It’s Not Just About HIPAA: Patient Communications and a Lesson from the FTC

In a one-count complaint, the Federal Trade Commission (FTC) alleges that Practice Fusion, the country's largest cloud-based electronic health records company, engaged in deceptive acts or practices in violation of Section 5(a) of the Federal Trade Commission Act.  Specifically, the FTC alleges that Practice Fusion misled the patients of its healthcare provider customers into believing they were sending private messages to their physicians, including messages containing their health information, when in fact they were submitting content to be published on a public website.  The enforcement action against Practice Fusion is sobering for any company whose products carry communications between patients and what the FTC calls "healthcare provider customers."

For several years, Practice Fusion has offered health care providers "Patient Fusion," an online patient portal through which patients can view or download their health information, transmit it to another provider, and exchange secure messages with their providers.  Practice Fusion later expanded Patient Fusion into a public provider directory that includes, among other things, patient reviews.  To gather those reviews, Practice Fusion emailed the patients of its provider customers; some patients followed the link in the email to a web page asking them to review their provider, including whether all of their medical concerns had been addressed.  The questionnaire instructed patients not to provide personal information and offered a checkbox by which a patient could ask that the review be kept anonymous.  Even so, many patients misunderstood what they were agreeing to and how the information they provided would be used on Patient Fusion.

The FTC alleges that these instructions and disclaimers were inadequate and misleading.  According to the complaint, patients who clicked on the five-star rating image in the email were taken to an online survey form with questions about their recent medical visit, including a free-text box in which patients could enter anything they wished, up to a set character limit.  Because patients likely believed that what they wrote would be shared only with their provider, many of them typed into that box their full name or phone number, together with health questions intended for their physician.

To settle the case, Practice Fusion has agreed not to misrepresent the extent to which it uses, maintains, and protects the privacy and confidentiality of any covered information. It also must: 1) clearly and conspicuously disclose to the consumer – separate and apart from a privacy policy, terms of use page, or similar document – its intention to make the information public; and 2) get the consumer’s express affirmative consent.

While the terms of the settlement bind only Practice Fusion, the FTC spells out the lessons it expects other companies that serve healthcare provider customers to draw from the case:

If personal health information is involved, handle it with particular care.  Consumers are concerned about the confidentiality of their health information and they have good reason to be. Given what’s at stake, industry members are on notice of the need for caution.

Explain your intentions. Especially for new products and services, don’t assume that consumers share your expertise. Be straightforward in your explanation and use simple words to explain what you want to do with their data.

Get consumers’ express affirmative consent before publicly disclosing sensitive information. Companies interested in winning loyal customers (and staying out of legal quicksand) ask consumers for permission before disclosing personal data and wait for a clear “yes” before proceeding. When healthcare information is at issue, it’s not the time to get cute with negative options or other less-than-clear methods of consent.

Disclosures should reach out and grab consumers. Healthcare IT is attracting companies that may not be familiar with the Commission’s approach, so here’s some FTC 101: If the disclosure of information is necessary to prevent deception, it must be clear and conspicuous. To the FTC, “clear and conspicuous” is a performance standard, not a font size. Chances are that fine print footnotes, dense blocks of text, jargon-filled doubletalk, or obscure hyperlinks won’t cut it. So if companies need to disclose information, how can they make it clear and conspicuous? Here’s a rule of thumb: Consider the same eye-catching methods you routinely use when you really want to grab a potential customer’s attention – graphics, color, big print, prominent placement, clear wording, etc.

Don’t bury key facts in a hard-to-understand privacy policy. You’ll want to read the complaint for the details, but after Practice Fusion started to collect consumer survey results for posting, it changed what it said in its Privacy Policy, but didn’t clearly disclose the information on the survey page itself. Of course, companies’ privacy policies and terms of use pages should be accurate and understandable, but relying on those pages as the exclusive means to convey critical details – for example, that you intend to post consumers’ sensitive health information publicly – is unwise.

The proposed settlement agreement is under review, and its final terms will be the subject of a future post on this blog.  In the meantime, the lessons noted above should be heeded by any company that solicits sensitive personal information from consumers online and publishes it, and appropriate policies and procedures should be developed and implemented accordingly.