Federal Trade Commission settles charges regarding privacy breaches by Medical Billing Provider

December 4, 2014

The Federal Trade Commission ("the FTC") has announced a settlement with PaymentsMD LLC and its former CEO regarding egregious privacy-invasive practices. Consumers who signed up for an online billing portal, which allowed them to view their billing history, were in fact providing consent for the company and its partners to access their medical information. By no reasonable measure could the authorisation constitute a proper consent for access to medical information, as the press release makes clear. The settlement is reported in FTC: Online billing service deceptively collected medical records and FTC: Online billing service deceptively collected medical records.

The Complaint is found here.  The settlement is found here.

The media release provides:

Respondents Failed to Inform Consumers They Would Seek Detailed Info From Pharmacies, Insurance Companies and Laboratories

An Atlanta-based health billing company and its former CEO have settled Federal Trade Commission charges they misled thousands of consumers who signed up for an online billing portal by failing to adequately inform them that the company would seek highly detailed medical information from pharmacies, medical labs and insurance companies.

In a pair of complaints, the FTC charges that PaymentsMD, LLC, and its former CEO, Michael C. Hughes, used the sign-up process for a “Patient Portal” — where consumers could view their billing history — as a pathway to deceptively seek consumers’ consent to obtain detailed medical information about the consumers.

“Consumers’ health information is as sensitive as it gets,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Using deceptive tactics to gain consumers’ ‘permission’ to collect their full health history is contrary to the most basic privacy principles.”

According to the complaints, PaymentsMD operated a website where consumers could pay their medical bills. In 2012, the company and a third party began developing a separate service known as Patient Health Report, designed to provide consumers with comprehensive online medical records. In order to populate the medical records, though, the company first needed to acquire consumers’ medical information. The complaints allege that the company altered the registration process for the billing portal to include permission for the company and its partners to contact healthcare providers to obtain their medical information.

According to the complaints, consumers consented to the collection of their health information by signing off on four authorizations that were presented in small windows on the webpage, displaying only six lines of the extensive text at a time, and could be accepted by clicking one box to agree to all four authorizations at once. Consumers registering for the Patient Portal billing service would have reasonably believed that the authorizations were to be used for just that – billing, according to the complaint.

The complaint alleges that PaymentsMD used the consumers’ registrations to gather sensitive health information from pharmacies, medical testing companies and insurance companies to create a patient health report. The information requested included the prescriptions, procedures, medical diagnoses, lab tests performed and the results of the tests, and more. The complaints allege the company contacted pharmacies located near the consumers, without knowing whether the consumers in question were customers of the particular pharmacy.

According to the complaints, in all but one case, the healthcare companies contacted for data refused to comply with the requests, as they included requests for information about minors, as well as for individuals who were not customers of the healthcare company contacted. Once PaymentsMD began informing customers that it was attempting to collect consumers’ health information, the company received numerous complaints from consumers angered because they believed they had signed up only for a billing portal and not an online health record.

Under the terms of the settlements, PaymentsMD and its former CEO, Hughes, must destroy any information collected related to the Patient Health Report service. In addition, the respondents are banned from deceiving consumers about the way they collect and use information, including how information they collect might be shared with or collected from a third party, and they must obtain consumers’ affirmative express consent before collecting health information about a consumer from a third party.
