FTC’s First Enforcement of Health Breach Notification Rule Reinforces Commitment to Protect Consumer Data

The Federal Trade Commission (“FTC”) recently enforced its Health Breach Notification Rule (“Rule”) for the very first time. The FTC issued a $1.5 million civil penalty to GoodRx and imposed restrictions on the company’s future handling of health data. This marks the first enforcement of the Rule by the FTC since the Rule was established over 10 years ago, a pattern similar to that of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as both experienced several years’ delay between enactment and enforcement.

While HIPAA governs protected health information that is created or maintained by a “covered entity,” the Rule requires certain businesses not covered by HIPAA to notify their customers and others if there is a breach of unsecured personal health records. As it relates to this Rule, a “personal health record” (“PHR”) means an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by, or primarily for, the individual. This is distinguishable from health records maintained pursuant to HIPAA, as the PHR is not collected by or for a health care provider but instead is managed and controlled by the individual directly. The Rule therefore gives the FTC broader reach to govern entities that may not be bound by the protections afforded by HIPAA.

The Rule establishes parameters that require vendors of PHR and PHR-related entities to notify the FTC, affected individuals, and in certain circumstances the media, in the event of a breach of unsecured PHR. The FTC complaint alleged that GoodRx violated both the FTC Act and the Rule by sharing sensitive personal health information with advertising platforms and other third parties without customer authorization. Specifically, as alleged in the complaint, GoodRx’s privacy policies promised its users that it would share their personal information with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties. However, it failed to abide by these promises and further failed to report these unauthorized disclosures as required by the Rule. As a result, the FTC’s proposed order bars GoodRx from engaging in deceptive practices (i.e., using and disclosing data in ways contrary to its privacy policies) by (i) permanently prohibiting GoodRx from sharing health data for advertising purposes, (ii) requiring express, affirmative user consent before GoodRx shares health information for any other purpose, (iii) requiring GoodRx to direct third parties to purge consumer health data and to inform consumers of the breach and of the FTC’s enforcement action, (iv) limiting GoodRx’s future retention of personal and health information, and (v) requiring the implementation of a comprehensive privacy program to protect consumer data.

In the FTC’s announcement of this enforcement action, the FTC explicitly stated that it was serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation. This enforcement builds upon the FTC’s 2021 policy statement clarifying the Rule’s requirements and outlining the FTC’s intent to begin enforcement, which emphasized that violations of the Rule would face civil penalties of $43,792 per violation per day.

With the FTC’s increased attention to the Rule, entities with access to health data can expect increased scrutiny. It is recommended that these entities review and revise their policies and procedures to ensure compliance and avoid penalties.

How Frier Levitt Can Help

Data privacy and technology regulations are evolving, and enforcement initiatives to protect consumer data are ramping up. Companies and providers with access to health data must ensure their practices are consistent with applicable federal and state laws that may affect how such data is accessed, used, and shared. Contact Frier Levitt for assistance in determining whether the Rule applies to your business, what measures you must take to comply with the FTC Act and with the disclosures made in your privacy policies, and how to respond in the event of a breach of PHR.