WEBVTT

1
00:00:00.120 --> 00:00:03.000
- So in the United States,
there's a law called HIPAA.

2
00:00:03.000 --> 00:00:04.650
Maybe you're familiar with it,

3
00:00:04.650 --> 00:00:07.200
because you've probably
filled out a thousand forms

4
00:00:07.200 --> 00:00:08.970
about it at the doctor's office.

5
00:00:08.970 --> 00:00:11.100
Now, a lot of people think that HIPAA

6
00:00:11.100 --> 00:00:12.810
protects your health data.

7
00:00:12.810 --> 00:00:15.603
Well, here's a secret, it doesn't.

8
00:00:16.500 --> 00:00:20.100
Basically, HIPAA is a
law that only applies

9
00:00:20.100 --> 00:00:22.860
to health care providers, hospitals,

10
00:00:22.860 --> 00:00:25.200
pharmacies, insurance companies,

11
00:00:25.200 --> 00:00:29.250
and anyone who's acting
directly on their behalf.

12
00:00:29.250 --> 00:00:31.680
Everyone else can pretty much do

13
00:00:31.680 --> 00:00:34.020
whatever they want with
your health information.

14
00:00:34.020 --> 00:00:36.210
Tell your doctor you have bipolar disorder

15
00:00:36.210 --> 00:00:37.800
or you wanna get an abortion,

16
00:00:37.800 --> 00:00:40.950
and there are some strict privacy
rules they have to follow.

17
00:00:40.950 --> 00:00:44.460
But if you type that same
information into WebMD,

18
00:00:44.460 --> 00:00:47.040
you can kiss your data goodbye.

19
00:00:47.040 --> 00:00:49.710
In 2020, I did a little investigation

20
00:00:49.710 --> 00:00:52.950
into a prescription coupon
company called GoodRx,

21
00:00:52.950 --> 00:00:55.770
and caught them sending
users' medication data

22
00:00:55.770 --> 00:00:59.160
to Facebook and Google and
a bunch of other companies.

23
00:00:59.160 --> 00:01:03.150
And, oh, they forgot to tell
their customers about it.

24
00:01:03.150 --> 00:01:04.590
Sounds illegal, right?

25
00:01:04.590 --> 00:01:07.980
Well, until now, it really
seemed like it wasn't,

26
00:01:07.980 --> 00:01:11.430
'cause remember, HIPAA doesn't
apply to them in most cases.

27
00:01:11.430 --> 00:01:14.250
Well, the FTC just changed the rules,

28
00:01:14.250 --> 00:01:16.920
or at least, they're trying to.

29
00:01:16.920 --> 00:01:20.700
The FTC just fined GoodRx $1.5 million.

30
00:01:20.700 --> 00:01:22.740
Not because they violated HIPAA,

31
00:01:22.740 --> 00:01:25.530
but because GoodRx's
practices were deceptive,

32
00:01:25.530 --> 00:01:27.090
according to the FTC.

33
00:01:27.090 --> 00:01:28.680
And it isn't just a fine,

34
00:01:28.680 --> 00:01:31.350
the proposed court order
says GoodRx isn't allowed

35
00:01:31.350 --> 00:01:34.440
to use health data for ads at all.

36
00:01:34.440 --> 00:01:37.320
And the government wants to
go even farther than that.

37
00:01:37.320 --> 00:01:39.120
According to an FTC official,

38
00:01:39.120 --> 00:01:42.030
they wanna send a clear
signal to the health industry

39
00:01:42.030 --> 00:01:45.750
that using medical data for
advertising is against the law

40
00:01:45.750 --> 00:01:48.780
unless you have clear, informed consent,

41
00:01:48.780 --> 00:01:51.960
and you can't trick people
with confusing buttons,

42
00:01:51.960 --> 00:01:54.240
or bury it in your privacy policy.

43
00:01:54.240 --> 00:01:55.770
The FTC's order has to be approved

44
00:01:55.770 --> 00:01:57.090
by a federal court system.

45
00:01:57.090 --> 00:02:00.300
But if it is, it could
transform health privacy

46
00:02:00.300 --> 00:02:01.650
in the United States.

47
00:02:01.650 --> 00:02:04.050
Now, the ad industry is
probably gonna fight this,

48
00:02:04.050 --> 00:02:06.000
but we could finally be in an era

49
00:02:06.000 --> 00:02:08.070
where the rules about health privacy

50
00:02:08.070 --> 00:02:09.720
match up with the protections

51
00:02:09.720 --> 00:02:12.540
that people think they already have.

52
00:02:12.540 --> 00:02:15.273
Check out more videos here on Gizmodo.com.