GoodRx Gets First FTC Action for Health Breach Notification Rule Violations

In a first-of-its-kind action for violations of the Health Breach Notification Rule, telehealth and prescription drug discount provider GoodRx Holdings must pay a $1.5 million civil penalty for “failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information,” the Federal Trade Commission announced.

Under a mandate by the American Recovery and Reinvestment Act of 2009, the FTC issued the Health Breach Notification Rule (HBNR), which “requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization,” according to the FTC.

As a digital health platform that offers prescription drug discounts, telehealth visits, and other health services, California-based GoodRx collects personal health information (PHI) about its users and, thus, falls under the HBNR. It collects its information from both users and pharmacy benefit managers, who use the data to confirm consumer purchases. Since January 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps, the FTC said.

Specific Compliance Violations

According to the FTC complaint, GoodRx violated the HBNR by failing to notify consumers, the FTC, and the media of its unauthorized disclosure of personally identifiable health information.

Specifically, GoodRx engaged in multiple compliance violations, including the following:

  • Lied to consumers about sharing their PHI: Since at least 2017, GoodRx promised its users to never share their PHI with advertisers or other third parties, and yet “repeatedly violated this promise” by sharing sensitive PHI with third-party advertising platforms like Facebook, Google, and Criteo, and other third parties, like Branch and Twilio, according to the FTC.
  • Used PHI for targeted advertising: GoodRx monetized its users’ PHI and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram.
  • Failed to limit third-party use of PHI: GoodRx allowed third parties with which it shared data to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.
  • Misrepresented its HIPAA compliance: “GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act (HIPAA),” the FTC said. HIPAA establishes stringent privacy and information-security protections for health data.
  • Failed to implement policies to protect PHI: GoodRx failed to maintain sufficient policies or procedures to protect its users’ PHI. “GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place,” the FTC said. But this was not revealed until February 2020, when Consumer Reports publicly exposed GoodRx’s practices.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

DoJ Proposed Order

The Commission voted 4-0 to refer the complaint and stipulated final order to the Department of Justice for filing. In the first-of-its-kind proposed stipulated order, filed by the DoJ in the U.S. District Court for the Northern District of California, GoodRx must, among other measures, stop disclosing user health data to applicable third parties for advertising purposes.

Other provisions of the proposed order require that GoodRx:

  • Require user consent for any other sharing: The company must obtain users’ affirmative express consent before disclosing user health information to applicable third parties for other purposes. The order requires the company to “clearly and conspicuously detail the categories of health information that it will disclose to third parties.” It also prohibits GoodRx from using manipulative designs and trickery, known as “dark patterns,” to obtain users’ consent.
  • Require company to seek deletion of data: The company must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
  • Limit retention of data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule and detail the information it collects and why such data collection is necessary.
  • Implement mandated privacy program: It must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

The proposed order must first be approved by the federal court.

GoodRx Challenges FTC

GoodRx strongly challenged the FTC settlement. “The settlement with the FTC focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began,” the company said in a prepared statement. “We do not agree with the FTC’s allegations, and we admit no wrongdoing.”

GoodRx added that it proactively began updating its user privacy controls in 2020, before the FTC inquiry. “At that time, we also added a number of new, industry-leading ways for consumers to protect their privacy, including an option to request the deletion of personal data,” the company stated.

The company said it also disagrees with the FTC’s allegations regarding violations of the HBNR, calling it a “novel application” of the rule. “We used Facebook tracking pixels to advertise in a way that we feel was compliant with regulations and that remains common practice for many websites,” the company stated. “We do not agree with the assertion that this was a violation of the HBNR.”

GoodRx further argued that no medical records were shared. Regarding the alleged HIPAA violations, “this refers to an old seal displayed on a telehealth website that we acquired in 2019,” GoodRx stated. “We removed the seal a few months after the acquisition as we worked on integrating this newly acquired business.

“Entering into the settlement allows us to avoid the time and expense of protracted litigation,” the company stated, adding that it is “glad to put this matter behind us.”


Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.