ARTICLE
9 February 2023

Consumer Health Information And Increased Scrutiny: FTC Brings First Action Under Health Breach Notification Rule

Jones Day

Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.

The Federal Trade Commission ("FTC") has brought its first enforcement action for violations of the Health Breach Notification Rule ("HBNR"), signaling heightened federal agency scrutiny of digital health platforms, advertising relationships, and uses and disclosures of health information.

On February 1, 2023, the FTC brought an enforcement action against GoodRx, a digital health company, for alleged violations of the FTC Act and the HBNR, resulting in a reported $1.5 million civil penalty and injunctive relief. As the FTC's first enforcement action under the HBNR, this action illustrates an increased willingness of the FTC to penalize certain disclosures of health information outside of the HIPAA context.

The FTC claimed in its complaint that, although GoodRx is not subject to HIPAA, the company is a "vendor of personal health records" subject to the HBNR. The FTC alleged that GoodRx:

  • Improperly shared consumer health information with advertisers without consumer notice and consent and failed to notify consumers, the FTC, and media of such unauthorized disclosures;
  • Inappropriately utilized tracking technologies for targeted advertising;
  • Failed to limit third parties' use of consumers' health information; and
  • Failed to implement formal policies protecting consumer health information.

The FTC and GoodRx stipulated to a joint proposed order requiring GoodRx to pay $1.5 million to the FTC and implement remedies regarding its data privacy practices, including:

  • Complying with HBNR notification requirements;
  • Permanently banning the disclosure of health information for most advertising purposes or requiring express consumer consent; and
  • Directing its third-party advertisers to delete all health information received.

Federal agencies increasingly are scrutinizing HIPAA and non-HIPAA covered entities for violations relating to health information. This action follows the FTC's recent statement emphasizing that developers of digital health apps, connected devices, and other health products have obligations under the HBNR and signaling upcoming enforcement. It also follows the Office of Civil Rights bulletin emphasizing HIPAA requirements related to tracking technologies.

Regulatory enforcement actions are likely to fuel private class action litigation, similar to recent class actions against hospitals alleging improper use of tracking technologies.

Entities dealing with health information should carefully review and assess: (i) the health information they collect; (ii) third-party tracking technologies and relationships; (iii) compliance with notice, consent, and reporting requirements; and (iv) internal tools to mitigate risk of unauthorized uses or disclosures of health information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
