Last week, the Federal Trade Commission (FTC) announced (press release) that Practice Fusion, the largest cloud-based electronic health company in the United States, has agreed to settle FTC charges over deceptive practices involving the public disclosure of healthcare provider review information collected from consumers that included sensitive personal and medical information. Below is our review of the circumstances of the basis of the FTC complaint, a summary of the terms of the settlement, and a few pointers on how to avoid a similar situation. There are many lessons to be learned from this FTC complaint for all online providers, not only EHR providers. Read on …..

I. What Happened?

According to the FTC complaint, from April 5, 2012 until April 8, 2013, patients who visited an outpatient healthcare provider in the Practice Fusion system received an automated message post-visit asking the patient to review their recent visit. This email indicated that it was sent by the healthcare provider’s office for the purpose of improving service. A small line at the bottom of the email stated that it was “Sent on behalf of Doctor [Healthcare Provider’s Name]’s office” by Practice Fusion. A linked privacy policy did not indicate prior to April 8, 2013 that collected responses would be public displayed.

Clicking on the link in the email brought the consumer to a survey form. At the end of the form was a text box in which the consumer could leave a written review. Small, light grey type just above the box warned “For your protection, do not include any personal information.” Below the free text box, a pre-checked box indicated that the consumer could “[k]eep this review anonymous.” The only anonymizing factor was whether the review would be posted under an “Anonymous” user name or the consumer’s first name. It had no further effect on the information provided.

Consumers were then required to indicate affirmatively their consent to the terms of a “Patient Authorization” that included the statements: “I authorize my provider and Practice Fusion, Inc. to publish my review on the Practice Fusion website . . . . The purpose of publishing my review is to make it available to patients and prospective patients of my provider and other members of the public.” The Authorization further stated that the Health Insurance Portability and Accountability Act did not cover the information provided.

Practice Fusion did not publicly post these reviews during the period from April 2012 to April 2013. Thus, a consumer visiting the Practice Fusion website (the “Practice Fusion Site”) would not have found any posted reviews to give historical or contextual reference to the fact that the information provided would be publicly posted and not given to the healthcare provider being reviewed.

In April 2013, Practice Fusion’s healthcare provider directory portion of the Practice Fusion Site went live and approximately 613,000 consumer reviews were publicly available on the Practice Fusion Site. At that time, Practice Fusion also revised the automated email communications soliciting survey responses from consumers to state that the healthcare provider reviews will be publicly posted and changed the “Surveys and Ratings” section of the Practice Fusion Site privacy policy to state for the first time that survey responses will be made public.

II. The FTC Complaint

As described in the FTC complaint, for a full year beginning in April 2012, consumers submitted hundreds of healthcare provider reviews to Practice Fusion which included highly sensitive personally identifying and medical information, “such as their full name or phone number combined with a sensitive health condition, medications taken, medical procedures performed, or treatments received.” Examples include: a patient describing having received a prescription for Xanax and asking for an increased dosage, a parent writing on behalf of her suicidal daughter and including a contact phone number asking for immediate assistance; a named patient requested a callback to make an appointment and including a phone number; and a named patient identifying her hospital and anticipated chemotherapy visit.

In response to Practice Fusion’s public disclosure of this sensitive health information, the FTC filed a complaint alleging that Practice Fusion had engaged in deceptive acts or practices in violation of Section 5(a) of the Federal Trade Commission Act because Practice Fusion (1) represented directly or indirectly that the healthcare satisfaction survey responses would be sent to the patient’s healthcare provider and (2) failed to adequately disclose that the healthcare satisfaction survey responses submitted by consumers would be posted on the Practice Fusion Site, resulting in public disclosure of sensitive consumer medical and personal information.

III. The Proposed Settlement

The proposed FTC settlement agreement requires Practice Fusion, among other things, to:

  • Not misrepresent “in any manner, expressly or by implication” the extent to which it uses, maintains, and protects the privacy and confidentiality of any personally identifiable information, including the extent to which such information is made publicly available (including by posting on the Internet).
  • Clearly and conspicuously disclose to consumers, separate and apart from a “privacy policy” or “terms of use” or similar documents, that personally identifiable information is made publicly available (including by posting on the Internet) and obtain the consumer’s express affirmative consent to publicly display such information.
  • Cease (1) the public display of any healthcare provider review information obtained from consumer between April 5, 2012 and April 8, 2013 and (2) maintaining such information, except for review and retrieval by the applicable healthcare providers or as permitted to comply with applicable law, regulation, or legal process. Practice Fusion must provide a written statement to the FTC confirming compliance with these obligations within sixty (60) days after the effective date of the FTC Order.
  • Submit a compliance report to the FTC ninety (90) days after the effective date of the FTC Order and make available to the FTC information and subsequent compliance reports, as requested by the FTC from time to time.
  • Create and maintain documents related to compliance with the FTC order for a five (5) year period.
  • Comply with the FTC Order for a period of twenty (20) years.

Interested parties can submit public comments about the proposed settlement with Practice Fusion until July 8, 2016.

IV. Lessons Learned

Here are a few notable lessons to be learned from the Practice Fusion case, and not just for healthcare IT companies:

  • Use caution when dealing with personal health information! The protection of personal health information is on the radar of both consumers and consumer protection agencies, so handle this information with due care.
  • Clearly state your intentions when collecting personal information in all consumer-facing documents: consumers should be well aware of the actual purpose for which their personal information is collected and how their information is used and disclosed. The FTC emphasized in the Practice Fusion press release that “Companies that collect personal health information must be clear about how they will use it – especially before posting such information publicly on the Internet.”
  • Provide clear and conspicuous consumer disclosures at the point of collection and do not hide key disclosures in privacy policies. The FTC emphasizes that disclosures should be “clear and conspicuous” and encourages companies to make their disclosures in the same way the companies attempt to attract customers—with graphics, color, big print, prominent placement and clear wording.
  • Obtain express affirmative consent prior to publicly disclosing sensitive personal information. In the words of the FTC, “when healthcare information is at issue, it’s not the time to get cute with negative options or other less-than-clear methods of consent.”