What do you get when you combine two of the highest-profile consumer protection topics: health privacy and consumer-generated online content? A proposed FTC settlement with Practice Fusion, the largest cloud-based electronic health records company in the United States, and six compliance tips for other companies in the industry.
One of San Francisco-based Practice Fusion’s key products is an electronic records system for outpatient providers. In 2009, the company launched “Patient Fusion,” an online portal where patients whose providers already use Practice Fusion can view or download their health information or transfer it to other providers. Patient Fusion also allows patients to send and receive secure messages from their providers.
A few years later, the company decided to expand Patient Fusion to include a public directory where current and prospective patients could search for doctors by location or specialty, read patient reviews of providers, and request an appointment. But Practice Fusion had to ask itself a question familiar to many online companies: how do we get content, in this case patient reviews? That question is the focus of the FTC lawsuit.
According to the complaint, Practice Fusion collected the reviews in a misleading way that led some patients to believe they were sending follow-up information about diagnoses, treatments, prescriptions and the like directly to their doctors, rather than contributing content to a public website. Practice Fusion then populated its new public site with the information these individuals provided, some of which was highly sensitive.
Here’s how it worked. After making an appointment with a doctor, patients received an email titled “How was your visit?” The message continued, “To help improve your service in the future, please let us know about your visit,” and included a link next to a star rating. The message ended like this:
Thank you,
Dr. [Name]
The footer of the message read: “This email was sent to you by Patient Fusion® on behalf of Dr. [Name] to provide the highest quality care to patients.” Below that, in smaller type: “Sent on Behalf of Dr. [Name]’s Office: Practice Fusion.”
If patients clicked the link, they were taken to a page asking for feedback on how long they had to wait for their appointment, the doctor’s bedside manner, and whether their medical concerns were addressed.
There was also a text box inviting patients to “leave a review for your provider.” Below it was a pre-checked box that said “Keep this comment anonymous.”
What did some people put in that box? Highly sensitive information that they evidently believed they were sending directly to their doctors, not publishing as a review. Here are just a few examples:
- “Dr. [name], the Xanax prescription I received on Monday was for 1 pill a day, but normally it is 2 pills a day. I haven’t taken it to the pharmacy yet. Can I buy a new one, or can I go to the pharmacy and get a prescription? Thanks, [patient’s full name]”
- “I called today and left a message about my daughter but no one has returned my calls. I think she is depressed and has stated multiple times this week that she wishes she was dead. Can someone please call me [phone number]?”
- “Cefuroxime axetil doesn’t seem to be doing anything for me. I’ve done some research and I think I have a yeast infection called candida. Not sure what to do yet. I think I’ll try changing my diet first. Habits? Drugs? [patient’s full name]”
- “I would like to make an appointment to treat my back pain and possible shingles. Can you call me @ [phone number]? Thank you! [patient’s full name]”
- “I don’t have an infection, [healthcare provider name]. Everything went well after my visit, so it’s my chemo day… Thanks. Hope I’ll see you at Methodist Hospital tomorrow… Thanks… [patient’s full name]”
In the smallest, lightest font on the page, a note read: “To protect your interests, please do not include any personal information.” But the FTC said the information some patients entered into the box (full name, phone number, the prescription they received or the surgery they had) showed that they believed they were sending follow-up questions directly to the doctor’s office.
What about that pre-checked “Keep this comment anonymous” box? According to the FTC, it did not anonymize the content of what patients wrote. It only controlled whether the review appeared as “Anonymous” or under the patient’s name on the public Patient Fusion website.
According to the FTC, this went on for about a year, until Forbes highlighted the sensitivity of some of the comments and questions that had been entered in the text box and published on Patient Fusion. Only then did the company implement automated procedures to prevent the publication of reviews in which consumers had entered personal information.
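As an added illustration (not code from the FTC, Forbes or Practice Fusion), here is the difference between the two mechanisms the post describes, in code: the “anonymous” flag changes only the byline, while a pre-publication hold on submissions that read like private messages to the doctor is what actually keeps personal information off a public page. The sample submissions and the signal patterns are constructed assumptions, not the company’s actual filters.

```python
import re

# Constructed sample submissions, modelled on the kinds of text the FTC quoted.
# Names, numbers and drug mentions are placeholders, not real patient data.
SAMPLE_REVIEWS = [
    {"author": "Jane Q. Patient", "anonymous": True,
     "text": ("Dr. Example, the prescription I got Monday was for 1 pill a day, "
              "not 2. Can you call me at 555-0137? Thanks, Jane Q. Patient")},
    {"author": "Sam Reviewer", "anonymous": False,
     "text": "Friendly staff, short wait, my questions were answered."},
]

# Assumed signals that a "review" is really a private message to the provider.
SIGNALS = {
    "phone_number": re.compile(r"(?:\b\d{3}[-.\s])?\b\d{3}[-.\s]\d{4}\b"),
    "contact_request": re.compile(r"\b(?:call|text|email|phone)\s+me\b", re.I),
    "clinical_detail": re.compile(
        r"\b(?:prescription|dosage|refill|diagnos\w*|chemo\w*|surgery|pills?)\b", re.I),
}

def display_name(review):
    """The only thing the pre-checked 'anonymous' box changed: the byline."""
    return "Anonymous" if review["anonymous"] else review["author"]

def pii_findings(review):
    """Return the signals found in the review body, regardless of the byline."""
    found = [label for label, rx in SIGNALS.items() if rx.search(review["text"])]
    # A body signed with the submitter's own name reads like a letter to the doctor.
    if review["author"].lower() in review["text"].lower():
        found.append("author_signature")
    return found

def triage(review):
    """Gate a submission before it reaches a public page.

    Anything that looks like a provider-directed message containing personal
    information is held for human review rather than published with a scrubbed byline.
    """
    reasons = pii_findings(review)
    if reasons:
        return {"status": "hold_for_review", "reasons": reasons}
    return {"status": "publish", "byline": display_name(review), "text": review["text"]}

if __name__ == "__main__":
    for r in SAMPLE_REVIEWS:
        print(display_name(r), "->", triage(r)["status"])
```

Note that the first sample is flagged even though its byline would have read “Anonymous”: the flag never touched the body, which is exactly the gap the FTC describes.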
The complaint separately alleges that Practice Fusion expressly or implicitly represented that survey responses would go to consumers’ health care providers, but failed to adequately disclose that it would also publish those responses. According to the FTC, that fact is material to consumers’ decisions about whether or how to respond to the survey.
To resolve the case, Practice Fusion agreed not to misrepresent the extent to which it uses, maintains and protects the privacy and confidentiality of any covered information. In addition, before publicly disclosing covered information, the company must first: 1) clearly and conspicuously disclose to consumers its intent to make the information public, separate from a privacy policy, terms of use page, or similar document; and 2) obtain consumers’ affirmative express consent.
The terms of the settlement apply only to Practice Fusion, but others in the industry can learn from it.
If personal health information is involved, handle it with special care. Consumers are concerned about the confidentiality of their health information, and they have good reason to be. Given how much is at stake, industry members should take note and proceed with caution.
Explain your intentions. Especially with new products and services, don’t assume consumers share your expertise. Be straightforward and use plain language to explain what you intend to do with their information.
Obtain explicit consent from consumers before publicly disclosing sensitive information. Companies interested in winning loyal customers (and staying out of legal quicksand) will ask consumers for permission before disclosing personal data and wait for a clear “yes” before proceeding. When sensitive health information is at stake, this is not the time to rely on negative options or other less clear forms of consent.
Disclosures should reach and engage consumers. Healthcare IT is attracting companies that may not be familiar with the Commission’s approach, so here’s some FTC 101: if a disclosure is necessary to prevent deception, it must be clear and conspicuous. For the FTC, “clear and conspicuous” is a performance standard, not a font size. Fine-print footnotes, dense blocks of text, jargon-filled passages, or cryptic hyperlinks probably will not cut it. So if companies need to disclose information, how can they make it clear and conspicuous? Here’s a rule of thumb: when you really want to grab a potential customer’s attention, think about the eye-catching methods you already use regularly: graphics, color, large fonts, prominent placement, clear wording, and so on.
Don’t bury key facts in a privacy policy that’s difficult to understand. You’ll have to read the complaint for the details, but after Practice Fusion began collecting and publishing consumer survey responses, it changed the language in its privacy policy without explicitly disclosing the information on the survey page itself. Of course, a company’s privacy policy and terms of use pages should be accurate and easy to understand, but it would be unwise to rely on those pages as the sole means of communicating key details (for example, that you intend to publicly release a consumer’s sensitive health information).
Check out the FTC’s business resources. Companies accustomed only to HIPAA may not be familiar with the FTC’s approach. Visit the Business Center to learn the compliance basics. For example, .com Disclosures: How to Make Effective Disclosures in Digital Advertising discusses how to clearly communicate important information online. The Mobile Health Apps Interactive Tool can help you determine which federal laws (there may be more than one) apply to your business, and Mobile Health App Developers: FTC Best Practices offers guidance on sound privacy and security practices.
The FTC will accept public comments on its proposed settlement with Practice Fusion until July 8, 2016.