FTC Seeks First-Ever Health Breach Notification Rule Enforcement: Pixel Users Beware
- For the first time ever, the Federal Trade Commission (FTC) is seeking enforcement under the Health Breach Notification Rule, which requires certain businesses not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify their customers and others if there is a breach of unsecured, individually identifiable electronic health information.
- Direct-to-consumer healthcare apps and product companies should carefully review privacy practices and evaluate whether online or public privacy notices accurately reflect current data sharing practices by the company, as well as update privacy notices to reflect the actual practices of the company so the company is not doing anything with data that has not been disclosed to consumers.
For the first time ever, the Federal Trade Commission (FTC) is seeking enforcement under the Health Breach Notification Rule. This regulation requires certain businesses not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify their customers and others if there is a breach of unsecured, individually identifiable electronic health information. The Health Breach Notification Rule, found at 16 C.F.R. Part 318, was adopted in 2009 but never resulted in enforcement action until Feb. 1, 2023. The FTC adopted a policy statement on Sept. 15, 2021, emphasizing that developers of digital health apps, connected devices and other health products have obligations under the Health Breach Notification Rule and signaling that enforcement was coming. (See Holland & Knight's previous alert, "Important FTC Rules for Health Apps Outside of HIPAA," Sept. 27, 2021.)
The GoodRx Case
In a proposed order the U.S. Department of Justice (DOJ) filed on behalf of the FTC, the FTC alleges that GoodRx, a direct-to-consumer telehealth and prescription drug discount provider, failed to notify consumers and others of its unauthorized disclosures of consumers' personal health information to Facebook, Google and other companies. As part of its services, GoodRx lets users keep track of their personal health information, including to save, track and receive alerts about their prescriptions, refills, pricing and medication purchase history. GoodRx made public promises that it would never share personal health information with advertisers or other third parties. In order for the proposed order to become effective, it must be approved by the federal court.
According to the FTC's complaint, GoodRx repeatedly violated these promises by sharing sensitive user information with third-party advertising companies and platforms like Facebook, Google and Criteo as well as other third parties. The complaint states that GoodRx used third-party website and mobile app tracking tools, including pixels and software development kits (SDKs) to gather individual data that could be used for data analytics and other services. The use of pixels was also called into question by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in a memorandum issued on Dec. 1, 2022, applicable to HIPAA-covered entities and business associates. (See article by Holland & Knight attorneys, "Department of Health and Human Services Offers HIPAA Guidance on Online Tracking Technologies," The Journal of Federal Agency Action, March-April 2023.)
In addition to being the first enforcement action under the Health Breach Notification Rule, this settlement is also significant because GoodRx will be permanently prohibited from sharing user health data with applicable third parties for advertising purposes, which is a first-of-its-kind settlement stipulation. As part of the settlement, GoodRx is required 1) to obtain users' affirmative express consent before disclosing user health information with applicable third parties for other purposes, 2) direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches, 3) limit how long it can retain personal and health information according to a data retention schedule that will be publicly posted and 4) adopt a comprehensive privacy program with security safeguards.
FTC Commissioner Christine S. Wilson submitted a Concurring Statement. She would have supported a higher civil penalty, stating: "Existing studies make clear that consumers place significant value on their personal health information. … I believe the company profited significantly from its silence about its scurrilous privacy practices – far in excess of the $1.5 million penalty the Commission levies today."
The information GoodRx shared included its users' prescription medications and personal health conditions, personal contact information and unique advertising and persistent identifiers. GoodRx shared this information without providing notice to its users or seeking their consent. The FTC also alleged that GoodRx exploited the information shared with Facebook to target GoodRx users with advertisements on Facebook and Instagram. Using Facebook's ad-targeting platform, GoodRx matched specific users to their personal health information and designed campaigns that targeted users with advertisements based on their health information – all of which was visible to Facebook. In addition, the FTC found that GoodRx 1) failed to limit third-party use of personal health information, 2) failed to maintain sufficient policies or procedures to protect its users' personal health information and 3) falsely claimed it was HIPAA compliant by displaying a seal on its website. Alleged false statements about HIPAA compliance were also the subject of an FTC enforcement action in 2021. As a result of these alleged deficiencies, the FTC determined that GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC and the media about the company's unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch and Twilio. GoodRx will be required to pay a civil monetary penalty of $1.5 million.
Direct-to-consumer healthcare apps and product companies should carefully review privacy practices and evaluate whether online or public privacy notices accurately reflect current data sharing practices and ensure that they are not doing anything with data that has not been disclosed to consumers.
There are a number of resources that healthcare mobile apps and products can utilize to better understand respective regulatory obligations. The FTC's website has a webpage covering the Health Breach Notification Rule with the text of the Rule, blog posts and other materials. The webpage also includes the form that entities covered by the rule may use to report breaches of health information.
The FTC also developed a web-based tool for developers of health-related mobile apps, which is designed to help them understand which federal laws and regulations might apply to their apps. The FTC developed the tool in conjunction with the HHS OCR and Office of National Coordinator for Health Information Technology (ONC) as well as the U.S. Food and Drug Administration (FDA). The guidance tool asks developers a series of high-level questions about the nature of their app, including about its function, the data it collects and the services it provides to users. Based on the developer's answers to those questions, the guidance will point the app developer toward detailed information about certain federal laws that might apply to the app, which includes the Health Breach Notification Rule.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.