Health privacy has been a Federal Trade Commission (FTC) priority for decades, and indeed, one of its very first privacy cases, in the early 2000s, involved the inadvertent sharing of user health data. Fast-forward a few decades, and health privacy remains a major concern. Case in point: The latest FTC privacy enforcement action focuses on the practices of GoodRx and is the first FTC case to allege a violation of the Health Breach Notification Rule (HBNR or Rule). This enforcement action should serve as a warning shot to companies dealing in health information, reminding them that just because they do not fall under the Health Insurance Portability and Accountability Act (HIPAA) does not mean they are free to use the data they collect without potential regulatory consequences.
FTC’s Health Breach Notification Rule Background and Focus on Health Information
As explained in more detail in this post, the HBNR was introduced as part of the American Recovery and Reinvestment Act of 2009. The Rule applies to