Practice Fusion Settles With FTC Over Patient Privacy Disclosures | Practical Law

Practice Fusion, a cloud-based electronic health record company, has agreed to settle with the Federal Trade Commission (FTC) over charges that the company failed to adequately disclose to patients that their sensitive personal and medical information in healthcare provider reviews would be made public on the company's website.

Practical Law Legal Update w-002-5747 (Approx. 4 pages)

by Practical Law Commercial Transactions
Published on 13 Jun 2016
USA (National/Federal)
On June 8, 2016, the Federal Trade Commission (FTC) announced a settlement with Practice Fusion, a cloud-based electronic health record company, for failing to adequately disclose that the healthcare provider reviews it solicited would be made public on its website.

Practice Fusion's Failure to Disclose

Practice Fusion sought to launch a public-facing healthcare provider directory in 2013. In order to populate the directory with patient reviews before its official launch, Practice Fusion solicited reviews from patients of healthcare providers who were already using the company's electronic health records service.
Apparently believing that their doctors' offices were soliciting the reviews directly for private use, some patients disclosed sensitive, private information in their comments. When Practice Fusion launched its healthcare provider directory with 613,000 reviews in April 2013, these comments were made public.
The FTC's complaint alleged that Practice Fusion committed several deceptive acts resulting in this public disclosure of private information, including:
  • Using the healthcare providers' names in soliciting reviews, which led patients to believe they were communicating directly with their doctors.
  • Including a link to a privacy policy that made no mention of Practice Fusion's intent to publicly post reviews.
  • Including an option to "Keep this review anonymous," which may have led patients to assume confidentiality.
  • Allowing patients to accept the terms of the "Patient Authorization" without having to view the terms, which included an authorization to make the review public and a waiver of the patient's Health Insurance Portability and Accountability Act (HIPAA) rights.
The complaint also notes that Practice Fusion changed the language in both its review solicitation email and its Privacy Policy to indicate that the reviews would be made public on the website. By then, hundreds of patients had submitted reviews containing personal information. In November 2013, Practice Fusion implemented automated procedures to help identify reviews with personal information and prevent their publication, or to remove them from the website if they were already published.

Practice Fusion's Settlement and Next Steps

The FTC's complaint concluded that these failures represented a deceptive act or practice in violation of Section 5(a) of the Federal Trade Commission Act (FTC Act) (15 U.S.C. § 45).
In the settlement, Practice Fusion agreed to:
  • Stop misrepresenting the way it uses, maintains, and protects private and confidential information from patients, including the extent to which the information will be made public.
  • Clearly and conspicuously disclose that information will be made publicly available. This disclosure must be:
    • difficult to miss; and
    • easily understandable by ordinary consumers.
  • Obtain affirmative express consent from patients for use of their reviews on the provider directory.
  • Submit a compliance report within 90 days of the settlement's effective date.
  • Create and retain detailed records of activities related to the settlement for five years after the settlement's effective date.
  • Submit to compliance monitoring by the FTC.
The settlement will not take effect until the end of a 30-day comment period, to conclude on July 8, 2016, after which the FTC will decide whether to make the settlement final.

Practical Implications

The Practice Fusion case illustrates how careful companies must be when interacting with consumers online, particularly when consumers may be sharing sensitive information. In any situation where consumers are providing something of value, whether it is a credit card payment or a consumer review, companies should adhere to the gold standard of disclosure by making sure:
  • Disclosure of pertinent information is clear and conspicuous.
  • Affirmative express consent is given.
For more information on complying with the FTC Act, including its disclosure requirements, see Practice Note, Advertising: Overview: The Federal Trade Commission Act.
For more general information on online terms and conditions, see Terms and Conditions for Online Sales by Manufacturers to Consumers.