TLDR; (if you don't want to read it all)
GoodRx is a marketing company that has partnered with a Pharmacy Benefit Manager (PBM) or several PBM's to generate traffic (sales). The PBM's negotiate discounts with pharmacies and earn a transaction fee in exchange for sending the pharmacy customers. The marketer earns a transaction fee for helping the PBM.
Currently, GoodRx does not sell your data but they reserve the right to sell it unless you opt out. The PMB is unknown. Its privacy policy is unknown so it's not clear what terms they abide by. I assume they operate in the same manner as all major PBM's which would make them no different than your companies insurance provider.
Should you be worried about using GoodRx? Basically no. And if you had to choose any cash network card, GoodRx is more transparent than the alternatives.
The full description:
GoodRx is a website that provides coupons for prescription medicine. You go to the website, enter your location (The USA only) and the drug and they search all of the pharmacies in your area for the cheapest price.
Recently I had to have a prescription filled that cost $200. With my deductible I have to pay $150, the insurance company covers $50. Given the price, I decided to use GoodRx despite my concerns about privacy. With GoodRx the same prescription cost me $75 total and all I had to do was show the pharmacist my telephone with the coupon info. I was happy, but when things seem to good to be true, they usually are.
How does GoodRX do it? My fear was that they were somehow selling my information to a health data broker. So I spent an hour or two researching how the company makes money. Here is what I found and what I have extrapolated from public data. Take into consideration that I know nothing more than what I've learned from Google searches about the prescription drug business. And there is a chance that I'm completely wrong in my assumptions.
GoodRx is vague on their website about how they make money.
We do not sell your personal health information to anyone. We make money from advertisements on our site and referral fees.
We can assure you that our prices are accurate and the discounts we find are based on contractual agreements.
This is all I had to go on. But it was enough. I started my research based on the words referral fees and contractual agreements.
This is what I learned about the drug business.
Your prescription insurance card has information on it based on the Uniform Prescription Card format. This contains three things:
- RxBin. This tells the pharmacy who to bill. This is relevant if you have a co-pay. You only pay the pharmacy $20 and they have to electronically invoice the insurance company for the rest. Your insurance company doesn't actually handle this process. This is usually outsourced to a Pharmacy Benefit Manager (PBM). So this number belongs to the PBM. RxGroup. This is for the PBM, this could be your employer's identifier or whatever group the insurance company has put you in. Grouping is generally used to negotiate rates. So it could also be an industry association or union. In this case, it's likely GoodRx. Rx ID. Your individual number.
GoodRx uses several RxBin numbers. And the RxGroup numbers never change when they are shown with their corresponding RxGroup. So this makes be believe they have partnered with several PBM's. If so, this would make them a marketing company that has multiple partners, aggregates the data and displays the PBM with the best deals. They are providing traffic to the PBM.
PBM's negotiate huge discounts in exchange for business sent to drug stores. If the PBM is large, for example, the PBM's that represent a large union, AAA or several large companies, they can represent significant business for retail locations.
There are several marketing companies that acquire customers for the PBM, many of them are unscrupulous, for example using tactics that make old people think they are a government insurance agency.
So the discounts GoodRx is showing you is the discount that the PBM has negotiated with that individual pharmacy network (Walgreens, CVS, etc.) on behalf of their customers (RxGroup's). The PBM makes money by charging the pharmacy a pre-negotiated transaction fee which is baked into the prescription cost. To incentivize marketing partners, the PBM gives them a cut of the transaction fee.
With an understanding of how these cards are backed and the revenue model, no one should ever pay for a prescription drug discount card.
GoodRx can also make money from coupons offered by the drug maker. A drug maker might offer a coupon to get customers to try a new brand of drug or variation of it. The revenue model for manufacturer coupons works in the same manner. A free drug coupon could mean the drug maker is paying all of the fees to the pharmacy, PBM, and marketer (assuming this is legal). Or they could be paying the marketer an advertising fee equivalent to the transaction fees.
