1. Home
  2. |Insights
  3. |Sensitive Health Information and Deceptive Business Practices – FTC Releases Proposed Settlement with Practice Fusion, Inc.

Sensitive Health Information and Deceptive Business Practices – FTC Releases Proposed Settlement with Practice Fusion, Inc.

Client Alert | 24 min read | 06.15.16

On June 8, 2016, the Federal Trade Commission (FTC) released the terms of a deceptive business practices proposed settlement with Practice Fusion, Inc., one of the largest cloud-based technology and electronic health records (EHR) companies in the country.

The Charges

For over a year, Practice Fusion allegedly induced patients to complete online provider feedback surveys, and then posted that information online – including personal and sensitive patient health information – without proper advanced disclosure or patient consent.

The Emails

According to the FTC complaint, from April 5, 2012 through April 8, 2013, Practice Fusion emailed patients requesting that they complete patient satisfaction surveys and reviews of their providers’ services. Practice Fusion sent these post-visit emails to patients, representing that the survey was a tool to “help improve your service in the future,” that the emails were “[s]ent on behalf of Doctor [provider’s name],” and closing with a “Thank you, Doctor [provider’s name]”:


Source: Complaint, In re Practice Fusion, Inc.

Mistake #1: Representing to patients that their responses to the surveys would be communicated to the patient’s health care provider. Mistake #2: Despite including a “privacy statement” hyperlink at the bottom of the survey emails redirecting patients to Practice Fusion’s Privacy Policy, the Privacy Policy itself contained absolutely no notice that Practice Fusion would publish the patient reviews online.

The Survey

Patients who clicked on the stars in the email message were redirected to a survey form, which included (among other things) a free text box asking patients to “[p]lease leave a review for your provider”:


Source: Complaint, In re Practice Fusion, Inc.

Although the instructions above the text box directed patients “not [to] include personal information” in their reviews, that is what many patients did, likely assuming that the communication was private. Patients included identifying information, such as their full name or phone number, combined with sensitive health information, including their health condition, medications taken, medical procedures performed, questions about their treatment, and requesting future appointments.

Although the survey allowed patients to check a box to “[k]eep this review anonymous” and required patients to check a box “agree[ing] to the terms of the Patient Authorization” prior to submission, neither of these mechanisms were considered sufficient: checking the “anonymous” box did absolutely nothing to anonymize the personal information entered into the text box, and the requirement that patients “agree to the terms of the Patient Authorization” did not require them to actually review the Authorization in advance. Mistake #3: Failing to adequately disclose to patients that their provider reviews would be posted publicly online.

It wasn’t until November 2013 – after identifying and sensitive health information had been publicly posted for over eight months – that Practice Fusion implemented automatic procedures to identify and withhold reviews with personal information, and to remove the sensitive reviews that had already been posted.

The Proposed Settlement

The terms of the proposed settlement prohibit Practice Fusion from:

  1. Misrepresenting (expressly or impliedly) the extent to which it uses, maintains, and protects the privacy and confidentiality of any covered information.
  2. Making a consumer’s covered information publicly available without first:
    1. Clearly and conspicuously disclosing to the consumer that the information will be made publicly available (separate and apart from any privacy policy, terms of use, or other such document).
    2. Obtaining the consumer’s affirmative express consent.
  3. Publicly displaying or maintaining any health care provider review information collected in response to the patient satisfaction survey from April 5, 2012 to April 8, 2013, except for review by Practice Fusion’s provider customers, or as permitted to comply with applicable laws.

The FTC’s message is loud and clear: transparency is key, and it is the technology company’s responsibility to make sure that patients understand – early and often – exactly how their sensitive information is being used. And of course, informed consent is the gold standard.

The FTC voted 3-0 to issue the administrative complaint and to accept the terms of the proposed settlement, which are subject to public comment. Comments are due by July 8, 2016, and may be submitted electronically.

Contacts

Insights

Client Alert | 3 min read | 12.10.24

Fast Lane to the Future: FCC Greenlights Smarter, Safer Cars

The Federal Communications Commission (FCC) has recently issued a second report and order to modernize vehicle communication technology by transitioning to Cellular-Vehicle-to-Everything (C-V2X) systems within the 5.9 GHz spectrum band. This initiative is part of a broader effort to advance Intelligent Transportation Systems (ITS) in the U.S., enhancing road safety and traffic efficiency. While we previously reported on the frustrations with the long time it took to finalize rules concerning C-V2X technology, this almost-final version of the rule has stirred excitement in the industry as companies can start to accelerate development, now that they know the rules they must comply with. ...