The FTC has approved a final settlement against Practice Fusion, Inc., a company that describes itself as the “number one cloud-based electronic health record platform for doctors and patients.” The FTC had alleged that Practice Fusion failed to adequately disclose that patient responses to an online healthcare provider satisfaction survey would be published on Practice Fusion’s public website.
According to the FTC’s complaint, problems arose in 2013 when Practice Fusion began planning for the launch of an online public-facing healthcare provider directory to supplement its core health record platform. The directory was intended to allow current or prospective patients to search for healthcare providers by provider specialty or location, and to read existing patient reviews for those providers. The problem, according to the FTC, was that the patient reviews made available on the directory contained sensitive patient information, and were obtained without adequate disclosures to the patients who submitted them.
According to the complaint, numerous patient reviews received by Practice Fusion and posted to the directory contained personal information, as illustrated by examples included in the complaint:
- “Dr [healthcare provider name intentionally redacted by FTC staff], My Xanax prescription that I received on Monday was for 1 tablet a day but usually it’s for 2 tablets a day. I have not taken it to the pharmacy yet. Can I pick up a new one, or can I get a prescription called into a pharmacy? Thanks, [patient name intentionally redacted by FTC staff]” Date: May 21, 2012 (Xanax (alprazolam) is a medication typically prescribed to treat anxiety disorders, panic disorders, and anxiety caused by depression.)
- “I was pleased with Dr. [healthcare provider name intentionally redacted by FTC staff]’s information on getting a facelift. I will call if I have further questions. Thank you, [patient name intentionally redacted by FTC staff]” Date: May 5, 2012
These reviews were among the 613,000 put online when Practice Fusion launched the public directory in April 2013. The FTC alleged that, based on the sensitive content of the patient reviews, patients likely believed the communication was private.
Under its settlement with the FTC, Practice Fusion is prohibited from making any misrepresentations as to the extent to which it uses patient information, including the extent to which information will be made publicly available. Further, prior to publicly disclosing any patient information, Practice Fusion will also have to obtain affirmative express consent, and make the appropriate disclosures. The company will also be subject to certain ongoing record-keeping and compliance monitoring requirements.