Not-So-GoodRx Reprimanded $1.5 million for Sharing Consumers’ Information

The article GoodRx Shares Consumer Data appeared in the April 2020 Newsline, which pertained to GoodRx sharing their consumers’ data with various platforms, including Facebook and Google. Key information from the article include:

Both Facebook and Google denied utilizing information, specifically personal health information, obtained from GoodRx to target ads to mutual consumers.
Despite Facebook and Google’s claims, GoodRx did issue an apology for their role they played in sharing consumer information to the platforms and vowed to “do better”
Since GoodRx is “a private company with no doctors or hospitals involved, it does not have to protect the health data a consumer gives it”

One could speculate that GoodRx was hoping this would be the end of the ordeal. However, it was not.

For the first time, the Federal Trade Commission (FTC) has enforced the Health Breach Notification Rule, due to “GoodRx Holdings Inc…failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.” Pending federal court approval, the Proposed Order will include numerous provisions that GoodRx will need to follow, including:

Prohibited from sharing user health data with applicable third parties for advertising purposes
Require user consent for sharing health information outside of advertising purposes
Implement a privacy program which includes safeguards from unauthorized access to user data
Mandatory outreach to third parties requesting consumer health data be deleted and disclose information about the breach of their health information and FTC’s legal action to consumers
Limit the amount of time consumers’ health information will be retained
Make available to the public how long their information will be retained, what information is collected, and why the information collected is necessary
Pay a civil penalty of $1.5 million due to “sharing sensitive personal health information for years with advertising companies and platforms -contrary to its privacy promises…”.

As alluded to above, GoodRx is not a HIPAA covered entity and therefore not legally bound to the same notification rules as covered entities. As such, patients should be made aware of this if they choose to upload information into GoodRx’s app or website or request that a pharmacy submit claims information to GoodRx. Patients can refer to GoodRx’s updated “Privacy Policy” for more information.

Author
Recent Posts

Meredith Thiede, PharmD

Analyst at PAAS National^®

Independent pharmacy is in my blood. Both my great-grandfather and grandfather owned Rexall stores in northern Wisconsin. I always had the dream of owning my own independent pharmacy (with my very own soda fountain!), but I have quickly found being part of your independent pharmacy’s success story is even more rewarding for me. I look forward to being part of the trusted PAAS team that helps you navigate the waters of the ever-changing world of pharmacy audits and Fraud, Waste, and Abuse regulations.

Latest posts by Meredith Thiede, PharmD (see all)

Best Practices When Filling & Billing Afrezza® - April 8, 2024
Best Practices for DAW Billing in Pharmacies - February 15, 2024
Don’t Cut Corners: Notations on Prescriptions - February 9, 2024