On December 3, 2014, the Federal Trade Commission (FTC) announced that it reached a settlement with PaymentsMD, an Atlanta-based medical billing company, and its former CEO, Michael C. Hughes, for alleged violations of Section 5(a) of the Federal Trade Commission Act for using deceptive tactics to collect sensitive health information. Public comments on the FTC’s proposed Consent Orders are due January 2, 2015.
In a pair of concurrently issued administrative complaints (the Complaints), the FTC alleged that PaymentsMD, under the direction and control of Hughes, misled consumers by failing to inform them of the company’s plans to request the consumers’ detailed health information from third parties, such as health plans and pharmacies. According to the Complaints, in December 2011, PaymentsMD launched its “Patient Portal” product that enabled consumers to pay medical bills online and access detailed patient account information. As a follow-on to this product, PaymentsMD later partnered with consulting firm Metis Health LLC to develop a new fee-based service, the “Patient Health Report,” that allowed consumers to access, review and manage their health records through the Patient Portal account.
To populate the Patient Health Report, PaymentsMD and Metis Health purportedly contacted pharmacies, health plans and clinical laboratories to request sensitive health information for registered consumers. Metis Health allegedly sent over 5,000 information requests to 31 different companies, including health plans identified through PaymentsMD’s billing records and also contacted major commercial pharmacies located near consumers’ home addresses. Only one of the health care companies provided the requested information, according to the Complaints. The FTC alleged that PaymentsMD failed to inform consumers of the information collection efforts until after consumers registered for the Patient Portal service.
According to the FTC, even though one of the four authorizations specifically referenced a Personal Health Report, the Patient Portal interface nonetheless failed to adequately disclose that PaymentsMD planned to collect sensitive health information about consumers for the follow-on Patient Health Report service. Specifically, the Complaints allege that the Patient Health Report was framed as a “separate service” from the Patient Portal and that, although the Patient Portal registration process required consumers to consent to four separate authorizations, these authorizations were insufficient because they appeared in difficult-to-read small windows on the webpage and permitted a single-click authorization. This single-click authorization, according to the FTC, made it “easy to skip over them,” such that “[a]t no point . . . would it have been clear to the consumer that they were purportedly giving respondent permission to obtain their sensitive health information from third parties.”
Message of the Consent Order
Under the terms of the proposed Consent Orders approving the settlement, PaymentsMD and Hughes would agree to destroy all sensitive health information collected in relation to the Patient Health Report service. Further, the Consent Order requires PaymentsMD to obtain affirmative express consent from consumers before collecting information from third parties and provides clear instructions on the format and content of required disclosures.
The FTC has published the proposed Consent Orders in the Federal Register. The agreement will be subject to a 30-day public comment period. Once finalized, the orders remain binding on any future action by the parties. Violations may result in a civil penalty of up to $16,000 per violation. The Consent Orders would remain in effect for 20 years each and would necessitate that PaymentsMD and Hughes make certain information available to the FTC upon request for five years. Required documentation would include all forms used to obtain affirmative express consent to collect health information from third parties.
This settlement reveals that patient authorizations and collection of health information are an area subject to increased attention by the FTC. Companies involved in the collection of sensitive health information or solicitation of online patient authorizations should use extra caution when obtaining consent and take steps to make consents for related services prominent and distinct from those associated with the primary service. In particular, entities collecting health information from consumers or third parties should consider the safeguards proposed under the Consent Orders, such as the apparent “separate click” and “separate page” requirements to mitigate risk under the FTC Act and other potentially applicable laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).