Ambulatory care electronic health record vendor Practice Fusion has agreed to settle Federal Trade Commission (FTC) charges that it misled consumers by soliciting reviews about their doctors without disclosing adequately that the reviews would be made public and posted on the internet.
Practice Fusion, according to the FTC, launched a public facing healthcare provider directory. To garner patient reviews, the vendor began sending emails to patients of providers who use Practice Fusion's EHR system. The emails appeared to be sent on behalf of the individual doctors to improve future service. Because patients likely thought that the review would only be shared with their provider, many included their full name and phone number, along with personal health information and questions, which then ended up on the internet.
In the proposed settlement agreement, Practice Fusion is barred from misrepresenting the extent to which it uses, maintains and protects the privacy or confidentiality of the data that it collects. It also must clearly and conspicuously disclose, separate from any other privacy statement, that it is making information publicly available before it does so, and must get affirmative patient consent. Additionally, it can't publicly display the reviews collected during the time period covered by the FTC's complaint.
The agreement is subject to public comment through July 8. After that, the FTC will decide whether to make the proposed consent order final. Violation of such an order could result in civil penalties of up to $16,000 per violation.
"Practice Fusion's actions led consumers to share incredibly sensitive health information without realizing it would be made public," said Jessica Rich, director of the FTC's Bureau of Consumer Protection. "Companies that collect personal health information must be clear about how they will use it--especially before posting such information publicly on the internet."