The Federal Trade Commission’s enforcement action against digital health company GoodRx this month is likely to be the first of many against companies trafficking in users’ sensitive medical data, according to compliance experts.
The FTC’s complaint against GoodRx, which accuses the company of sharing consumers’ health data with advertisers, is the first of its kind to lean on an enforcement mechanism called the Health Breach Notification Rule, or the HBNR, that allows regulators to levy fines against bad actors.
But it’s unlikely to be the last as regulators look to dissuade other companies from similar practices.
“I think this is the first and not the last” use of the HBNR, said Phyllis Marcus, a partner at Hunton Andrews Kurth who worked at the FTC for almost two decades. “I have no doubt.”
Regulators say they’re putting the digital health market on watch with the crackdown on companies profiting from users’ sensitive health information, especially health apps not covered by existing consumer protections.
Such apps, which track everything from diabetes to fertility to heart health to sleep, are increasingly collecting sensitive and personal data from consumers, but don’t fall under the purview of the HIPAA privacy law.
Although the extent of the threat from HBNR to digital health companies remains unclear, the order suggests that the FTC is willing to use every tool in its toolkit to tamp down on data sharing as medical care turns increasingly online, according to experts.
“I think this is the opening salvo and going to be a common case as health apps start to become more pervasive,” said Shawn Collins, a privacy and data security attorney at business law firm Stradling. “This is the FTC trying to signal all these apps and other startup companies that are collecting a lot of sensitive data that we have a mechanism for enforcing data privacy rules against you.”