
New Implications of the FTC’s Health Breach Notification Rule

BY OLIVIA ADENDORFF AND RACHAEL A. REZABEK

On February 1, 2023, in a first-of-its-kind enforcement action, the Federal Trade Commission (FTC) filed a complaint in the Northern District of California alleging that GoodRx, a company offering free prescription coupons and prescription price comparison information, violated the agency’s Health Breach Notification Rule (HBNR or Rule) by sharing consumers’ health-related browsing information with third parties without first seeking affirmative express consent. GoodRx did not admit any wrongdoing, and the parties settled the matter through a consent order filed concurrently with the complaint. The FTC’s shares browsing information with advertising platforms and other vendors through tracking and pixel technologies. term “health information” was generally understood to be limited to (i) medical and prescription records, such as those generated by a doctor’s office or pharmacy, or (ii) medical data provided by an individual about his or her own health. GoodRx expands the definition of “health information” to include certain types of data that reveal whether an individual has accessed health-related information online. For example, certain types of browsing information alone may be “health information” in the FTC’s eyes.

The HBNR went into effect in 2009. The plain text of the Rule requires specific types of entities, such as “personal health records vendors,” to notify consumers and the FTC following a “breach of security” involving unsecured health information. Failure to notify can result in significant civil penalties of up to $50,120 per violation. The Rule was historically understood to narrowly apply to instances of theft or misappropriation of consumer medical records. Consistent with that understanding, the FTC never enforced the HBNR prior to the GoodRx action, and few companies reported breaches under the Rule.

Second, the FTC now takes the position that disclosure of such “health information” to third parties without first obtaining affirmative express consent is tantamount to a “breach of security” under the Rule. Many (if not most) companies disclose their sharing of “health information” through their privacy policies, including the companies’ use of pixels and trackers on their webpages or mobile applications. With the GoodRx settlement, the FTC signals that disclosure via privacy policy is insufficient to share “health information” unless the third party is bound by strict confidentiality and use restrictions.

Third, the FTC signals that it may treat any entity that has the right to use a company’s consumer data for its own purposes as a “third party” instead of a service provider. In brief, with exception detailed in the GoodRx vendors as a “third party” unless there are contractual provisions in place limiting vendors’ use of consumer data to only enumerated contractual purposes. If a vendor reserves rights to use a company’s consumer data for its own business purposes (such as for research and development, advertising, or optimizing its own services), as many major advertising platforms do, the FTC will view that vendor as a “third party.”

Considering the GoodRx action, there are certain steps that companies should consider taking before sharing health information with third parties:

• Determine if HBNR Applies—Assess whether the HBNR applies to the business, products, and services of the company.

• Review Pixels and Trackers—After GoodRx, the use of digital advertising and analytics technologies by businesses that collect health-related data will be subject to heightened scrutiny. This enforcement action makes clear that businesses that collect health-related personal data from individuals online or via mobile apps need to understand what cookies, pixels, and other tracking scripts and code they are using, what data these tools collect and transmit, and with whom the data is shared.

• Review Vendor Contracts—Companies should consider reviewing vendor contracts to ensure that all vendors that receive “health information” as broadly defined by the FTC are subject to confidentiality and use restrictions.

The authors note that the GoodRx action is a settlement, and thus reflects the FTC’s view of the law, as opposed to settled precedent. However, the FTC will ; thus, companies should carefully consider the recommendations above to avoid
