“I would like to make an appointment for my back pain and possible shingles. Can you please call me @ [phone number]. Thank you! [patient name]” – Patient Review, December 31, 2012

The Federal Trade Commission (FTC) and cloud-based electronic health record company Practice Fusion, Inc. (Practice Fusion), recently agreed to a proposed settlement to resolve allegations that the company engaged in deceptive practices in soliciting and handling consumer-generated health information over a 12-month period. According to the FTC complaint, Practice Fusion operated a service for healthcare providers that allowed patients to make and track appointments, access their electronic health records, and directly communicate with providers via a secure web portal. As part of a plan to offer a public directory of physicians, accompanied by patient reviews, Practice Fusion e-mailed patients post-visit satisfaction surveys that appeared to have come directly from the provider. Believing that the surveys were a private communication with the provider, patients submitted hundreds of responses with their names, phone numbers and personal health information.

The FTC complaint enumerated a number of misrepresentations contained in the survey that resulted in the public posting of patient information:

  • The survey appeared to have come directly from the healthcare provider after the patient’s visit.
  • The text of the warning to patients not to include personal information in the survey’s open text fields appeared in small font that was a very light color.
  • The check box for “keep this review anonymous” only anonymized the name of the patient and not the open text information.
  • The check box that said “I agree to the terms of the Patient Authorization” did not require the patient to read the Patient Authorization prior to checking the box.
  • The Patient Authorization stated that the patient was authorizing the provider and Practice Fusion to publish the survey response on the website with the purpose of making the review available to the provider’s current and prospective patients and members of the public.

In April 2013, Practice Fusion publicly launched the provider directory portion of the website, posting approximately 613,000 reviews the company had collected from patients during the previous year. At the same time, Practice Fusion updated the patient survey to indicate that reviews “may be publicly visible on Practice Fusion to help patients find doctors in the area” and to state that survey responses would be public.

Only after the Forbes Technology Blog published an article about the company’s public directory that noted the posting of sensitive information did Practice Fusion, weeks later, implement automated procedures to identify and take down reviews containing personal information from the Internet.
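The two design failures described above (an “anonymous” option that strips only the name while the free-text field is published untouched, and a consent box that can be checked without the authorization ever being shown) and the later automated take-down of reviews containing personal information can be illustrated in code. The following Python is an added example written for this page; it is not Practice Fusion’s code, and the regular expressions, the short list of health terms, the sample reviews and the field names (`anonymous`, `consent_after_reading`) are all constructed for illustration.

```python
import re

# Constructed sample survey responses (not data from the page). The first mirrors
# the kind of free-text entry quoted at the top of the article.
SAMPLE_REVIEWS = [
    {"id": 1, "name": "Jane Doe", "anonymous": True, "consent_after_reading": False,
     "text": "Great visit. Please call me at 555-0134 about my shingles."},
    {"id": 2, "name": "John Roe", "anonymous": False, "consent_after_reading": True,
     "text": "Friendly staff, short wait."},
    {"id": 3, "name": "Pat Lee", "anonymous": False, "consent_after_reading": True,
     "text": "Email me at pat@example.com about my prescription."},
]

# Illustrative detectors for the personal information the complaint describes:
# phone numbers, e-mail addresses and a deliberately small set of health terms.
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?(?:\(?\d{3}\)?[-. ]?)?\d{3}[-. ]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HEALTH_RE = re.compile(r"\b(shingles|diagnos\w*|prescription|pain)\b", re.IGNORECASE)


def weak_anonymize(review):
    """The failure mode in the complaint: 'anonymous' removes only the name,
    while whatever the patient typed into the open text field is kept as-is."""
    out = dict(review)
    if review["anonymous"]:
        out["name"] = "Anonymous"
    return out


def contains_personal_info(text):
    """True if the free text carries contact details or health information."""
    return bool(PHONE_RE.search(text) or EMAIL_RE.search(text) or HEALTH_RE.search(text))


def redact(text):
    """Replace contact details so a withheld review can still be shown privately
    to the provider without exposing the patient's phone number or e-mail."""
    text = PHONE_RE.sub("[phone removed]", text)
    text = EMAIL_RE.sub("[email removed]", text)
    return text


def publish_decision(review):
    """Corrected handling. Returns ('publish', record) or ('withhold', reason).

    Consent counts only when it was recorded after the authorization was
    actually displayed (the settlement's 'clearly and conspicuously disclose
    ... and obtain affirmative consent'), and free text is screened before
    anything reaches the public directory.
    """
    if not review["consent_after_reading"]:
        return ("withhold", "no affirmative consent recorded after authorization was shown")
    if contains_personal_info(review["text"]):
        return ("withhold", "free text contains personal or health information")
    record = {"id": review["id"],
              "name": "Anonymous" if review["anonymous"] else review["name"],
              "text": review["text"]}
    return ("publish", record)


def reviews_to_take_down(published):
    """The after-the-fact sweep: scan already-published records and return the
    ids of those whose text contains personal information."""
    return [r["id"] for r in published if contains_personal_info(r["text"])]


if __name__ == "__main__":
    for r in SAMPLE_REVIEWS:
        print(r["id"], weak_anonymize(r)["name"], "->", publish_decision(r))
    print("take down:", reviews_to_take_down([weak_anonymize(r) for r in SAMPLE_REVIEWS]))
```

Run as a script, the weak path leaves the phone number and condition in review 1 untouched, the corrected path withholds reviews 1 and 3 and publishes only review 2, and the sweep over weakly anonymized records flags ids 1 and 3 for removal.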

The proposed settlement agreement defines “Covered Information” to include “health information, including demographic data that relates to past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present or future payment for the provision of healthcare to the individual,” and requires that Practice Fusion:

  • Prior to making patient information publicly available, clearly and conspicuously disclose – separate and apart from a privacy policy, terms of use or other similar document – that it is making the information publicly available and obtain the patient’s affirmative consent;
  • Not publicly display or maintain any healthcare provider review information that the company collected from consumers during the time period covered by the complaint; and
  • Submit a compliance report within 90 days after the effective date of the settlement agreement.

Under the terms of the proposed settlement agreement, Practice Fusion must also collect and retain the following documentation for a period of five years:

  • All records of consumer complaints concerning covered information, whether received directly or indirectly, and any response.
  • All records necessary to demonstrate full compliance with the settlement agreement, including submissions to the FTC.
  • All forms, websites and other methods used by Practice Fusion to obtain feedback from patients on the company’s own behalf or on behalf of its healthcare provider customers.
  • A copy of each widely disseminated representation by Practice Fusion that describes the extent to which it maintains or protects the privacy and confidentiality of covered information, including any representation concerning a change in any website or other service controlled by the company that relates to the privacy and confidentiality of covered information.
  • All records, prepared by or on behalf of Practice Fusion, that show noncompliance with the settlement agreement.

The FTC also prepared compliance recommendations that contain six suggested “health privacy pointers” to help business entities manage consumer-generated health information “with particular care,” including obtaining the express affirmative consent of consumers before publicly disclosing sensitive information and an admonition not to “bury key facts in a hard-to-understand privacy policy.” Noting that “companies accustomed just to HIPAA may be less familiar with the FTC’s approach,” the compliance recommendations encourage businesses to consult FTC resources for “compliance fundamentals.”