In an effort to deter companies from misusing consumer health data for advertising purposes, the Federal Trade Commission (FTC) recently took aim at GoodRx, a consumer-focused digital healthcare platform. GoodRx provides online and mobile platforms that compare prescription drug prices and sends consumers prescription drug coupons. The FTC’s complaint alleges that GoodRx routinely collects users’ personal information, including their personal health information (PHI), while using deceptive privacy statements and failing to notify users of a security breach that violated Section 5 of the FTC Act and Health Breach Notification Rule. While GoodRx does not agree with the FTC’s allegation and admits no wrongdoings, they agreed to a federal settlement. If a federal court approves the agreement, GoodRx will pay $1.5 million and be barred from sharing users’ PHI for advertising purposes.  

A security breach involving PHI can have significant and long-lasting consequences for individuals. Stumbling into someone’s bathroom and opening up their medicine cabinet might reveal that they have HIV, erectile dysfunction or substance abuse issues, potentially causing an embarrassing moment. But exposing this intimate data online could cause a lifetime of humiliation and might lead to financial harm and discrimination. Most consumers might believe this sensitive health information is protected by the Health Insurance Portability and Accountability Act (HIPAA). They would be correct if the information were collected by a healthcare provider that conducts certain healthcare transactions. However, when that same information is collected by a non-healthcare provider, such as GoodRx, HIPAA protections do not apply.

A comprehensive federal privacy and security law is a solution

In the midst of a digital revolution, the United States operates without a comprehensive federal privacy and security law to protect consumer data. To patch the void and protect U.S. consumers from privacy harms, some states have passed comprehensive privacy laws. The FTC uses an 85-year-old statute, along with its rulemaking authority, to create and enforce privacy rules. However, the patchwork of state privacy laws has made a path for industry compliance unclear and burdensome, leaving many U.S. consumers unprotected from privacy harms. The 117th Congress made significant progress with the American Data Privacy and Protection Act (ADPPA), which was a viable solution to the unequal consumer protection arising from the state patchwork of privacy laws. The ADPPA failed to cross the finish line, but there is optimism that the 118th Congress will pass an ADPPA-like privacy and security law.

The ADPPA would have restricted certain data practices, which might spur covered entities to be attentive when designing their services and processing users’ data. The ADPPA’s Section 102 would have required a covered entity that collects “sensitive covered data” to have received an “affirmative express consent” from the user before transferring that data to a third party. Sensitive data includes “[a]ny information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.” Under an ADPPA-like law, a consumer using GoodRx’s platforms and receiving a coupon for a prescription could reveal that user’s past, present or future health condition. Thus, GoodRx would not be permitted to share that information with a third-party advertising platform without receiving affirmative, express consent from the user.

The ADPPA included a “privacy by design” provision, which is germane to the FTC revelation that GoodRx integrated third-party software developer toolkits (SDK) into their platforms. According to the complaint, the integrated SDKs collect and send data to third parties so that third-party advertising platforms can provide services like advertising and data analytics. SDKs are a downloadable set of tools developers use to build applications for specific operating systems that make application developers’ jobs more efficient. Instead of having to drive to a forest, chop down a tree, mill the lumber and design a bed frame from scratch, developers can instead go to a retail store and buy a bed frame kit with all the tools and materials required to build a bed frame. However, it is imperative that each company knows exactly what each toolkit comprises and how it will affect compliance with applicable state and federal privacy laws. The “privacy by design” provision in the ADPPA’s Section 103 helps mitigate privacy and security risks early in the technology life cycle. The provision would have required GoodRx to implement “reasonable policies, practices, and procedures” for any SDKs integrated into their platforms. Further, the section would have directed the FTC to issue guidance on what would constitute reasonable policies, practices and procedures.

The collection of consumer health data has developed a negative narrative while overlooking its significant contributions to the innovation in the health tech industry that brings vast health improvements to society. A smartwatch can save a life, a telehealth provider can reach rural areas void of healthcare options and GoodRx can provide high-cost prescription medication at a discount. Certainly, bad actors have provided substantial cause for concern with their health data processing and security practices. Thus, it is paramount that consumer health data collection, processes and security are transparent and adequately protected to help rebuild public trust in providing health data to ensure health tech innovation can thrive.

Image credit: ipopba