded the rule’s scope through the Policy Statement. Although HIPAA-regulated activities are generally exempt from the HBNR, many organizations engage in both HIPAA-covered and non-HIPAA-covered activities. For example, a digital health company may be a business associate with respect to certain products it offers on behalf of a HIPAA-covered entity while also offering direct-to-consumer products that are not subject to HIPAA.

The Enforcement Action is especially noteworthy as it is the first time the FTC has taken enforcement action under the HBNR, a rule that has been in effect since 2009. As first foreshadowed in the Policy Statement, the Enforcement Action could be a harbinger of increasing reliance on the HBNR as a lever for the FTC to penalize companies that misuse health information and violate their promises to consumers.

For more information or advice regarding the applicability of the Enforcement Action to your organization, please contact the professional(s) listed below or your regular Crowell & Moring contact.


