Want to save money on drugs? You could head to GoodRx.com. Type in the name of a medication, and the company will give you a coupon to use at a pharmacy. But there’s a little problem, one that GoodRx forgot to tell its customers about. Going back to at least 2017, GoodRx sent details about the medications you take to Facebook, Google, and other companies in the tech business, and used that data for targeted ads.
That might sound illegal, but, until yesterday, I would have told you it’s not. In fact, it’s common. Most health apps and websites you can think of sling your data all over the web. But the regulatory bad boys at the Federal Trade Commission want to change that, and they’re relying on a wild and untested legal theory to get their way. On Wednesday, the FTC said GoodRx broke the law and filed a settlement that could fundamentally transform health privacy in the United States.
“This is a huge deal,” said Andrea Downing, a health privacy advocate and co-founder of the Light Collective, a patient support network. “A lot of folks simply assume that all of your health information is covered by HIPAA. It’s not. This is a breakthrough I’ve been hoping for for years.”
Your health information is leaking all over the place, trading hands a thousand times a second in ad targeting systems, and being bought and sold by anyone else who wants it. After the Supreme Court threw out Roe v. Wade, a Gizmodo investigation found 32 different data brokers selling lists of pregnant people and families. The FTC says GoodRx sent ad companies data about medications, creating lists of people with labels like “HIV,” “Cold Sores,” and “UTI.”
Apple MacBook Air Laptop
The M1 chip delivers 3.5x faster performance than the previous generation all while using way less power. Get up to 18 hours of battery life.
The FTC wants you to be able to decide whether you’re cool with that kind of thing. Up to you whether you say yes.
If a judge approves the settlement, it would have a big impact. The legal experts Gizmodo spoke to said they don’t expect the sharing of medical data to stop altogether, but the FTC’s order does set an ambitious goal. If companies are forced to get consent, it could solve some significant privacy problems. Though, of course, that’s a big if. There’s a lot of regulation between here and the privacy promised land.
When you visit a new doctor, you have to fill out a bunch of forms about HIPAA, the Health Information Portability and Accountability Act. A lot of people, including people who should know better, think that law protects all your health data. Nope! You’ll notice that the “P” in HIPAA doesn’t stand for “privacy.” Basically, only doctors, insurance companies, and their business associates have to follow HIPAA’s privacy rules. No one else has to worry about it, even if they’re handling the exact same kinds of medical information.
The FTC isn’t allowed to regulate HIPAA. The Department of Health and Human Services is, but, conversely and perversely, that agency can’t regulate anything that isn’t a “HIPAA Covered Entity.” That leaves companies like GoodRx, WebMD, FitBit, and a million others in legal limbo. Those companies handle information that most people I know think has legal protections but in reality does not. It seems like no one was in charge. With the provisions of the GoodRx settlement, the FTC is laying claim to authority over the companies in that gray area. The FTC is declaring itself the new health privacy sheriff in town, and it’s gettin’ ready to round up all the health data rustlers on the digital prairie.
“The FTC did this as a power grab,” said Clinton Mikel, a partner at the law firm Health Law Partners and former chairman of an American Bar Association group on e-health and privacy.
To make that power grab, the FTC can’t use HIPAA, but it can weaponize something called the Health Breach Notification Rule (HBNR). It’s a rule from 2009 that’s seldom been enforced, but in 2021 the FTC dusted off the HBNR and said if you share health data without consent, the commission is going to call that a data breach. The GoodRx case is proof the agency wasn’t bluffing.
“I think the FTC would have lost this case” if it had to litigate in court, Mikel said. “The FTC is taking it upon itself to step in and assert standards without really having any statutory reason to do so.”
Maybe, maybe not, but because the FTC is levying its fine on GoodRx via settlement instead of a court battle, the action could set a precedent that the FTC can use for more of the same kind of health privacy regulation.
That could be why the fine for GoodRx was so low. The FTC charged the company $1.5 million dollars, a measly 0.2% of GoodRx’s $745 million 2021 revenue. It’s possible the FTC lowered the bill to get GoodRx to sign on to a settlement the government could use as precedent in future battles. An FTC official denied that theory when reached for comment, saying that the settlement wouldn’t have had unanimous approval from its bipartisan commissioners if this was some kind of lefty power grab. GoodRx, for its part, said it agreed to the settlement to avoid a costly legal battle and put the issue to bed (and deny any wrongdoing.)
“While some have said they would have wanted a higher penalty, this cost sets the bar for future actions.,” said Phyllis Marcus, who works on FTC compliance at the law firm Hunton Andrews Kurth. “This enforcement has greater impacts on other companies and could serve as a basis for the FTC to build a record for particular aspects. It is certain to be on the lookout for others in breach of these rules.”