I can't say if GoodRx is doing it, but Walgreen's seems to be selling information.
I was with a friend picking up his meds and I bleeped my rewards card to collect the points, since he didn't have one. Now I get offers in the mail to treat his condition.
So this has been a roller coaster. My initial thought was that this was a big HIPAA violation but then I decided to actually look to see if my assumption held up. According to the Department of Health & Human Services page on HIPAA and marketing [0], Walgreens can use personal health information (PHI) in marketing without violating HIPAA, as long as they have permission to do so.
So with that in mind, I went and looked at Walgreen's notice of privacy practices [1] and they say that they will get a written disclosure before using PHI (and that is restated in their Balance Reward ToS.
Bottom line is, if they are selling information then hopefully you're friend has signed a form authorizing use of the PHI otherwise Walgreens is violating HIPAA.
"GoodRx does not sell information regarding your drug prescriptions and medical conditions that are linked to your name, contact information and other personal data you provide us."
This could just mean pseudoanonymization. I.e. they staple you medical information to your IP, a cookie, or an advertising ID. A buyer can deanonymize that kind of data in many cases.
I was with a friend picking up his meds and I bleeped my rewards card to collect the points, since he didn't have one. Now I get offers in the mail to treat his condition.