FTC Settles Deceptive Patient Portal Case
Alleges Firm Collected Health Data Without Patients Knowing
A recent Federal Trade Commission settlement with a medical billing company shines a spotlight on deceptive practices related to the collection and disclosure of patients' personal health information.
The case illustrates why healthcare providers must scrutinize authorizations carefully before releasing patient health data to third parties, especially as the exchange of electronic health information between disparate organizations becomes more widespread. It also underscores the need for Web portal providers and others to explain clearly to consumers what data they collect and what they will do with that information.
The FTC disclosed earlier this month that it had settled a case with PaymentsMD, an Atlanta medical billing company, and its former CEO, Michael Hughes. As part of the settlement, the company agreed to destroy the consumer data it inappropriately collected.
The FTC earlier this year filed complaints against PaymentsMD and Hughes, alleging they misled thousands of consumers who signed up for an online medical billing portal by failing to adequately inform them that the company would also seek detailed medical information from third parties, including pharmacies, medical labs and insurance companies.
According to the FTC complaint, PaymentsMD since 2008 operated a website on which consumers could pay their medical bills online. However, in 2012, PaymentsMD and a third-party vendor, Metis Health LLC, began developing a separate service, Patient Health Report, designed to provide consumers with online access to their comprehensive medical records.
The FTC alleges that to collect the patients' medical records to populate the Patient Health Report portal, PaymentsMD "altered" the registration process for its billing portal to include permission for the company and its partners to contact consumers' healthcare providers to obtain their medical information.
Consumers consented to the collection of their health information by signing off on four authorizations that were presented in small windows on the billing portal, displaying only six lines of the extensive text at a time, the FTC says. The four authorizations also could be accepted by clicking one box to agree to all at once. "Consumers registering for the Patient Portal billing service would have reasonably believed that the authorizations were to be used for just that - billing," the FTC says in the complaint.
The FTC alleges that PaymentsMD used the consumers' registrations to gather sensitive health information from pharmacies, medical testing labs and insurance companies to create a patient health report. The information requested included prescriptions, procedures, medical diagnoses, lab tests performed and the results of the tests. The complaint alleges that Metis Health, for the PaymentsMD health record effort, contacted pharmacies and other medical providers located near the consumers, without knowing whether the consumers were actually customers of the particular pharmacy or healthcare provider.
PaymentsMD made 5,500 requests for consumers' health information to 31 companies, according to the FTC. Fortunately, in all but one case, the healthcare companies contacted for data refused to comply with the information requests because the individuals in question were not patients of those companies. Also, many of the requests sent by PaymentsMD sought health information about minors, the FTC alleges.
David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the PaymentsMD case sends an important message to healthcare providers, Web portal companies and patients about practices involving the collection, use and disclosure of individuals' sensitive health information.
"The biggest lesson for healthcare providers is they need to be observant of the authorizations that they receive that appear to be signed by an individual for disclosure of sensitive and protected health information," he says. Inappropriately disclosing a patient's health information on the basis of invalid or fake authorizations can not only result in privacy breaches, but could also put personal information in the hands of cybercriminals for medical ID theft and other fraudulent purposes.
For consumers, the case offers a reminder to carefully read and evaluate terms and conditions before agreeing to use a healthcare website portal or authorizing the release of personal health information, Holtzman says. And Web portal developers and other companies that collect patient information need to be clear about their privacy practices, as well as obtain consumers' express consent before collecting health information about the patient from a third party, he adds.
The FTC says that, initially, PaymentsMD did not inform consumers that the company was attempting to collect their sensitive health information. "When PaymentsMD began informing consumers, via an e-mail sent a day after users registered for Patient Portal, numerous consumers filed complaints with PaymentsMD regarding the collection of their sensitive health information," says the FTC complaint. "The common themes of the complaints were that consumers did not want their information collected, and that they had only registered for the Patient Portal to track their bills."
Among the terms of the FTC settlement, PaymentsMD and Hughes agreed to delete any information collected related to the online medical record portal service. In addition, the company must obtain affirmative express consent from consumers before collecting health information from a third party.
Also, PaymentsMD must not misrepresent how the company uses, maintains and protects the privacy, confidentiality, security or integrity of personal information collected from or about consumers.
"Companies should carefully explain to prospective customers and patients what the entity is doing, get express consent from consumers before collecting sensitive data, and live up to promises made to customers and patients," the FTC says in a statement provided to Information Security Media Group.
"Consumers should read what they sign, but even if they had done that here [in the PaymentsMD case], they wouldn't have known that information was going to be collected from their pharmacies and other institutions," the FTC notes. "The bigger message is that businesses should be clear about what they're doing with consumers' sensitive personal information."
The FTC declined to comment on whether it was pursuing a complaint against Metis Health.
PaymentsMD did not respond to ISMG's request for comment.
The Department of Health and Human Services' Office for Civil Rights also declined to comment about whether the agency is investigating the PaymentsMD case for potential HIPAA violations.