Practice Fusion, Inc., an e-health records company, recently agreed to settle Federal Trade Commission (FTC) charges over privacy allegations regarding its patient review website. According to the FTC complaint, Practice Fusion hoped to populate a new website with responses from surveys it emailed to consumers who had recently visited their doctors. The surveys appeared to have come from the doctors (“sent on behalf of Doctor [XXX] by: Practice Fusion”) for the doctor’s purposes, namely as a “tool Doctor [XXX] uses to deliver the highest quality of care to patients.” Of particular concern, the company did not make it clear that the surveys consumers filled out would be publicly posted on the website (not used for the doctor’s purposes), in violation, the FTC alleged, of Section 5 of the FTC Act.
In filling out a review, consumers could rank (among other things) doctors’ bedside manner and wait time, as well as whether or not their medical concern was addressed. These questions were followed by a free-form text box, which directed consumers not to leave “any personal information.” Before submitting this information, customers had to agree to a “patient authorization,” but did not need to view it. If they had, they would have seen a disclosure that the individual was authorizing the doctor and Practice Fusion to post the review online. Reviews were collected for a year before the site went live, so consumers would not have seen how the content they submitted might be viewed. Given these factors, the FTC alleged, consumers were likely to believe the information they submitted would be private. Indeed, in this text box, the FTC indicated in its complaint, consumers provided confidential health information, including information about removed warts, chemo treatment, and the like, which information was subsequently posted online in connection with both the doctor’s and the patient’s names.
TIP: Companies that permit individuals to post information online should take care to ensure it is clear that information submitted will be publicly posted. This is particularly true when individuals using the website or service might submit sensitive information like medical or financial information.