Cloud-Based EHR Company Settles with FTC over Alleged Privacy Violations

Cloud-based EHR company Practice Fusion has agreed to settle a case with the Federal Trade Commission (FTC) after allegedly misleading consumers about the privacy of information collected by the company.

In 2012, Practice Fusion sent emails to consumers asking them to write reviews of their healthcare providers in order to populate its healthcare provider directory with data ahead of a planned 2013 launch.

Patients’ names and email addresses were taken from the company’s electronic health record service, and emails were sent to patients asking them to review their physicians. Patients were told that the reviews would “help improve your service in the future.” The emails appeared to have been sent by the patients’ healthcare providers.

By clicking the link in the email, patients were directed to an online form where they were asked questions relating to their most recent healthcare visit. The form included a free-text box in which patients could enter additional information. Many patients used the text box to submit highly personal information – information that under the HIPAA Rules would be classed as PHI.

Some patients entered their name and contact information in the text box; others described prescriptions they had been given or their medical conditions. One of the examples provided by the FTC was that of a consumer who wrote about her child, who was suffering from depression: “I think she is depressed and has stated several times this week that she wishes she was dead.”

The patients volunteered information; however, according to the complaint, it was not made clear that the reviews would be posted online and would be publicly available.

In the complaint it is alleged that Practice Fusion deceived consumers about the privacy of the information they submitted via the form. Patients were required to give their authorization for the data to be used by Practice Fusion, and those uses included posting the reviews on the company’s website.

However, patients were only required to click a check box to accept the terms and conditions; they were not actually required to read them.

According to Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, “Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public.” Rich went on to say “companies that collect personal health information must be clear about how they will use it – especially before posting such information publicly on the Internet.”

Under the terms of the settlement, Practice Fusion has agreed not to misrepresent the extent to which data will be used and must maintain and protect the privacy and confidentiality of all data collected from consumers in the future. Practice Fusion must also clearly and conspicuously disclose its terms and conditions prior to using consumers’ data. The terms and conditions relating to data collection and use must be kept separate from its general privacy policy.

Practice Fusion has also been prohibited from displaying any reviews it collected during the period of time covered by the complaint.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.