The Federal Trade Commission recently proposed a $1.5 million settlement with GoodRx Holdings for allegedly sharing patient data to advertise on Facebook and Google. The move, the first of its kind for the organization, could spark better health data privacy laws, Politico reported Feb. 2.
For the first time, the FTC is using its Health Breach Notification Rule against GoodRx for "failing to notify consumers and others of its unauthorized disclosures of consumers' personal health information" for years.
The move came as a shock, as no federal law currently governs the privacy of data held by medical providers when it comes to marketing practices.
Currently, the data breach rule protects health data that might be leaked in a breach but is not covered by HIPAA. However, the rule neither covers nor mentions protections for data shared via marketing practices.
For example, the rule only states that any entity not covered by HIPAA that collects personally identifiable health information must inform consumers of a data breach or face enforcement. Although there are still many legal gray areas, the crackdown on GoodRx could spur better data sharing practices with third parties.
According to the report, the FTC is seeking public input on whether the commission should write new rules governing commercial surveillance and data security. With this, healthcare organizations, third parties and healthcare companies could see a new rule coming later this year.