Analysis: FTC's Privacy Settlement with EHR Vendor
Attorney Explains When Regulations Other than HIPAA Apply
A settlement between the Federal Trade Commission and Practice Fusion, an electronic health records system vendor, serves as a reminder that regulations other than HIPAA apply to protecting patient privacy, says attorney Adam Greene, a healthcare regulations expert.
The FTC announced on June 8 that Practice Fusion agreed to settle charges that the cloud-based EHR vendor "misled consumers by soliciting reviews for their doctors, without disclosing adequately that these reviews would be publicly posted on the internet, resulting in the disclosure of patients' sensitive personal and medical information."
The FTC in its complaint against Practice Fusion charged the EHR vendor with "deceptive acts or practices" in violation of Section 5(a) of the Federal Trade Commission Act. In the settlement however, Practice Fusion does not admit to wrongdoing.
"One of the most important lessons [from this case] is that HIPAA is not the only law out there that covers healthcare information," says Greene, a partner at law firm Davis Wright Tremaine, who was not involved in the case. "This is an important reminder that the FTC also has jurisdiction" over the security and privacy of health information in cases involving for-profit businesses, he says in an interview with Information Security Media Group.
The settlement, which does not contain a financial penalty, prohibits Practice Fusion "from making deceptive statements about the privacy or confidentiality of the information it collects from consumers, and will also require the company, prior to making any consumers' information publicly available, clearly and conspicuously disclose this fact and obtain consumers' affirmative consent," the FTC says.
Although the Department of Health and Human Services' Office for Civil Rights is responsible for enforcing the HIPAA privacy and security rules, "the FTC has general regulatory authority to prohibit unfair and deceptive trade practices, and they've used that to mean any practices that really violate consumers' privacy or information security reasonable expectations," Greene says.
The FTC said Practice Fusion, as part of plans to launch a healthcare provider directory in 2013 that included patient reviews of physicians, began sending emails in April 2012 to patients of healthcare providers utilizing its EHR service. The emails appeared to be sent on behalf of the patients' doctors and asked consumers to rate their provider to "'help improve your service in the future.'"
The survey included a text box where patients could enter any information within a set character limit, the FTC said. However, because some patients mistakenly thought the information was only to be shared with their provider, many of the individuals included in the text box their names, phone numbers and personal health information.
As cited in the FTC complaint, postings on the Practice Fusion website included a patient, using their name, who asked a physician a question about dosing on "my Xanax prescription" and another patient who inquired about a facelift, Greene notes.
Organizations that allow free-form text fields to be used in collecting data from consumers run the risk of gathering sensitive personal information the entity wasn't expecting to get, he says. "[But] it can be very tough to screen when you have these text fields ... unless you proactively review everything or have sophisticated tools that may not be perfect in trying to identify information that doesn't belong there."
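The screening problem Greene describes can be reduced, though not eliminated, with a pre-publication gate: anything submitted through a free-text field is held for human review if it looks like it contains a phone number, an email address, a health term or a signed name, and nothing is published without the submitter's affirmative consent. The code below is an added illustration written for this article, not Practice Fusion's or the FTC's code; the regular expressions, the small health-term lexicon, the `consent_to_publish` field name and the sample submissions are all assumptions constructed for the example (the Xanax and facelift themes echo the complaint, but the wording is invented).

```python
import re

# Constructed sample submissions (not taken from the settlement record).
# Each is a free-text survey answer plus the submitter's explicit opt-in flag.
SAMPLE_SUBMISSIONS = [
    {"text": "Dr. Smith was great, very friendly staff.", "consent_to_publish": True},
    {"text": "Can I take my Xanax prescription twice a day? Call me at 555-123-4567. -- Jane Doe",
     "consent_to_publish": True},
    {"text": "I'd like to ask about getting a facelift next spring.", "consent_to_publish": True},
    {"text": "Parking was easy to find.", "consent_to_publish": False},
]

# Patterns for direct contact details. These are deliberately broad: the cost of a
# false positive is a manual review, the cost of a false negative is a public disclosure.
PHONE_RE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Assumed, illustrative lexicon. A real deployment would use a maintained
# medication and procedure vocabulary rather than a hand-picked set.
HEALTH_TERMS = {"xanax", "prescription", "dosing", "dose", "facelift", "diagnosis", "surgery"}

# A trailing "-- First Last" style sign-off, a common way patients identify themselves.
SIGNATURE_RE = re.compile(r"(?:--|-|~)\s*([A-Z][a-z]+(?:\s[A-Z][a-z]+)+)\s*$")


def screen_submission(text):
    """Return the reasons (in a fixed order) that text should be held before public posting."""
    flags = []
    if PHONE_RE.search(text):
        flags.append("phone_number")
    if EMAIL_RE.search(text):
        flags.append("email_address")
    words = {w.strip(".,?!").lower() for w in text.split()}
    if words & HEALTH_TERMS:
        flags.append("health_term")
    if SIGNATURE_RE.search(text):
        flags.append("possible_name")
    return flags


def triage(submissions):
    """Split submissions into (publishable, held) lists.

    A submission is held if the submitter did not affirmatively consent to public
    posting, or if the screener flagged anything. Held items carry their reasons so a
    reviewer knows what to look at; nothing is auto-published on a flag.
    """
    publish, hold = [], []
    for sub in submissions:
        reasons = screen_submission(sub["text"])
        if not sub.get("consent_to_publish", False):
            reasons = ["no_consent"] + reasons
        (hold if reasons else publish).append((sub["text"], reasons))
    return publish, hold


if __name__ == "__main__":
    ok, held = triage(SAMPLE_SUBMISSIONS)
    print("publishable:", [t for t, _ in ok])
    for text, reasons in held:
        print("HELD", reasons, "->", text)
```

The screener is intentionally a gate for review, not an automated redactor: as Greene notes, tooling of this kind "may not be perfect", so the safe default on any hit is to keep the text private until a person has looked at it.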
The FTC noted in its statement: "Companies that collect personal health information must be clear about how they will use it - especially before posting such information publicly on the internet."
In a blog post, Practice Fusion said the consent agreement signed with the FTC "does not represent an admission of wrongdoing by Practice Fusion, and there are no monetary damages imposed on Practice Fusion. The complaint associated with the consent agreement does not allege that anything that we are currently doing is problematic."
Greene notes that the FTC in 2014 settled a similar case with PaymentsMD, in which the medical billing company and one of its business associates allegedly collected information with patient authorization, "but the FTC thought the authorization was somewhat buried" in the online registration information provided to consumers.
In the interview, Greene also discusses:
- Why the Practice Fusion case is relevant to other health IT vendors and their customers;
- Lessons that organizations outside the healthcare sector can learn from the case;
- Why the Practice Fusion settlement with the FTC didn't contain a financial penalty.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.