FTC Orders Privacy Changes at Payments PortalExperts Compare PaymentsMD Case, HealthCare.gov Concerns
A new final order from the Federal Trade Commission that calls for medical billing company PaymentsMD to change its practices related to the collection and disclosure of consumers' personal health information raises issues that bear some similarities to concerns over Obamacare website HealthCare.gov's privacy practices.
The FTC recently approved a final settlement resolving complaints that Atlanta-based PaymentsMD and its former CEO, Michael C. Hughes, violated consumers' privacy by collecting personal medical information without their consent (see FTC Settles Deceptive Patient Portal Case).
The final order by the FTC resolves complaints the commission filed in early 2014, alleging the company and its CEO misled thousands of consumers who signed up for an online medical billing portal by failing to adequately inform them that the company would also seek detailed medical information from third parties, including pharmacies, medical labs and insurance companies.
As part of the settlement order, PaymentsMD agreed to destroy the consumer data it inappropriately collected, and it must obtain express consent from consumers before collecting health information from a third party.
Under the settlement, PaymentsMD must also not misrepresent how the company uses, maintains and protects the privacy and security of sensitive information collected from or about consumers. This includes sensitive consumer data that PaymentsMD seeks from, or shares with, third parties.
Similarities to HealthCare.gov Concerns?
Some privacy and security experts say the FTC's concerns about PaymentsMD's data privacy practices touch upon similar issues that emerged in a recent controversy over the Obamacare website HealthCare.gov sending consumer data to third-party commercial tracking websites (see HealthCare.gov Makes Privacy Fixes).
The Department of Health and Human Services last month made a number of fixes to the HealthCare.gov website to scale back the release of consumer data to third-party sites. The HHS fixes came in response to heavy criticism from privacy watchdogs who discovered that the HealthCare.gov site was sending personal information - including ZIP code, income level, smoking status, pregnancy status and more - to at least 14 third-party domains, even if the user had enabled "do not track."
"The FTC's enforcement [in the PaymentsMD case] does put the government in a strange spot, with the FTC bringing actions to impose greater transparency, while HHS fields criticism that its data sharing practices with respect to HealthCare.gov are not sufficiently transparent," says privacy attorney Adam Greene of law firm David Wright Tremaine. "But if the FTC had to wait for all of the federal government to demonstrate perfect privacy and security practices before taking actions against private entities, then we would not have much privacy and security enforcement anywhere."
Some privacy experts point out, however, that the FTC's complaint against PaymentsMD differs in several ways from the privacy concerns over HealthCare.gov.
"Reasonable minds can differ on whether it is appropriate for the government to share consumer information with third-party companies, but the [HealthCare.gov] website provides the consumer notice that such sharing could take place," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
Some members of Congress are seeking answers from the Obama administration about the privacy practices of HealthCare.gov in the wake of the revelation that consumer data was being sent to third-party sites. That includes a joint hearing dubbed, "Can Americans Trust the Privacy and Security of their Information on HealthCare.gov?" slated for Feb. 12 by the House Subcommittee on Research and Technology and House Subcommittee on Oversight.
But it's unlikely the FTC would get involved in the HealthCare.gov privacy dispute, Greene says.
"The issues surrounding HealthCare.gov may not be subject to FTC enforcement or that of most other privacy and security regulators," Greene says. "Rather, HealthCare.gov may be subject to the federal Privacy Act and Federal Information Security Management Act (FISMA), with the potential that the Department of Justice, HHS Office of Inspector General, or Government Accountability Office may be in the best position to review its practices. Of course, any issues surrounding HealthCare.gov represent a unique political firestorm."
The FTC case also offers a warning to others that deceive patients about their data privacy, he says. "The great majority of healthcare providers and operators of patient portals should be heartened that the government is policing the healthcare marketplace to weed out companies that undermine consumer trust by using deception to obtain private or sensitive information," Holtzman says.
The biggest impact of the FTC settlement with PaymentsMD, Greene says, is on "other commercial healthcare payment portals, with the PaymentsMD case providing guidance on what to do and what not to do." That's because "it is less clear whether the FTC case impacts most healthcare providers with respect to their patient portals, as there is some question regarding whether the FTC has jurisdiction over non-profits, since they arguably are not engaged in commerce."
Complaints Against PaymentsMD
According to the FTC complaint, PaymentsMD since 2008 operated a website on which consumers could pay their medical bills online. In 2012, PaymentsMD and a third-party vendor, Metis Health LLC, began developing a separate service, Patient Health Report, designed to provide consumers with online access to their comprehensive medical records.
The FTC alleged that to collect the patients' medical records to populate the Patient Health Record portal, PaymentsMD altered the registration process for its billing portal to include permission for the company and its partners to contact consumers' healthcare providers to obtain their medical information.
Neither PaymentsMD nor FTC responded to Information Security Media Group's request for comment.