The FTC recently reinforced its commitment to protecting consumer health data in its settlement with electronic health record company Practice Fusion. The company, which stores consumer health data in a cloud for healthcare providers, was charged with misleading consumers when it sought patients’ reviews of their doctors without disclosing that the information would be shared online.

According to the complaint, patients were asked to rate their doctors in an email sent by the company. The email indicated that the patient’s information would be shared with his or her physician. After providing an initial review, patients were then sent to a survey where they could give more information about their recent appointment. Included in the survey was a text box where the patient could share comments. Here, many patients entered private information. This included full names, phone numbers, and details about medical conditions. Practice Fusion’s privacy policy did not indicate that the company would publicly post reviews by patients.

Practice Fusion then launched a website providing reviews of the physicians. These reviews included the patients’ names, telephone numbers, and health information that they provided in their surveys. It wasn’t until after the information was posted online that Project Fusion updated its privacy policy and implemented procedures to keep personal information from appearing on the site.

Per the settlement, Practice Fusion is prohibited from misrepresenting its use of consumer data. Additionally, the company must disclose that it will make information publicly available, separate from a general “privacy policy” or “terms of use” page, and receive the consumer’s affirmative express consent to do so. The company must also refrain from sharing healthcare provider review information with anyone other than its clients.

This settlement highlights the FTC’s continued efforts to protect the privacy of consumer health data. In April, the FTC released compliance tools and best practices specifically for health app developers to ensure they were complying with the FTC’s expectations for health data providers. This came just after the Director of the FTC Bureau of Consumer Protection testified to a Congressional subcommittee about the need for the Commission to have increased data security authority to address the area of health privacy. Collectively, these efforts make clear that as consumers increasingly turn to the internet for health information, the FTC will expect companies large and small to be aware of their obligations to consumers and to comply with them.