The Federal Trade Commission (FTC) announced on June 8, 2016 that Practice Fusion, the largest cloud-based electronic health record (EHR) company in the United States, had settled FTC charges that it violated Section 5(a) of the Federal Trade Commission Act (FTCA) by misleading consumers when soliciting reviews of their doctors, without sufficiently disclosing that these reviews would be publicly posted on the Internet, resulting in the public disclosure of patients’ sensitive personal and medical information.
If patients followed the link provided in the survey email to complete the patient satisfaction survey, Practice Fusion included mechanisms by which patients could consent to the terms of the Patient Authorization and to “[k]eep this review anonymous,” but the FTC considers neither mechanism sufficient. The personal information entered into the box for a written review was not anonymized, and patients could check the box indicating consent without actually having reviewed the Authorization in advance.
The FTC alleges that Practice Fusion engaged in deceptive acts or practices by representing, expressly or by implication, that survey responses would be communicated to the patient's healthcare provider, while failing to adequately disclose that it would also publish the responses publicly. According to the FTC, these facts would have been material to consumers in deciding whether or how to respond to the survey.
The proposed Agreement Containing Consent Order requires Practice Fusion to, among other things:
- Comply with the FTC’s Order for a 20-year period;
- Create and maintain detailed documents related to compliance with the Order for a five-year period;
- Submit a compliance report to the FTC and make subsequent reports available to the FTC upon request;
- Obtain consumers’ express affirmative consent to publicly display personally identifiable information;
- Not misrepresent the extent to which it uses, maintains, and protects the privacy and confidentiality of any personally identifiable information.
Along with releasing news of the proposed settlement, the FTC issued advice in a blog post to other EHR companies, including lessons for related businesses and other online providers. The lessons learned from the Practice Fusion Complaint and the proposed Agreement Containing Consent Order may be summarized as follows:
- Use caution when handling personal health information.
- Clearly state intentions for collecting and using data in all consumer communications and notices.
- Obtain consumers’ express affirmative consent before publicly disclosing any sensitive personal information. Implicit consent is not sufficient.
- A company bears the burden to educate consumers about how their personal information will be used.
- Ensure consumers’ consent is informed.
- Disclosures must be clear, conspicuous and noticeable. Use eye-catching methods for disclosures.
- Do not bury or attempt to hide disclosures with small or light text.
- Disclose critical information, such as the company’s intended use for the consumer’s personal information, in all consumer-facing communications and at the time of data collection.
The FTC will accept public comments about the proposed settlement until July 8, 2016.
In addition to the lessons described above, the FTC’s enforcement action reminds related businesses that HIPAA is not the only regulation that applies to the protection of healthcare information. Related businesses must therefore be attuned to the FTC’s jurisdiction over the security and privacy of health information in cases involving for-profit businesses, and must assess and prepare for the risks arising from the Commission’s general regulatory authority to prohibit unfair and deceptive trade practices.
The proposed settlement and the FTC blog post advice should focus related businesses and online cloud service providers that collect consumer health information on ensuring that adequate internal controls exist within their companies. As companies consider this settlement agreement, they should review the measures below and determine whether these controls are in place and operating effectively within their organization. Companies that adopt strong internal controls and good governance in these high-risk areas may be better able to manage their legal compliance obligations as they conduct business operations in these areas.
- Establish oversight of data governance from the highest levels of the company.
- Establish accountability among the executive team for business decisions involving the use of data.
- Evaluate and respond to internal proposals relating to the use of collected data and information obtained in connection with data use, analytics or publication.
- Monitor the implementation of, and compliance with, company processes and, when appropriate, propose revisions to the policies and procedures adopted by the company.
- Provide oversight to senior management, the chief technology officer, and company employees in their efforts to reinforce good business practices and maintain legal compliance.
- Conduct annual evaluations of the company’s data governance practices.
- Consult with any advisors necessary to ensure that the company conducts its business activities in compliance with the law.