The Federal Trade Commission made its position clear in early 2023: health apps that share sensitive user data without proper consent are breaking the law. In February 2023 the agency brought an enforcement action against GoodRx, which agreed to pay a $1.5 million civil penalty and to stop sharing users' health information for advertising after disclosing prescription drug data to ad platforms including Facebook and Google. Later that year the FTC, together with HHS, sent warning letters to dozens of hospital systems and telehealth providers about the same class of tracking technologies.
The FTC invoked the Health Breach Notification Rule, a regulation on the books since 2009 that most health app developers had quietly ignored. The rule requires vendors of personal health records and related entities that are not covered by HIPAA to notify affected consumers and the FTC when unsecured health data is breached, and the FTC reads "breach" to include disclosing that data to third parties without the user's authorization, not just losing it to an attacker. The GoodRx case was the first time the FTC had ever enforced it.
The message to the digital health industry was direct: the fact that your app is not covered by HIPAA does not mean you can do whatever you want with patient data. Users who share information about prescriptions, mental health, fertility, or chronic conditions have a reasonable expectation that this information will not be handed to ad networks.
If your business sits at the intersection of health and technology, the FTC’s recent enforcement posture is not background noise. It is a signal.