<rant>Why would a pharmacy accept these discount cards? Because they rip you off and can make a profit while reducing a $200 drug to $50? No idea.
Big box retailers consider pharmacies traffic generators. You come for a prescription and end up buying something additional. That's why pharmacies are always placed at the back of the store. They are OK with losing a little but this is killing smaller pharmacies</rant>.
Another way these marketers make money is by selling your data. When you sign up with the marketer you provide them with personal information. Additionally, when you have a prescription filled that information is sent to the PBM and the marketer as well. If you buy a cholesterol drug, the marketer could resell your data to a manufacture of cholesterol drugs as a lead. Or to a data broker who does the same.
GoodRx has stated many times publicly that they do not resell data:
We /definitely/ don't sell personal information. That's just wrong. We're not out to make money that way and it'd go against our core beliefs and values as people, let alone what we've built as a company. We're a very very small team just doing what we can to fix the messed up situation of prescription medication with no transparency.
Honestly. And if it's of any assurance, we've never worked with IMS (data broker). Source: reddit
One would hope the founder of a VC-backed startup isn't lying on public forums. So I'm going to trust his statement. However, this doesn't mean the PBM isn't reselling your data (assuming this is legal).
I just checked GoodRx's privacy policy and its confirmed many of my assumptions:
Information Received From Pharmacy Benefit Managers.
Most prescriptions purchased in the Unites States, including prescriptions filled through the use of discount coupons, loyalty cards or insurance co-pays, result in the pharmacy reporting patient data back to the company that provides the benefit. When you use a coupon provided by GoodRx, we sometimes receive personally identifying information about you and other transaction information from the corresponding Pharmacy Benefit Manager. This information may include prescription information such as your name, date of birth, your location, the name of your physician and when and where you filled the prescription.
If they are storing transaction data, there is a security risk. Should they be comprised, leaking of medical information would bankrupt them and cause a lot of damage to the people who used their service.
And while the founders state publicly that they are not selling personal data their privacy policy seems to be setting them up to be able to do so in the future. At scale, GoodRx will try to benefit from this data by performing analytics on transaction history and demographics and selling the analytical data in some format to companies. Their privacy policy seems to confirm that.
When we share demographic information with third parties, we will give them aggregate information only.
As we develop our business, we may buy or sell assets, and, depending upon the transaction, your personally identifiable information may be one of the transferred assets. In the event that we are acquired by another company, your personal information may be part of the assets transferred to the acquiring party.
They state clearly that selling your personal information is likely. The first sentence sounds like a trade sale for example if the company is acquired, or it's a sneaky way for the lawyers to make it look like selling your data is related to an acquisition by following it with In the event that but those are two separate sentences. I read it to mean: They may sell your data (period) If we are acquired, we may ALSO sell your data to the company who buys us (period).
Scary right? But here is the good part:
HOW LONG DO WE RETAIN THE PERSONAL INFORMATION WE COLLECT FROM YOU?
We will retain the information we collect from you in our system indefinitely. If you would like information deleted, you may request deletion by emailing us at [email protected]
So you could perform a transaction, then email them to remove the record. Or perhaps email them every few months.
So again, I believe the business model for GoodRx is a marketing company that has partnered with a PBM or several PBM's to generate traffic. The PBM's negotiate deals with pharmacies and earn a transaction fee in exchange for sending the pharmacy customers. The marketer earns a transaction fee for helping the PBM.
Currently, GoodRx does not sell your data but they reserve the right to sell it unless you opt out. The PBM is unknown. Its privacy policy is unknown so it is not clear what terms they abide by. If they operate in the same manner as all major PBM's, they are no different than your company insurance provider.
I don't think there is any cause to be concerned about GoodRx violating your privacy at this time. There are a lot of similar companies online and off, but many lack transparency. So GoodRx is the safest choice if you had to choose any. If you do plan to purchase before you go to the store set a calendar reminder for 3 months in the future to remind you to opt out from their DB.
