Why the FTC and not OCR

GoodRx isn't a covered entity under HIPAA. It's a consumer-facing app that helps people compare prescription prices. So OCR couldn't act.

But the company collected health information from users — what medications they searched, what prescriptions they had, what conditions those medications treated. The Health Breach Notification Rule, written in 2009 under the HITECH Act, requires non-HIPAA-covered companies that handle "personal health records" to notify users about breaches. The FTC enforces it.

GoodRx is the first company the FTC ever charged under that rule. For 14 years, the rule was effectively dormant. The GoodRx case turned it into an active enforcement tool.

What GoodRx actually did

The FTC complaint alleged a long list of practices. Three of the most consequential:

GoodRx shared user health information with Facebook, Google, Criteo, and Branch through tracking pixels and APIs. The shared data included specific medication names, drug categories (HIV, cardiac, mental health), and the searches users ran. The data was used for advertising, including retargeting ads on Facebook for medications users had searched for.

GoodRx made privacy claims that the FTC said were false. The website displayed a "HIPAA Secure" seal, which is meaningless since GoodRx isn't covered by HIPAA, yet the seal misled consumers about the company's privacy practices.

GoodRx didn't notify users about the disclosures, which the FTC argued was itself a violation of the Health Breach Notification Rule.

The settlement

The FTC's order has three main components.

The civil penalty is $1.5 million, paid into the U.S. Treasury.

The injunctive relief bars GoodRx from sharing user health information with third parties for advertising purposes. This is broader than HIPAA — it covers data that would be PHI if GoodRx were a covered entity, and it covers the practice (sharing for advertising) directly.

The compliance order runs 20 years. GoodRx must maintain a comprehensive privacy program, get consumer consent for any data sharing, notify users about prior disclosures, and submit to regular FTC oversight.

What it set in motion

The GoodRx settlement opened a wave of FTC enforcement against direct-to-consumer health platforms.

  • BetterHelp — $7.8M in consumer refunds, March 2023, mental health intake to Facebook, Snap, Pinterest, Criteo
  • Premom (Easy Healthcare) — $200K, May 2023, fertility data to AppsFlyer, Google, Umeng, Jiguang
  • Cerebral — $7M+ settlement, April 2024, telehealth data to LinkedIn, Snap, TikTok, Google, Meta
  • Monument/Tempest — permanent ad-data ban, April 2024, alcohol-addiction treatment data via pixels

Every one of these followed the GoodRx playbook: pixel-based disclosures, privacy claims that didn’t match practice, FTC charges under Section 5 plus the Health Breach Notification Rule.

Why it matters even for HIPAA-covered practices

GoodRx isn't a covered entity, but the case still informs HIPAA-covered practices for two reasons.

First, the technical fact pattern is identical. Pixel disclosures, server-side conversion APIs, and data flowing to ad platforms work the same way whether you're a hospital or a discount-prescription app. The legal frame is different, but the technical risk is the same.
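To make that technical fact pattern concrete, here is an added example (not code from the original article or from GoodRx) of the check a site operator can run over captured outbound requests, such as a browser network capture or HAR export: it flags calls to ad-platform hosts whose query string or POST body carries medication or condition terms. The host list, the watch terms and the sample requests are assumptions constructed for the example.

```python
"""Audit captured outbound web requests for health data leaking to ad platforms."""
import json
import re
from urllib.parse import urlparse, parse_qsl

# Assumed pixel / conversion-API hosts for vendors named in the complaint.
AD_HOSTS = {
    "www.facebook.com",          # Facebook pixel endpoint
    "www.google-analytics.com",  # Google Analytics collect endpoint
    "api2.branch.io",            # Branch event API
    "sslwidget.criteo.com",      # Criteo tag
}

# Constructed watch list; a real deployment would load the site's drug catalogue.
WATCH_TERMS = {"lisinopril", "sertraline", "truvada", "hiv", "cardiac", "mental health"}


def _flatten_params(url, body):
    """Collect key/value pairs from the query string and a form- or JSON-encoded body."""
    pairs = parse_qsl(urlparse(url).query, keep_blank_values=True)
    if body:
        try:
            decoded = json.loads(body)
        except ValueError:
            decoded = None
        if isinstance(decoded, dict):
            # Nested objects are serialised so their values are still inspected.
            pairs += [(k, v if isinstance(v, str) else json.dumps(v)) for k, v in decoded.items()]
        else:
            pairs += parse_qsl(body, keep_blank_values=True)
    return pairs


def audit_requests(requests, ad_hosts=AD_HOSTS, watch_terms=WATCH_TERMS):
    """Return one finding per third-party request whose parameters carry a watched term."""
    # Whole-word match so "hiv" does not fire on "archive".
    pattern = re.compile(r"\b(" + "|".join(re.escape(t) for t in sorted(watch_terms)) + r")\b", re.I)
    findings = []
    for req in requests:
        host = urlparse(req["url"]).hostname or ""
        if host not in ad_hosts:
            continue  # first-party traffic is out of scope for this check
        hits = [(k, v) for k, v in _flatten_params(req["url"], req.get("body")) if pattern.search(v)]
        if hits:
            findings.append({"host": host, "leaked": hits})
    return findings


# Constructed sample: first-party search, pixel call echoing the search, Branch event, clean GA hit.
SAMPLE_REQUESTS = [
    {"url": "https://example-rx.test/search?q=lisinopril", "body": None},
    {"url": "https://www.facebook.com/tr?id=000&ev=Search&cd[search_string]=lisinopril&cd[content_category]=cardiac", "body": None},
    {"url": "https://api2.branch.io/v1/event", "body": '{"name": "view", "custom_data": {"drug": "Truvada", "category": "HIV"}}'},
    {"url": "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fhome", "body": None},
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        print(finding["host"], finding["leaked"])
```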

Second, the FTC will assert jurisdiction over the parts of a healthcare business that aren't HIPAA-covered. A hospital's general consumer marketing site, a covered entity's consumer wellness app, or a health system's adjacent consumer products may all fall within FTC scope.

The 2024 HBNR amendment

In April 2024, the FTC formalized amendments to the rule that turned a long-dormant rule into an actively enforced one. The amendments expanded who counts as a "vendor of personal health records," clarified what counts as a breach, and shortened notification timelines. Per-violation penalties are around $51,744, indexed annually.