Privacy & Information Security Law Blog

On June 8, 2016, the Federal Trade Commission announced that Practice Fusion, an electronic health records company, agreed to settle FTC charges that the company misled consumers about the privacy of doctor reviews submitted to the company.

According to the FTC’s complaint, Practice Fusion operated a website, Patient Fusion, which enabled patients to view and download their health records and transmit them to health care providers. In 2013, Practice Fusion created a public-facing directory on the website of health care providers. The directory would enable patients to search for providers and read patient reviews of those providers. To build the directory, Practice Fusion emailed surveys to patients asking for these reviews. The survey contained a free text box that advised patients to “Please leave a review for your provider,” which was accompanied by an admonition to “not include any personal information” in the review. A box stating “Keep this review anonymous” at the bottom of the survey was pre-checked, although that did not anonymize the information in the review, but rather only posted the review on the website as coming from “Anonymous.” Finally, patients were required to check a box agreeing to a Patient Authorization, but were not required to view the authorization, which stated that reviews would be posted publicly.

The Patient Fusion website published the patient reviews, which in some cases included patient names and phone numbers, as well as information regarding patients’ medical conditions and medications they were taking. Importantly, these reviews included those taken from patients before April 2013, when Practice Fusion updated its privacy policy to indicate, for the first time, that the patients’ doctor reviews would be “presumed public.” Taken together, the FTC alleged that Practice Fusion “failed to disclose adequately” that it would “publish the responses on its public healthcare provider review website.” Because this information would be “material to consumers in deciding whether or how to respond to the survey,” Practice Fusion’s failure to disclose it constitutes a deceptive act or practice.

The proposed Agreement Containing Consent Order will obligate Practice Fusion to:

• not misrepresent the extent to which Practice Fusion uses, maintains and protects the privacy and confidentiality of any covered information, including the extent to which personal information shall be made publicly available, including by posting on the Internet;
• prior to making any patients’ covered information publicly available:
  • clearly and conspicuously disclose to the consumer, separate and apart from “privacy policy,” “terms of use” page, or similar document, that such information is being made publicly available, including by posting on the Internet; and
  • obtain the consumer’s affirmative express consent;
• not publicly display any healthcare provider review information, and not maintain any healthcare provider review information, except for review and retrieval by its healthcare provider customers;
• deliver the order to relevant company officers, employees and others;
•  submit compliance reports and notices to the FTC; and
• retain certain specified records for five years, including any records necessary to demonstrate full compliance with the Consent Order.

In the press release announcing the settlement, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, stated that “[c]ompanies that collect personal health information must be clear about how they will use it – especially before posting such information publicly on the Internet.”

This is the second important FTC enforcement action in the healthcare space in 2016. In January, we reported on the FTC’s settlement with Henry Schein Practice Solutions, Inc., a dental office management software provider.