GoodRx Has Been . . . BadRx

By: Karlie Rubin

The Federal Trade Commission (“FTC”) has begun cracking down on online health companies that sell or share their users’ private health information.  The Health Breach Notification Rule (“HBNR”) requires vendors of personal health records and related entities to notify affected consumers, the FTC, and in some cases the media when they discover a breach of that data.  The FTC chose to make an example of GoodRx to signal to other online health vendors that it will aggressively pursue claims over unauthorized releases of consumer data and the risks that accompany them.  Companies like GoodRx will need to handle consumer health data more carefully and will most likely have to adopt stricter policies on when, and by whose authorization, that data may be released.

In February 2023, GoodRx and the FTC agreed to a settlement ordering the online prescription-discount and telemedicine platform to pay a $1.5 million civil penalty.  The FTC alleged that GoodRx failed to notify its users of unauthorized disclosures of personal health information to third parties such as Facebook, Google, and others.  Users were also troubled by how much the company earned from sharing their private health data for advertising purposes.  According to the complaint, GoodRx shared the names of medications users looked up on the platform, the medications users redeemed with GoodRx coupons at pharmacies, and the health conditions users were seeking treatment for.  In 2021, the FTC warned online health apps that it would bring enforcement actions if they disclosed health information to third parties without their users’ permission.  In 2023, the FTC made good on that promise with its civil action against GoodRx.

Having clarified in 2021 that the HBNR reaches health apps and similar services, the FTC was able to bring its first enforcement action under the rule against an online health platform.  The FTC is trying to stop these companies from profiting off their users’ data.  The root problem is the lack of comprehensive U.S. privacy legislation, which leaves highly sensitive medical information open to sharing.  As online health platforms reach an ever larger audience, the government has stressed the need to enforce the HBNR to protect the privacy of consumers’ health information.  In the same vein, the FTC sued the online therapy platform BetterHelp over its collection and use of consumer health data, which the agency alleged were unfair and deceptive practices under Section 5 of the Federal Trade Commission Act.  BetterHelp settled with the FTC for $7.8 million.  Because BetterHelp had promised its users that it would not sell their information, that money is earmarked for partial refunds to affected users.  These two settlements make clear that the FTC will continue to do what it can to protect consumer health data from these online platforms.  With the first wave of these cases settling without any admission of wrongdoing, it remains to be seen whether industry practices will change.  Large as they are, these fines may simply be treated as the cost of doing business.

Like BetterHelp, GoodRx settled without admitting any wrongdoing.  In an email notice sent to its users in March, the company wrote that they “do not agree with the FTC’s allegations and we admit no wrongdoing . . . [e]ntering into the settlement allows us to avoid the time and expense of protracted litigation.”  In addition to the civil penalty, the company agreed to a court order that bars it from sharing users’ health data with third parties for advertising purposes and requires it to create a comprehensive privacy program.  In a blog post on its website, GoodRx listed some key takeaways from the settlement but said that, going forward, it will operate as it has been.  The post also noted that the allegations concern conduct from almost three years ago that the company has already addressed.  As stated above, GoodRx told its users that it disagrees with the FTC’s reading of the HBNR; it maintains that its advertising practices were compliant with the rule and remain common practice among similar companies.  This dispute can be traced in part to the lack of cohesive privacy legislation in the U.S., and the resulting lack of clarity has made compliance a difficult task.

The HBNR is comparable to the breach notification requirements of the Health Insurance Portability and Accountability Act (“HIPAA”): both require notice of a breach to the affected individuals, to a government agency (the FTC under the HBNR, the Department of Health and Human Services under HIPAA), and to media outlets when the breach involves more than 500 consumers.  The two regimes differ mainly in what triggers a reportable breach.  Under the HBNR, the threshold is whether the information was, or reasonably could have been, acquired without the individual’s authorization.  Importantly, the HBNR applies to entities that fall outside HIPAA: online telemedicine platforms like GoodRx are marketed directly to the public, draw information from a plethora of sources, and collect consumers’ private health information, which fits the rule’s definition of a vendor of personal health records.  Because HIPAA does not govern these companies, consumers have been misled into assuming that all of their health information is protected by that law when it is not.  The U.S. needs to resolve this gray area between HIPAA and the HBNR, and the FTC appears to be working hard to change the standard for how online health companies may sell and distribute consumer data.


Student Bio:  Karlie Rubin is a second-year law student at Suffolk University Law School.  She is a staff writer on the Journal of High Technology Law.  Karlie received her bachelor’s degree in Counseling/Psychology from Lesley University.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
