Up until now, the criticism received by Practice Fusion about its free EHR solution appears unwarranted considering the number of ambulatory care providers who have adopted the certified EHR technology. However, a new wave of criticism could be merited if a recent report about the company’s handling of user privacy is in fact true.
According to Kashmir Hill of Forbes, San Francisco-based EHR developer may be in hot water over its handling of patient reviews which became public, potentially exposing sensitive patient data as well as personally identifiable information (PII).*
Editor’s note: Practice Fusion has responded to the article in Forbes. See the response in the comments section below.
The source of the problem is a doctor review site launched by Practice Fusion in April:
The site came as a surprise to some doctors — who knew the start-up emailed their patients appointment and prescription reminders but didn’t realize it had been reaching out to their patients after visits asking for reviews. And it is likely a surprise to some of the patients whose reviews are available publicly on the site. There are candid reviews with sensitive medical data and “anonymous reviews” that contain patients’ full names and/or contact details, suggesting they didn’t realize that what they were writing was going to be made public.
Around March, Practice Fusion informed physicians of their intentions with the review site and even game them a glimpse of what patients would receive, but the problem appears to be a lack of any mention that the reviews would be made public, reports Hill.
A representative from the company told Forbes that its practices are reviewed by HIPAA experts and that the emails themselves were HIPAA compliant. However, Hill has pointed to the possibility that the company could be motivated by a more business-oriented end. “While Practice Fusion says contacting patients for reviews is a service done on behalf of doctors — as is required by HIPAA — the cynical take is that they used their access to patient records for business purposes — to build a review site to compete with ZocDoc and Yelp,” she writes.
If patients weren’t properly informed about the public nature of their feedback and didn’t provide informed consent, I’d say that Practice Fusion has a whopping HIPAA privacy disclosure breach on its hands. Hopefully, HHS is looking into this whole thing. And if healthcare providers didn’t fully understand how Practice Fusion would be using the information provide, then that’s a second round of complaints/matter to be investigated.
With Stage 2 Meaningful Use staring down eligible professionals and Stage 1 still a focus on some providers late to the game, Practice Fusion’s handling of the situation could end up costing them in one form or another.