EHR maker Practice Fusion settles with FTC over patient privacy complaint
Practice Fusion will settle with the U.S. Federal Trade Commission after charges that it misled users of its patient portal into reviewing their physicians – often including sensitive medical information that was then posted online.
The FTC complaint says Practice Fusion, in its efforts to launch a public-facing provider directory component of its Patient Fusion portal, sent emails to users with post-visit satisfaction surveys with their physicians' names at the bottom of the message. A disclosure underneath clarified that the email was “sent on behalf of Doctor [Healthcare Provider’s Name]’s office” by Practice Fusion.
While the site did have a privacy policy, FTC charges that for about a year between 2012 and 2013 it "did not indicate in this section or elsewhere in its privacy policy that it would publicly post reviews by patients of their providers."
Consumers were instructed not to volunteer personal information, but the alert was "in light grey type," according to the FTC complaint. Moreover, even though there was a pre-checked box to "keep this review anonymous," keeping it checked "did not anonymize anything a consumer wrote in the free text box, including a consumer’s identifying information."
Instead, it "only affected whether a review was posted on the Patient Fusion website under the handle 'Anonymous' or under a patient’s first name."
As a result, patients assuming that their reviews were only being shared with their care provider wrote freely – often including sensitive medical information and even phone numbers, according to FTC.
Among the responses posted were patient notes mentioning potential facelifts, yeast infections, shingles and wart removals. One patient asked their physician about upping their Xanax prescription; one was seeking help for a depressed and possibly suicidal relative; another mentioned their upcoming chemotherapy treatment.
"Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public," Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement. "Companies that collect personal health information must be clear about how they will use it – especially before posting such information publicly on the Internet."
Under the settlement, FTC will prohibit the company from making deceptive statements about the privacy or confidentiality of the data it collects, and will also require it – prior to making any consumer information publicly available – to "clearly and conspicuously disclose this fact" and obtain affirmative consent.
The FTC agreement will be subject to public comment through July 8, after which the commission will decide whether to make the proposed consent order final. Comments can be submitted at FTC.gov.
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com