Most people, and especially health care providers, are familiar with HIPAA and its relation to protecting the privacy and security of a person's health care information. Now that the Federal Trade Commission (FTC) has taken action for the first time under its Health Breach Notification Rule (which is completely separate from HIPAA), health care providers and other companies engaged in digital health initiatives should recommit to (i) having robust data privacy and security policies and procedures; and (ii) complying with such policies and procedures.
In the FTC's press release about its first enforcement action in this area, the FTC points out that GoodRx had insufficient policies, and the ones it had in place were not being followed. Another noteworthy item (among many in the press release), is that concerns about GoodRx's practices were brought to light by a "consumer watchdog", not as a result of an accidental disclosure of a particular patient's data, a system failure, or a malicious attack by a bad actor (e.g., hack, ransomware).
For additional insight on what to do (and not to do) in the context of health care data privacy and security, review the FTC's full press release and work with health care and data privacy attorneys well-versed in these matters.
{GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.
