Federal Trade Commission settles charges against Practice Fusion for deceiving consumers about privacy of doctor reviews

June 11, 2016 |

Health information, like that information about one’s sexuality, political and religious beliefs, is highly sensitive.  It is defined in those terms within the Privacy Act 1988. There is an additional obligation upon health providers to maintain confidentiality.  Or one would have thought.  Unfortunately in the United States a practice has developed where health practitioners have retaliated to negative reviews on Yelp by providing responses which involve disclosing confidential information.  This is reported by Prop Publica in Stung by Yelp Reviews, Health Providers Spill Patient Secrets. On any level it is an appalling breach of privacy.  That it is supposedly a riposte to an unfair review in no way constitutes any form of justification.

On 21 October 2013 Forbes described a new business model by Practice Fusion, an health record company, in Medical Start-up Invited Millions Of Patients To Write Reviews They May Not Realize Are Public. Some Are Explicit where health professionals would obtain free web based management service while Practice Fusion would obtain government incentives to have professionals adopt electronic health technology and get access to data which can be made available for a fee. The problem was privacy.  Even then it was recognised as an issue. Personal health information was being made public without proper consent being obtained.  That was confirmed whenthe Federal Trade Commission took action against Practice Fusion, alleging that reviews from doctors were being made public without obtaining  the consumer’s consent first notwithstanding claiming to do so in its disclosures to those persons. The action is based on Practice Fusion making deceptive statements about privacy and confidentiality.

Practice Fusion has entered into a 20 year settlement with the FTC whereby it will

IT IS ORDEREDthat Respondent and Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service must not misrepresent in any manner, expressly or by implication:
A. the extent to which Respondent uses, maintains, and protects the privacy and confidentiality
of any covered information, including: the extent to which covered information shall be made publicly available, including by posting on the Internet

The compliance obligations are stringent, and no doubt expensive.

The media release provides:

Practice Fusion, a cloud-based electronic health record company, has agreed to settle Federal Trade Commission charges it misled consumers by soliciting reviews for their doctors, without disclosing adequately that these reviews would be publicly posted on the Internet resulting in the public disclosure of patients’ sensitive personal and medical information.

The settlement with the FTC will prohibit Practice Fusion from making deceptive statements about the privacy or confidentiality of the information it collects from consumers, and will also require the company, prior to making any consumers’ information publicly available, to clearly and conspicuously disclose this fact and obtain consumers’ affirmative consent.

“Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Companies that collect personal health information must be clear about how they will use it – especially before posting such information publicly on the Internet.”

According to the complaint, Practice Fusion made plans to launch a public-facing healthcare provider directory in 2013.  In order to be able to populate the directory with patient reviews, Practice Fusion began sending emails in April 2012 to patients of healthcare providers utilizing Practice Fusion’s electronic health records service. The emails appeared to be sent on behalf of the patients’ doctors, and asked consumers to rate their provider “[t]o help improve your service in the future.”

According to the complaint, consumers who clicked on the five-star rating image in the e-mail were taken to an online survey form with questions about their recent medical visit. The survey included a text box where patients could enter any information they wished within a set character limit. Because patients likely thought the information was only shared with their provider, many of them included in the text box their full name or phone number along with personal health information inquiries. For instance:

  • one consumer asked for information on dosing for “my Xanax prescription”;
  • one consumer included a request for help with a depressed child, writing “I think she is depressed and has stated several times this week that she wishes she was dead”; and
  • one consumer wrote that “I did a little research and I think I have a yeast infection called candida.”
    In its complaint, the FTC cites these examples of patient information that then appeared in reviews publicly posted by Practice Fusion.

Under the terms of the proposed settlement, Practice Fusion will be prohibited from misrepresenting the extent to which it uses, maintains and protects the privacy or confidentiality of data it collects. The company must also, prior to making consumers’ information publicly available, clearly and conspicuously disclose – separate and apart from a privacy policy, terms of use or other similar document – that it is making such information publicly available and obtain consumers’ affirmative consent. The settlement also prohibits Practice Fusion from publicly displaying the reviews it collected from consumers during the time period covered by the complaint.

As is often the case with privacy litigation the reputational damage is an invariable additional rub of salt into the malefactor’s wounds.  This is no exception to that iron rule with no shortage of reports including EHR maker Practice Fusion settles with FTC over patient privacy complaint and Practice Fusion settles with FTC over illicit patient information disclosures.

One Response to “Federal Trade Commission settles charges against Practice Fusion for deceiving consumers about privacy of doctor reviews”

  1. Federal Trade Commission settles charges against Practice Fusion for deceiving consumers about privacy of doctor reviews | Australian Law Blogs

    […] Federal Trade Commission settles charges against Practice Fusion for deceiving consumers about priva… […]

Leave a Reply