GoodRx Shares Consumer Data

GoodRx, the website and app with a seemingly endless TV marketing budget, has been sharing its consumer data with Facebook, Google, and others, according to a recent article by Consumer Reports. During testing, Consumer Reports found that “a company could infer highly intimate details about GoodRx users suffering from serious chronic conditions and make educated guesses about their sexual orientation.”

One company that GoodRx has shared consumer information with is Braze, a marketing firm, which claims that the data they collect is only used to target GoodRx users with information and not shared broadly with other advertising companies. GoodRx states Braze is used to send email or text reminders when a consumer is running low on their medication. Another company, Branch, claims it uses GoodRx data to make sure links work correctly in the mobile app.

According to Consumer Reports, both Facebook and Google have denied that they use prescription information to target consumers with ads, especially based on sensitive information like a person’s personal health information. However, Consumer Reports’ Digital Lab observed sensitive information being passed to these companies and believes the app and website could be redesigned to prevent it from happening.

The big questions are: Is this legal? Doesn’t HIPAA apply?


The short answers are yes, it is legal, and HIPAA does not apply to “direct-to-consumer” websites and apps. According to a February 2016 Office for Civil Rights (OCR) guidance on health apps, HIPAA “only covers health plans, health care clearinghouses, and most health care providers. If you work for one of these entities, and as part of your job you are creating an app that involves the use or disclosure of identifiable health information, the entity (and you, as a member of its workforce) must protect that information in compliance with the HIPAA Rules.”

Because GoodRx is a private company with no doctors or hospitals involved, it does not have to protect the health data a consumer gives it. Many consumers would be surprised to hear about this, although it is good to remember that if a service is free, the real product is the consumer and his or her data, and how a company shares consumer data is usually located in the fine print.

Shortly after the Consumer Reports article came out, GoodRx posted a statement apologizing for the Facebook advertising in particular and vowing to “do better.” They also stated they would appoint a new VP of Data Privacy, make it possible for consumers to opt out of cookies and tracking, and allow consumers to delete their data.