PaymentsMD, LLC, and its former CEO, Michael C. Hughes, recently settled separate Federal Trade Commission complaints alleging they misled consumers who signed up for the company’s online health billing portal. In particular, the FTC was concerned about misleading statements surrounding data the company collected. According to the FTC, PaymentsMD operated a website where consumers could register and then pay their medical bills. In 2012, the FTC alleged that Payments MD also implemented a separate service called “Patient Health Report” to provide consumers with comprehensive online medical records. According to the complaints, PaymentsMD altered its registration process for its billing portal to add additional authorizations to contact healthcare providers and obtain medical information about the user. The FTC charged that consumers registering for the billing services would reasonably assume the authorizations were just for collection of billing information, especially since each authorization was presented in small windows with six lines of extensive text at a time, and all four could be “accepted” by checking one box. According to the FTC, PaymentsMD used the registration information to gather (or attempt to gather) information about users’ prescriptions, procedures, medical diagnoses, lab tests, test results, and more from pharmacies, medical testing companies, and insurance companies. Under the terms of the settlements, PaymentsMD and Hughes must destroy the health information collected, and are banned from deceiving consumers about the way they (and third parties) collect and use information. The parties must also obtain consumers’ affirmative express consent before collecting health information about them from a third party.
Tip: Companies that collect information from consumers online should clearly and prominently disclose the types of information collected, and how that information is collected, used, and shared – particularly for categories of sensitive information like health information. Companies putting together a consent mechanism should consider FTC concerns about “clear and prominent” when designing their consent process.