The Federal Trade Commission (FTC) has taken a first-of-its-kind enforcement action against the digital health platform GoodRx. The agency reached an agreement with the telehealth and drug coupon provider over accusations that it shared patient data with third parties like Google and Facebook for advertising purposes. The agreement requires GoodRx to pay a $1.5 million fine and to undertake specific remedies. However, the deal still needs to be approved by a federal court in California. The case has significant legal implications, as the agency's penalty invokes its previously unenforced health breach notification rule (HBNR). The case also highlights a trend towards tighter regulation of selling online patient data for marketing purposes.
GoodRx, which offers virtual doctor visits and prescription drug discounts, agreed to pay the fine without admitting any fault. However, many other health and wellness sites, apps, wearables, and online businesses regularly share data with companies like Meta and Google for targeted advertising. The threat of a monetary penalty could lead to a change in this business model. This case will likely prompt companies to reconsider the trade-off between making a little extra money and the risk of data leaks.
The FTC's complaint alleged that GoodRx misled its customers by informing them it complied with the HIPAA health privacy law, which doesn't apply to the company, and by promising not to share personal health information with advertisers, despite doing so. The commission also criticized the company for not having adequate internal safeguards to protect patient data and for distributing patients' personal information to third parties. If the court approves the settlement, GoodRx will not be allowed to share health data with third parties for advertising purposes.
The GoodRx case follows two other health data-related enforcement actions by the FTC. Earlier this year, Kochava faced a lawsuit after allegedly selling data identifying individuals who had visited abortion clinics. The other was an action against period-tracking app Flo in 2020 for allegedly sharing data with Facebook and Google, violating its privacy rules. The GoodRx case differs because the agency rarely invoked the HBNR in the past. The HBNR makes clear that the FTC is using its authority under the FTC Act and the American Recovery and Reinvestment Act of 2009 to pursue non-HIPAA-covered entities that possess and potentially share sensitive health and personal information.
The FTC's enforcement action against GoodRx could be the first of many if the agency follows through on its commitment to be aggressive in this area. Last year, the FTC released a proposal to regulate data-driven surveillance marketing and received more than 11,000 comments, over 100 of them related to health or healthcare marketing. The FTC is reviewing the comments and intends to enforce this area aggressively. The HBNR, and the FTC's enforcement action against GoodRx, highlight the importance of ensuring that health and personal data are protected and not used for unauthorized purposes. For the marketing industry, companies must be cautious about using health data for advertising purposes and ensure they have adequate internal safeguards to protect the data they hold.