EHR vendor Practice Fusion has reached a settlement agreement with the Federal Trade Commission (FTC) over charges that it misled consumers about doctor reviews, which were posted publicly without properly informing those consumers of plans to disclose this information.
“Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Companies that collect personal health information must be clear about how they will use it — especially before posting such information publicly on the Internet.”
As part of the settlement, Practice Fusion is required to disclose plans for making consumer information publicly available and receive consumer consent prior to doing so. The data collected is also restricted from being used publicly.
The charges date back to 2012 and 2013, when the EHR vendor planned to launch Patient Fusion, a public healthcare provider directory. The FTC complaint alleges that, beginning in 2012, Practice Fusion contacted patients on behalf of their providers after visits and asked these consumers to rate their providers without specifying how this information would be used:
According to the complaint, consumers who clicked on the five-star rating image in the e-mail were taken to an online survey form with questions about their recent medical visit. The survey included a text box where patients could enter any information they wished within a set character limit. Because patients likely thought the information was only shared with their provider, many of them included in the text box their full name or phone number along with personal health information inquiries.
In April 2013, the EHR company launched its Patient Fusion site, comprising an estimated 613,000 reviews. At that time, Practice Fusion revised both its email communications to consumers and its section on surveys and ratings to include statements that consumer feedback could be made public.
The crux of the complaint is the belief of consumers and providers that their responses would remain private.
"Consumers submitted hundreds of survey responses where they disclosed identifying information such as their full name or phone number combined with a sensitive health condition, medications taken, medical procedures performed, or treatments received," the complaint stated.
The settlement agreement does not require Practice Fusion to accept or deny these allegations.
The EHR company issued a statement in response to the settlement:
The proposed consent agreement is not related to our core businesses, nor how we have operated the survey feature since April 2013. It does not represent an admission of wrongdoing by Practice Fusion, and there are no monetary damages imposed on Practice Fusion. The complaint associated with the consent agreement does not allege that anything that we are currently doing is problematic.
Since our inception, Practice Fusion has been committed to providing small, independent physician practices sophisticated, easy-to-use health care technology to help them modernize their practices and better treat their patients. We are proud of our accomplishments and look forward to continuing to serve our customers and enable physicians to improve their quality of care.
The FTC complaint followed a Forbes report in 2013 on the contents of Patient Fusion, which included personally identifiable information.
"The site came as a surprise to some doctors – who knew the start-up emailed their patients appointment and prescription reminders but didn’t realize it had been reaching out to their patients after visits asking for reviews," reported Kashmir Hill. "And it is likely a surprise to some of the patients whose reviews are available publicly on the site. There are candid reviews with sensitive medical data and 'anonymous reviews' that contain patients’ full names and/or contact details, suggesting they didn’t realize that what they were writing was going to be made public."
An official post on the FTC's blog provides a series of health privacy pointers for health IT companies following the settlement:
- If personal health information is involved, handle it with particular care.
- Explain your intentions.
- Get consumers’ express affirmative consent before publicly disclosing sensitive information.
- Disclosures should reach out and grab consumers.
- Consult FTC resources for business.
The FTC is accepting comments on the proposed consent agreement through July 8, 2016.