By: Kewa Jiang
GoodRx and the First Enforcement Under the Health Breach Notification Rule
GoodRx’s alleged violation of the HBNR is significant because this is the first time an enforcement action has been brought under the rule since it was enacted in 2009. The HBNR is meant to regulate entities that handle health information and experience a data breach but fall outside the scope of HIPAA enforcement. The DOJ alleges GoodRx is a vendor of personal health records under the HBNR because the company maintains electronic personal health records containing individuals’ identifiable health information but is not a HIPAA covered entity. When GoodRx disclosed customers’ data to third-party advertising platforms without customers’ knowledge or consent, the DOJ argues, this constituted a breach of “more than 500 customers’ unsecured PHR identifiable health information.”
GoodRx settled with the FTC for a $1.5 million civil penalty without admitting any wrongdoing and must comply with ongoing data privacy requirements. In response, GoodRx maintains that it is committed to protecting customers’ data privacy and that the FTC’s enforcement action focused on old issues the company had already addressed.
BetterHelp and Disclosure of Mental Health Customers’ Data
BetterHelp entered into a consent decree with the FTC on March 2, 2023 and must pay $7.8 million, part of which will be used to refund customers who paid for services between August 1, 2017 and December 21, 2020. In response, BetterHelp states that using “limited, encrypted information” to optimize its advertising is a routine, industry-standard practice. The company admits no wrongdoing and affirms its continued efforts to protect customers’ data privacy.