The Federal Trade Commission (FTC) announced on June 8, 2016 that Practice Fusion, the largest cloud-based electronic health record (EHR) company in the United States, settled FTC charges that it violated Section 5(a) of the Federal Trade Commission Act (FTCA) by misleading consumers when soliciting reviews of their doctors, without sufficiently disclosing that these reviews would be publicly posted on the Internet, resulting in the public disclosure of patients’ sensitive personal and medical information.

According to the FTC complaint, for over one year, Practice Fusion emailed patients requesting that they complete patient satisfaction surveys and reviews of their providers’ services. Practice Fusion sent these post-visit emails to patients representing that the survey was a tool “to help improve your service in the future,” and that the emails were sent on behalf of the doctor’s, or other healthcare provider’s, office, and stating, “Thank you, [Healthcare Provider’s Name],” at the close of the email. In the smallest and lightest type used in the email, Practice Fusion included text reading: “Sent on behalf of [Healthcare Provider’s Name] office by: Practice Fusion….” While the email contained a link to Practice Fusion’s Privacy Policy, the Policy contained no notice that Practice Fusion would publish patient reviews online.

If patients followed the link provided in the email to complete the patient satisfaction survey, Practice Fusion included mechanisms by which patients could consent to the terms of the Patient Authorization and to “[k]eep this review anonymous,” but the FTC considers neither mechanism sufficient. The personal information entered into the box for a written review was not anonymized, and patients could check the box indicating consent without actually reviewing the Authorization in advance.

While patient reviews collected prior to April 2013 were not immediately available online, Practice Fusion incorporated these 613,000 reviews in its online healthcare provider directory which became publicly available starting in April 2013. These reviews contained identifying information such as full name or phone number combined with sensitive health condition, medications taken, medical procedures performed, or treatments received. At the time Practice Fusion’s directory became public, Practice Fusion revised its emails soliciting patient feedback to state that provider reviews will be publicly posted and also modified its privacy policy to state that responses will be made public.

The FTC alleges that Practice Fusion engaged in deceptive acts or practices by representing expressly or by implication that survey responses would be communicated to the patient's healthcare provider, and failed to adequately disclose that it also would publish the responses publicly. According to the FTC, these facts would have been material to consumers in deciding whether or how to respond to the survey.

The proposed Agreement Containing Consent Order requires Practice Fusion to, among other things:

  • Comply with the FTC’s Order for a 20-year period;
  • Create and maintain detailed documents related to compliance with the Order for a five-year period;
  • Submit a compliance report to the FTC and make subsequent reports available to the FTC upon request;
  • Obtain consumers’ express affirmative consent to publicly display personally identifiable information;
  • Provide a clear and conspicuous notice to consumers – separate from a privacy policy or terms of use – that personally identifiable information is made publicly available;
  • Not misrepresent the extent to which it uses, maintains, and protects the privacy and confidentiality of any personally identifiable information.

Along with releasing news of the proposed settlement, the FTC issued advice in a blog post to other EHR companies, including lessons for related businesses and other online providers. Lessons learned from the Practice Fusion Complaint and the proposed Agreement Containing Consent Order may be summarized as follows:

  • Use caution when handling personal health information.
  • Clearly state intentions for collecting and using data in all consumer communications and notices.
  • Obtain consumers’ express affirmative consent before publicly disclosing any sensitive personal information. Implicit consent is not sufficient.
  • A company bears the burden to educate consumers about how their personal information will be used.
  • Ensure consumers’ consent is informed.
  • Disclosures must be clear, conspicuous and noticeable. Use eye-catching methods for disclosures.
  • Do not bury or attempt to hide disclosures with small or light text.
  • A privacy policy and terms of use are no longer the only places to convey critical information to consumers about the purpose of data collection or the company’s intended use of the data.
  • Disclose critical information, such as the company’s intended use for the consumer’s personal information, in all consumer-facing communications and at the time of data collection.
  • Confirm the company’s privacy policy and terms of use accurately reflect intended uses for collected personal information.

The FTC will accept public comments about the proposed settlement until July 8, 2016.

In addition to the lessons described above, the FTC’s enforcement action reminds related businesses that HIPAA is not the only regulation that applies to the protection of healthcare information. Related businesses must therefore be attuned to the FTC’s jurisdiction over the security and privacy of health information in cases involving for-profit businesses, and must assess and prepare for the risks arising from the Commission’s general regulatory authority to prohibit unfair and deceptive trade practices.

The proposed settlement and the FTC blog post advice should focus related businesses and online cloud service providers that collect consumer health information on ensuring that adequate internal controls exist within their companies. As companies consider this settlement agreement, they should review the measures below and determine whether these controls are in place and operating effectively within their organization. Companies that adopt strong internal controls and good governance in these high-risk areas may be better able to manage their legal compliance obligations as they conduct business operations in these areas.

  • Establish oversight of data governance from the highest levels of the company.
  • Establish accountability among the executive team for business decisions involving the use of data.
  • Evaluate and respond to internal proposals relating to the use of collected data and information obtained in connection with data use, analytics or publication.
  • Monitor the implementation of, and compliance with, processes and, when appropriate, propose revisions to the policies and procedures the company has adopted.
  • Provide oversight to senior management, the chief technology officer, and company employees in their efforts to reinforce good business practices and maintain legal compliance.
  • Conduct annual evaluations of the company’s data governance practices.
  • Consult with any advisors necessary to ensure that the company conducts its business activities in compliance with the law.