The Federal Trade Commission (FTC) announced this month its first Health Breach Notification Rule enforcement action, against digital health platform GoodRx Holdings Inc. Specifically, GoodRx was reported to have failed to notify consumers that their personal health information (PHI) had been disclosed to third-party advertisers (i.e. an intentional unauthorized disclosure occurred). The Health Breach Notification Rule was established when the Health Information Technology for Economic and Clinical Health (“HITECH”) Act became law.
The FTC must still get its enforcement action approved, but as of now the proposed order requires GoodRx to pay a $1.5 million civil penalty and to comply with the Health Breach Notification Rule. The proposed penalty aside, GoodRx is just one example of how our PHI and other sensitive information can be bought and sold as a commodity. This news should make it clear that your HIPAA program is important. Beyond ensuring that your organization complies while protecting PHI, it is at least as important to ensure that whatever PHI you share is only being used as allowed by a business associate contract.
It's a shame that our information is being treated so callously, and for profit, and we're glad to see the FTC step up. Click on the graphic below to read more if you wish.
Stay (HIPAA) safe,