When it comes to patient information, so much of the focus is on HIPAA. However, a proposed settlement announced on December 3, 2014 by the FTC serves as a reminder that the Federal Trade Commission (FTC) also enforces privacy matters. The FTC announced the proposed settlement with PaymentsMD, LLC and its former CEO for allegedly failing to adequately inform patients that it would seek detailed medical information from the patients’ health providers such as pharmacies, labs, and insurance companies. The FTC specifically alleged that the company operated a website for patients to pay their medical bills. The company later began developing a separate service to provide consumers with online medical records. To populate those records, the company allegedly needed to obtain the medical information. According to the FTC complaints, the company obtained patient authorization to collect the data through four authorizations on the website that were presented in small windows, displaying only six lines at a time of the extensive text. In addition, the complaints alleged that all four authorizations could be accepted by clicking just one box. The FTC also alleged that it was not made clear on the website that the patients would be giving permission to collect their medical information for the medical record product. Therefore, the FTC alleged that patients registering for the billing service would have reasonably believed that the authorizations were to be used for billing. Under the terms of the proposed settlements, the company and former CEO must destroy all patient information collected and are banned from deceiving consumers about the way they collect and use information. The FTC will publish a description of the proposed settlement in the Federal Register and the agreement will be subject to public comment through January 2, 2015. The important takeaway from this matter is that the even a disclosure allowed under HIPAA may subject a Covered Entity or Business Associate to FTC enforcement for practices that the FTC determines are “deceptive.”