Electronic Health Record Firm Settles With FTC Over Improper Patient Disclosures
Electronic health record company Practice Fusion settled FTC charges that it misled consumers into providing doctor reviews without telling them such feedback would be publicly posted on the internet, disclosing sensitive personal and medical information, the commission said in news release Wednesday. The commission voted 3-0 to issue an administrative complaint and accept the consent agreement, which will be published soon in the Federal Register and be open for public comment through July 8. “Companies that collect personal health information must be clear about how they will use it -- especially before posting such information publicly on the Internet," said FTC Consumer Protection Bureau Director Jessica Rich in a statement. The settlement will require the cloud-based EHR company to get a patient's "affirmative consent" and "clearly and conspicuously disclose" that such information would be publicly available, the release said. The agreement also bars the company from making deceptive privacy or confidentiality statements about collected patient data. FTC said Practice Fusion sought to launch a public healthcare provider directory in 2013 and, during the prior year, solicited feedback through a "satisfaction survey" from patients of providers using the company's EHR service. Patients believed such feedback would be shared only with their providers and many included personal data, such as their full name, phone number and medical inquiries, the release said. For example, one patient asked about a Xanax prescription and dosage, while another inquiry related to the mental state of the consumer's daughter and provided a phone number, the complaint said. Practice Fusion said in a blog post Wednesday the consent agreement "does not represent an admission of wrongdoing," doesn't impose monetary damages nor allege its current actions are "problematic."