Most people, and especially health care providers, are familiar with HIPAA and its relation to protecting the privacy and security of a person's health care information. Now that the Federal Trade Commission (FTC) has taken action for the first time under its Health Breach Notification Rule (which is completely separate from HIPAA), health care providers and other companies engaged in digital health initiatives should recommit to (i) having robust data privacy and security policies and procedures; and (ii) complying with such policies and procedures.
In the FTC's press release about its first enforcement action in this area, the FTC points out that GoodRx had insufficient policies, and the ones it had in place were not being followed. Another noteworthy item (among many in the press release), is that concerns about GoodRx's practices were brought to light by a "consumer watchdog", not as a result of an accidental disclosure of a particular patient's data, a system failure, or a malicious attack by a bad actor (e.g., hack, ransomware).
For additional insight on what to do (and not to do) in the context of health care data privacy and security, review the FTC's full press release and work with health care and data privacy attorneys well-versed in these matters.