The FTC has approved a final settlement against Practice Fusion, Inc., a company that describes itself as the “number one cloud-based electronic health record platform for doctors and patients.”  The FTC had alleged that Practice Fusion failed to adequately disclose that patient responses to an online healthcare provider satisfaction survey would be published on Practice Fusion’s public website.

According to the FTC’s complaint, problems arose in 2013 when Practice Fusion began planning for the launch of an online public-facing healthcare provider directory to supplement its core health record platform.  The directory was intended to allow current or prospective patients to search for healthcare providers by provider specialty or location, and to read existing patient reviews for those providers.  The problem, according to the FTC, was that the patient reviews made available on the directory contained sensitive patient information, and were obtained without adequate disclosures to the patients who provided them.

In order to populate the directory with patient reviews, in April 2012 Practice Fusion contacted patients by email post-visit, and asked them to complete a survey to help improve the patients’ “service in the future.”  The survey email indicated it was sent on behalf of the healthcare provider, and until April 8, 2013, Practice Fusion did not indicate in its privacy policy that it would publicly post patient reviews of their providers.  Patients who clicked on the email were taken to a survey form, which asked them to “Please leave a review for your provider,” but warned, “For your protection, do not include any personal information.”  A pre-checked box on the form read “Keep this review anonymous.”  According to the FTC, leaving this box checked did not anonymize the information written on the form, but instead determined whether the review appeared along with the handle “Anonymous” or with the patient’s first name.

According to the complaint, numerous patient reviews received by Practice Fusion and posted to the directory contained personal information, as illustrated by examples included in the complaint:

  • “Dr [healthcare provider name intentionally redacted by FTC staff], My Xanax prescription that I received on Monday was for 1 tablet a day but usually it’s for 2 tablets a day. I have not taken it to the pharmacy yet. Can I pick up a new one, or can I get a prescription called into a pharmacy? Thanks, [patient name intentionally redacted by FTC staff]” Date: May 21, 2012 (Xanax (alprazolam) is a medication typically prescribed to treat anxiety disorders, panic disorders, and anxiety caused by depression.)
  • “I was pleased with Dr. [healthcare provider name intentionally redacted by FTC staff]’s information on getting a facelift. I will call if I have further questions. Thank you, [patient name intentionally redacted by FTC staff]” Date: May 5, 2012

These reviews were among the 613,000 put online when Practice Fusion launched the public directory in April 2013.  The FTC alleged that, based on the sensitive content of the patient reviews, patients likely believed the communication was private.

Under its settlement with the FTC, Practice Fusion is prohibited from making any misrepresentations as to the extent to which it uses patient information, including the extent to which information will be made publicly available.  Further, prior to publicly disclosing any patient information, Practice Fusion will also have to obtain affirmative express consent, and make the appropriate disclosures.  The company will also be subject to certain ongoing record-keeping and compliance monitoring requirements.