FTC Settles with Health Records Company for Deceiving Consumers on Doctor Review Privacy | Practical Law

FTC Settles with Health Records Company for Deceiving Consumers on Doctor Review Privacy | Practical Law

Practice Fusion, Inc. has settled with the Federal Trade Commission (FTC) on charges that it deceived consumers by soliciting online doctor reviews without adequately disclosing that they would be posted on a publicly available provider directory and could include sensitive personal and health information.

FTC Settles with Health Records Company for Deceiving Consumers on Doctor Review Privacy

by Practical Law Intellectual Property & Technology
Published on 08 Jun 2016USA (National/Federal)
Practice Fusion, Inc. has settled with the Federal Trade Commission (FTC) on charges that it deceived consumers by soliciting online doctor reviews without adequately disclosing that they would be posted on a publicly available provider directory and could include sensitive personal and health information.
On June 8, 2016, the Federal Trade Commission (FTC) announced a settlement with Practice Fusion, Inc. on charges that it deceived consumers by soliciting online doctor reviews without adequately disclosing that they would be posted on a publicly available provider directory and could include sensitive personal and health information. The consent agreement requires Practice Fusion to take additional steps to provide clear notice to consumers and obtain their affirmative consent before disclosing sensitive information.
Practice Fusion, an electronic health records company, emailed patients of healthcare providers who use its system in a way that made the messages appear to have been sent on the doctors' behalf. Patients who clicked a link in the email were directed to an online survey that included a text box where they were asked to enter information about a recent medical visit.
Because they likely thought the information would only be shared with their providers, many patients included their full name or phone number along with personal health information in the text box. However, Practice Fusion posted this information in publicly available reviews on its website.
The FTC alleged that Practice Fusion violated Section 5(a) of the Federal Trade Commission Act (15 U.S.C. § 45(a)) by:
  • Misrepresenting that survey responses would be communicated to patients' healthcare providers.
  • Failing to adequately disclose that survey responses, including sensitive personal and health information, would be publicly posted on its website.
Under the settlement agreement, Practice Fusion:
  • Is prohibited from making deceptive statements about the privacy or confidentiality of information it collects from consumers.
  • Must, before making consumers' sensitive personal information publicly available:
    • provide clear and conspicuous notice that it is making the information publicly available, separate from any privacy policy, terms of use, or similar document; and
    • obtain affirmative consent.
  • Is prohibited from making publicly available the reviews it collected from consumers during the period covered by the complaint.
This FTC action is notable for applying heightened notice and consent requirements to the collection and disclosure of sensitive personal and health information.