HeyDoctor provides an online prescription as a service(PCaaS) for startups and service providers. It helps users pitch medications and prescriptions. The company was founded in 2017 and is based in San Francisco, California. In September 2019, HeyDoctor was acquired by GoodRx.
Expert Collections containing HeyDoctor
Expert Collections are analyst-curated lists that highlight the companies you need to know in the most important technology spaces.
HeyDoctor is included in 2 Expert Collections, including Digital Health.
The digital health collection includes vendors developing software, platforms, sensor & robotic hardware, health data infrastructure, and tech-enabled services in healthcare. The list excludes pureplay pharma/biopharma, sequencing instruments, gene editing, and assistive tech.
Companies developing, offering, or using electronic and telecommunication technologies to facilitate the delivery of health & wellness services from a distance. *Columns updated as regularly as possible; priority given to companies with the most and/or most recent funding.
Latest HeyDoctor News
Mar 8, 2023
To embed, copy and paste the code into your website or blog: <iframe frameborder="1" height="620" scrolling="auto" src="//www.jdsupra.com/post/contentViewerEmbed.aspx?fid=7f386fb6-47e9-4294-9156-c9196eaa0d1d" style="border: 2px solid #ccc; overflow-x:hidden !important; overflow:hidden;" width="100%"></iframe> The Federal Trade Commission (FTC) recently kicked off enforcement of its Health Breach Notification Rule (Breach Rule) by taking aim at GoodRx’s use of tracking technologies (e.g. pixels) and the sharing of consumer health data for advertising purposes. According to Samuel Levine, director of the FTC's Bureau of Consumer Protection, the FTC “is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation." Bottom line, HIPAA applicability may no longer be as significant of a factor when it comes to the risk presented by collecting, using, disclosing, and maintaining identifiable health information (IHI). Breach Reporting In taking action against GoodRx Holdings, Inc. (and its partially and fully owned subsidiaries including HeyDoctor LLC, collectively referred to herein as GoodRx) the FTC is clearly following through on its September 2021 Policy Statement . As we discussed in a previous post , the FTC indicated it would be bringing actions for Breach Rule violations against a surprisingly broad range of entities (e.g. certain health apps). Historically, many entities not subject to HIPAA dealing with health information may have understandably believed they fell outside the rule’s scope and thus were not required to report a “breach of security” under the Breach Rule, which is defined as acquisition of IHI without the authorization of the individual. The Breach Rule is similar to HIPAA, in that it requires notice of breach to affected individuals, a government agency (the FTC), and prominent media outlets if there is a breach involving more than 500 individuals. However, unlike HIPAA, determining whether a breach is reportable does not allow for a fact-based risk assessment. Instead, the analysis hinges on whether or not the information was or reasonably could have been acquired. As a result, incidents that may not be reportable breaches under HIPAA (as well as some state laws) would still be reportable under the Breach Rule. Notably, there are complex business models that can implicate both rules. While HIPAA covered entities and companies acting solely as business associates under HIPAA are only subject to the HIPAA Breach Notification Rule companies acting as business associates that also offer services involving IHI outside HIPAA’s scope could be subject to the Breach Rule. For example, a company would be subject to both rules if it (i) develops a health application marketed to the general public capable of drawing information from multiple sources; and (ii) separately provides a white-labeled patient portal application to insurance company pursuant to a business associate agreement that collects member PHI. FTC Enforcement On February 1, 2023, the Department of Justice (DOJ) filed its first proposed order on behalf of the FTC in connection with the failure of GoodRx to comply with the Breach Rule along with Section 5 of the FTC Act. The U.S. District Court for the Northern District of California approved the proposed order , which was entered on February 17, 2023 (Order). The Order imposes significant requirements and prohibitions on GoodRx related to the use and disclosure of consumer data and levies a $1.5 million civil penalty, as further discussed below. According to the DOJ’s complaint , GoodRx allegedly violated Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce” by misrepresenting its privacy practices and compliance with HIPAA and used tracking pixels and other automated trackers in a manner that monetized and shared IHI with third party advertisers without proper consumer notice or authorization. The FTC alleged that the unauthorized sharing of IHI took place for years without being reported as required by the Breach Rule. Not surprisingly, GoodRx posted a statement on its website (GoodRx Statement) indicating that it does not agree with the allegations of the FTC’s complaint and its “novel application of the Health Breach Notification Rule.” GoodRx Settlement Details GoodRx stipulated to the entry of the Order for the sake of resolving all matters in the complaint to avoid costly litigation, and was not required to admit to any of the allegations. In addition to paying the $1.5 million penalty, GoodRx will (among other things): be permanently restrained and enjoined from disclosing IHI (which specifically includes information derived or extrapolated from information about an individual’s activities that allows for a determination that the individual has a health condition or is taking a drug) to third parties for advertising purposes; be permanently required to provide notice and obtain express written consent from consumers before sharing IHI with third parties for other purposes (subject to certain exceptions including applicability of and