On June 8, 2016, the Federal Trade Commission announced that Practice Fusion, an electronic health records company, agreed to settle FTC charges that the company misled consumers about the privacy of doctor reviews submitted to the company.
According to the FTC’s complaint, Practice Fusion operated a website, Patient Fusion, which enabled patients to view and download their health records and transmit them to health care providers. In 2013, Practice Fusion created a public-facing directory of health care providers on the website. The directory would enable patients to search for providers and read patient reviews of those providers. To build the directory, Practice Fusion emailed surveys to patients asking for these reviews. The survey contained a free text box that advised patients to “Please leave a review for your provider,” which was accompanied by an admonition to “not include any personal information” in the review. A box stating “Keep this review anonymous” at the bottom of the survey was pre-checked, although that did not anonymize the information in the review; it only caused the review to be posted on the website as coming from “Anonymous.” Finally, patients were required to check a box agreeing to a Patient Authorization, but were not required to view the authorization, which stated that reviews would be posted publicly.
The proposed Agreement Containing Consent Order will obligate Practice Fusion to:
- not misrepresent the extent to which Practice Fusion uses, maintains and protects the privacy and confidentiality of any covered information, including the extent to which personal information shall be made publicly available, including by posting on the Internet;
- prior to making any patients’ covered information publicly available:
  - obtain the consumer’s affirmative express consent;
- not publicly display any healthcare provider review information, and not maintain any healthcare provider review information, except for review and retrieval by its healthcare provider customers;
- deliver the order to relevant company officers, employees and others;
- submit compliance reports and notices to the FTC; and
- retain certain specified records for five years, including any records necessary to demonstrate full compliance with the Consent Order.
In the press release announcing the settlement, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, stated that “[c]ompanies that collect personal health information must be clear about how they will use it – especially before posting such information publicly on the Internet.”
This is the second important FTC enforcement action in the healthcare space in 2016. In January, we reported on the FTC’s settlement with Henry Schein Practice Solutions, Inc., a dental office management software provider.