On June 8th, 2016 the Federal Trade Commission (FTC) announced a settlement with Practice Fusion, Inc. The EHR vendor was charged with illegally disclosing consumers’ protected health information (PHI) without providing information about how it would be used, maintained, and protected, in addition to neglecting to obtain their clients’ consent.
The HIPAA FTC Settlement
Practice Fusion is an electronic health records (EHR) platform used by healthcare providers to store patients’ protected health information (PHI). The FTC found that Practice Fusion had solicited consumers for reviews of their doctors without giving adequate disclosure that they were planning to publicly post these reviews on the internet, leading to a serious breach of patients’ rights to privacy.
The complaint that launched the investigation was made in 2013 after Practice Fusion decided to start a “public-facing healthcare provider directory”–essentially a review platform similar to Yelp where patients could provide feedback about doctors and the services they received.
Practice Fusion sent emails to patients of healthcare providers using its EHR platform starting in April of 2012 that appeared to be on behalf of these patients’ doctors. The emails expressly asked consumers to rate their doctor “to help improve your service in the future.”
Patients who responded to the email were taken to a survey form with questions about their medical experiences. The survey included a comment box, where patients disclosed all kinds of personal information including full names, phone numbers, and medical history after being falsely lead to believe that they were providing this information to their doctors.
The FTC hopes that the settlement will discourage these kinds of deceptive business practices from becoming an industry-wide issue. Practice Fusion is expressly forbidden from making statements about the privacy or confidentiality of the information it gathers from patients and consumers that are intentionally misleading. The company is also required to clearly communicate their intent to make patients’ information public and obtain affirmative consent before doing so in the future.
EHR Vendors and HIPAA Compliance
Though the settlement at hand deals with the FTC, the exposure of patients’ PHI elevates the issue to other conversations of data security going on at the national level.
When patient data is breached, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will often step in to investigate. Under HIPAA, business associates such as EHR platforms are responsible for maintaining the integrity of PHI in the same way as covered entities such as doctors and insurance companies.
“Practice Fusion is playing a dangerous game with their customers’ data,” said Marc Haskelson, President of Compliancy Group. “Any time PHI is mishandled, EHR platforms put themselves one step closer to a HIPAA audit. Unfortunately, we’ve seen misinformation spread throughout the EHR industry for years now, often misleading doctors and consumers about the way health data is going to be used.”
He continued: “We’re anticipating the day that one of these breaches launches a full HIPAA audit and OCR investigation. This settlement strikes us as a sign of things to come for EHR platforms and the doctors who use them–the audits are coming, and when they arrive they’re going to cause major disruptions in the EHR market.”