compliance with HIPAA); be permanently restrained and enjoined from misrepresenting (directly or indirectly) privacy practices, consumer rights, privacy and security safeguards, privacy controls, HIPAA and privacy and security law and certification standard compliance; provide breach notification in accordance with the Breach Rule; notify the FTC of any violations of the Order; instruct third parties that impermissibly received IHI from GoodRx to delete all personally identifiable consumer information previously provided, which must be confirmed before any sharing may resume (regardless of whether information is hashed); establish and implement a comprehensive privacy program that protects the privacy, security, availability, confidentiality, and integrity of heath information and meets certain requirements within 180 days; obtain initial and biennial privacy assessments by a third party approved by the FTC and provide annual certification of compliance for 20 years; and post a notice provided by the FTC on the GoodRx websites and mobile applications within 14 days of the order detailing the FTC’s allegations for a period of 180 days and email a copy of the notice to any individuals in which GoodRx has email addresses. According to the GoodRx Statement, the FTC’s concerns were proactively addressed several years ago and thus the Order will have no material impact on the business’ current or future operations. Otherwise, per GoodRx, the cost of the above requirements would have the potential to far exceed the penalty, and will subject GoodRx to continued government scrutiny for a term of 20 years in any event. By way of comparison, corrective action plan obligations under HIPAA resolution agreements, even in the event of a large-scale breach, typically do not exceed a three (3) year term. Next Steps In addition to the FTC, the DOJ has also signaled that health information privacy is a priority. On February 22, 2023, in a press release regarding the GoodRx settlement, Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division stated, “The Department is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.” Between recent enforcement trends and an increasing number of states enacting comprehensive consumer privacy legislation, the absence of HIPAA applicability is less of a material distinction when it comes to the risks presented by unauthorized use and disclosure of IHI. With this in mind, we recommend that entities collecting IHI from consumers take the following steps: determine whether the Breach Rule applies to the organization as described in FTC’s Policy Statement and if necessary update incident response and breach response policies and procedures; perform data mapping to understand the data collected from consumers and identify the purposes for which it is used and shared, taking into account what IHI can be inferred by the data collected using tracking technologies and other marketing services; identify what information privacy and security laws apply to the IHI collected; compare current use and sharing of IHI with public facing statements regarding same and address any inaccuracies; contact counsel if it is determined that prior use and disclosure of IHI resulted in a reportable breach under the FTC’s Policy Statement; consider the risks of making public representations regarding HIPAA compliance and other privacy and security measures before making them and update any existing statements that are misleading or inaccurate; evaluate information privacy and security policies and procedures and if necessary update to ensure compliance with applicable privacy laws and representations made to the public; monitor and audit third party disclosures of IHI for compliance with applicable law; and review current and prospective contracts with third parties to ensure applicable data sharing provisions align with applicable law, information privacy and security policies, and procedures and public representations.
HeyDoctor Frequently Asked Questions (FAQ)
When was HeyDoctor founded?
HeyDoctor was founded in 2017.
Where is HeyDoctor's headquarters?
HeyDoctor's headquarters is located at 41 Waller Street, San Francisco.
What is HeyDoctor's latest funding round?
HeyDoctor's latest funding round is Acquired.
How much did HeyDoctor raise?
HeyDoctor raised a total of $120K.
Who are the investors of HeyDoctor?
Investors of HeyDoctor include GoodRx, Y Combinator, Pioneer Fund, Soma Capital and ONEVC.
Who are HeyDoctor's competitors?
Competitors of HeyDoctor include Simple Health.
Compare HeyDoctor to Competitors
Ro operates as a patient-driven telehealth company. Its network of physicians and pharmacies provides a personalized healthcare experience from online treatment to the delivery of medication and ongoing care. It was formerly known as Roman. The company was founded in 2017 and is based in New York, New York.
Pandia Health provides a one-stop shop for recurring medications, starting with birth control. Pandia Health offers free and discreet delivery of the pill, patch, or ring as well as emergency contraceptives.
Quadrant Eye is an eye care platform. It offers online eye exams and then licensed eye doctors review the results and send a glasses or contact lens prescription. It was founded in 2020 and is based in San Francisco, California.
Wisp is an online store for treatment for cold sores, genital herpes, bacterial vaginosis, yeast infection, and urinary tract infection. It is based in San Francisco, California. On September 1, 2021, WELL Health Technologies acquired a majority stake in Wisp at a valuation of $77.36M.
Lemonaid develops a telemedicine platform that delivers evidence-based care. The company's platform is available through Android and iOS mobile apps. On October 22, 2021, Lemonaid was acquired by 23AndMe at a valuation of $400M.
The Pill Club provides an online birth control prescription and delivery service to aid access to birth control. It delivers birth control, emergency contraception, and complimentary gifts while offering a personalized and connected healthcare experience. The company was founded in 2014 and is based in San Mateo, California.