The complaint against cloud-based electronic health records (EHR) vendor Practice Fusion provides important lessons about consumer health privacy for vendors in the health IT industry, according to a Federal Trade Commission blog post.
This week, the FTC announced a proposed settlement with San Francisco-based Practice Fusion after charges that the company misled consumers by soliciting reviews for their doctors, without disclosing adequately that the reviews would be publicly posted on the Internet. This resulted in the public disclosure of patients’ sensitive personal and medical information, according to the FTC.
In a one-count complaint, the FTC alleges that Practice Fusion represented expressly or by implication that survey responses would be communicated to the consumer’s healthcare provider, but failed to adequately disclose that it also would publish the responses publicly. According to the FTC, that fact would have been material to consumers in deciding whether or how to respond to the survey.
The settlement with the FTC will prohibit Practice Fusion from making deceptive statements about the privacy or confidentiality of the information it collects from consumers, and will also require the company, prior to making any consumers’ information publicly available, to clearly and conspicuously disclose this fact and obtain consumers’ affirmative consent.
“Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement. “Companies that collect personal health information must be clear about how they will use it – especially before posting such information publicly on the Internet.”
According to the complaint by the FTC, Practice Fusion made plans to launch a public-facing healthcare provider directory in 2013. In order to be able to populate the directory with patient reviews, Practice Fusion began sending emails in April 2012 to patients of healthcare providers utilizing Practice Fusion’s electronic health records service. The emails appeared to be sent on behalf of the patients’ doctors, and asked consumers to rate their provider “[t]o help improve your service in the future.”
Consumers who clicked on the five-star rating image in the e-mail were taken to an online survey form with questions about their recent medical visit. The survey included a text box where patients could enter any information they wished within a set character limit. Because patients likely thought the information was only shared with their provider, many of them included in the text box their full name or phone number along with personal health information inquiries, according to the FTC complaint.
In its complaint, the FTC cites examples of patient information that then appeared in reviews publicly posted by Practice Fusion, such as one customer asking for information on dosing of “my Xanax prescription.”
In a Business Blog post on the FTC site, Lesley Fair, a senior attorney at the FTC, wrote, “The terms of the settlement apply just to Practice Fusion, but there are lessons others in the industry can learn.” Fair then outlined six compliance tips:
If personal health information is involved, handle it with particular care. Consumers are concerned about the confidentiality of their health information. Given what’s at stake, industry members are on notice of the need for caution, Fair wrote.
Explain your intentions. Especially for new products and services, don’t assume that consumers share your expertise. Be straightforward in your explanation and use simple words to explain what you want to do with their data.
Get consumers’ express affirmative consent before publicly disclosing sensitive information. Companies interested in winning loyal customers (and staying out of legal quicksand) ask consumers for permission before disclosing personal data and wait for a clear “yes” before proceeding. When healthcare information is at issue, it’s not the time to get cute with negative options or other less-than-clear methods of consent.
Disclosures should reach out and grab consumers. Healthcare IT is attracting companies that may not be familiar with the Commission’s approach.
Fair offers some “FTC 101:” “If the disclosure of information is necessary to prevent deception, it must be clear and conspicuous. To the FTC, ‘clear and conspicuous’ is a performance standard, not a font size. Chances are that fine print footnotes, dense blocks of text, jargon-filled doubletalk, or obscure hyperlinks won’t cut it. So if companies need to disclose information, how can they make it clear and conspicuous? Here’s a rule of thumb: Consider the same eye-catching methods you routinely use when you really want to grab a potential customer’s attention—graphics, color, big print, prominent placement, clear wording, etc.”
Don’t bury key facts in a hard-to-understand privacy policy. According to Fair, after Practice Fusion started to collect consumer survey results for posting, it changed what it said in its privacy policy, but didn’t clearly disclose the information on the survey page itself. “Of course, companies’ privacy policies and terms of use pages should be accurate and understandable, but relying on those pages as the exclusive means to convey critical details—for example, that you intend to post consumers’ sensitive health information publicly – is unwise,” Fair wrote.
Fair also advises that health IT companies consult FTC resources. “Companies accustomed just to HIPAA may be less familiar with the FTC’s approach. Visit the Business Center for compliance fundamentals. For example, .com Disclosures: How to Make Effective Disclosures in Digital Advertising talks about how to clearly convey important information online. TheMobile Health Apps Interactive Tool can help you figure out which federal law (and it may be more than one) applies to your business. And Mobile Health App Developers: FTC Best Practices offers an introduction to sound privacy and security,” Fair stated.
The FTC’s proposed agreement with Practice Fusion will be subject to public comment until July 8, after which the FTC will decide whether to make the proposed consent order final.
