By: Amy Marschall, PsyD

In February 2023, the Federal Trade Commission (FTC) proposed an order to fine GoodRX $1.5 million for unauthorized disclosure of protected health information by selling personal data to tech companies including Facebook and Google. One month later, the FTC proposed a second fine to the online therapy company BetterHelp, fining the company a proposed $7.8 million for selling client data.

In addition to these fines, the FTC has ordered these companies to stop selling and disclosing client data without consent.

These fines represent a shift towards protecting individual privacy for those who receive healthcare online. In recent decades, technology has outpaced the law, putting people’s privacy at risk when they are at their most vulnerable. What do these fines mean for the future of technology and medicine, and how can you protect yourself?

The Charges Against GoodRX and BetterHelp

GoodRX and BetterHelp are not the only companies to receive public criticism for inadequate protections and lax privacy policies, but they are the first to face sanctions and fines as a result.

The Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare providers uphold standards for protecting clients’ personal and medical information and maintain confidentiality. This is not limited to information about treatment and diagnosis; it includes any identifying information. By selling client data to advertisers, these companies were in violation of this law. In BetterHelp’s case, the company sold this information in violation of HIPAA while actively advertising that their platform was HIPAA-compliant, which is a lie.

Even though BetterHelp claims they did not sell information from client sessions, the identifying client information is still a violation. Additionally, although providers can disclose confidential information with written consent from clients, such authorizations must specifically indicate who will get the information and what will be disclosed. A general privacy policy saying that a company sells data to advertisers is not HIPAA-compliant.

Furthermore, even if there were a way to request blanket authorization for disclosing protected health information, releases of information are intended to allow treatment teams to discuss a client’s needs. A provider should request a release because it is their professional opinion that the disclosure is in the client’s best interest, not for monetary gain.

As both GoodRX and BetterHelp advertise themselves as affordable options for pharmaceutical and mental health care, their policy of selling client data disproportionately impacts low-income clients who might not be able to afford other options.

What Does This Mean For The Future?

In addition to leveraging fines for misuse of client data, the FTC has banned BetterHelp from selling client data going forward, requiring them to change this policy. More fines may be coming as well, as GoodRX and BetterHelp are not the only companies who have sold client data to advertisers.

If the FTC continues to sanction and fine these companies, and bans on selling client data are upheld consistently, this could mean better protection and privacy for telehealth users in the future. Technology advances and online health resources have advanced faster than the law and regulations could keep up, and this seems to represent the legal side catching up. Companies will be forced to create sustainable business models that protect client privacy.

How Can Clients Protect Themselves?

Unfortunately, these companies rely on the fact that few people are fully health literate and technology literate, so many do not realize when a company has a predatory or illegal policy. When seeking services, check the company’s privacy policy, and read it fully. The company should provide information about what they do with your data and private information.

What does the privacy policy say about disclosures and what the company does with client data? If this section of the privacy policy talks about disclosures to advertisers, they are selling your information.

For many, platforms like BetterHelp and GoodRX are the only affordable way to access care. If you need support and do not have other options, vet the services available to you and make an informed decision. If you feel that these services are your only option, do what is best for your care, but be aware of the risks.

What Does This Mean for Therapists?

BetterHelp’s website states that they employ more than 25,000 licensed therapists. Many providers have been criticizing BetterHelp’s privacy policies for years, and the FTC fine and sanction definitively proves the company’s unethical and illegal practices. Therapists who work for BetterHelp or who are considering accepting a job with the platform need to be aware of the risk to their license.

Section 4 of the American Psychological Association’s ethics code details psychologists’ obligations to protect client confidentiality. Section 1.07 of the National Association of Social Workers ethics code puts forth requirements to social workers for protecting confidentiality. The American Counseling Association includes these requirements in Section B of the ethics code. The American Association for Marriage and Family Therapy ethics code addresses this in Standard II.

All four ethics codes require providers to protect client privacy and confidentiality in their treatment. These requirements include not using platforms that are not HIPAA-compliant. This means, for example, that a therapist cannot use an unsecure system to store their notes, keep client data in a location where unauthorized people might view it, or use platforms that we know are not HIPAA-compliant. A therapist who knowingly continues to use a platform that does not meet these standards may be liable to their clients for privacy breaches, and they may be at risk for sanctions by their licensing board.

How Can I Find A Therapist Who Protects My Privacy?

It is okay to ask potential therapists about their privacy policy–most provide this information on their website and review it with you prior to the start of treatment. When looking for providers, ask whatever questions help you feel comfortable engaging in therapy.
It can be challenging to find a therapist you can afford. Fortunately, we shared tips for making mental health care affordable without turning to organizations that do not maintain your privacy. We also shared tips for finding a therapist who is a good fit.