Practice Fusion Settles with FTC Over Patient Privacy Complaint | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Practice Fusion Settles with FTC Over Patient Privacy Complaint

June 10, 2016
by Heather Landi
| Reprints

The complaint against cloud-based electronic health records (EHR) vendor Practice Fusion provides important lessons about consumer health privacy for vendors in the health IT industry, according to a Federal Trade Commission blog post.

This week, the FTC announced a proposed settlement with San Francisco-based Practice Fusion after charges that the company misled consumers by soliciting reviews for their doctors, without disclosing adequately that the reviews would be publicly posted on the Internet. This resulted in the public disclosure of patients’ sensitive personal and medical information, according to the FTC.

In a one-count complaint, the FTC alleges that Practice Fusion represented expressly or by implication that survey responses would be communicated to the consumer’s healthcare provider, but failed to adequately disclose that it also would publish the responses publicly. According to the FTC, that fact would have been material to consumers in deciding whether or how to respond to the survey.

The settlement with the FTC will prohibit Practice Fusion from making deceptive statements about the privacy or confidentiality of the information it collects from consumers, and will also require the company, prior to making any consumers’ information publicly available, to clearly and conspicuously disclose this fact and obtain consumers’ affirmative consent.

“Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement. “Companies that collect personal health information must be clear about how they will use it – especially before posting such information publicly on the Internet.”

According to the complaint by the FTC, Practice Fusion made plans to launch a public-facing healthcare provider directory in 2013.  In order to be able to populate the directory with patient reviews, Practice Fusion began sending emails in April 2012 to patients of healthcare providers utilizing Practice Fusion’s electronic health records service.  The emails appeared to be sent on behalf of the patients’ doctors, and asked consumers to rate their provider “[t]o help improve your service in the future.”

Consumers who clicked on the five-star rating image in the e-mail were taken to an online survey form with questions about their recent medical visit. The survey included a text box where patients could enter any information they wished within a set character limit.  Because patients likely thought the information was only shared with their provider, many of them included in the text box their full name or phone number along with personal health information inquiries, according to the FTC complaint.

In its complaint, the FTC cites examples of patient information that then appeared in reviews publicly posted by Practice Fusion, such as one customer asking for information on dosing of “my Xanax prescription.”

In a Business Blog post on the FTC site, Lesley Fair, a senior attorney at the FTC, wrote, “The terms of the settlement apply just to Practice Fusion, but there are lessons others in the industry can learn.” Fair then outlined six compliance tips:

If personal health information is involved, handle it with particular care. Consumers are concerned about the confidentiality of their health information. Given what’s at stake, industry members are on notice of the need for caution, Fair wrote.

Explain your intentions. Especially for new products and services, don’t assume that consumers share your expertise. Be straightforward in your explanation and use simple words to explain what you want to do with their data.

Get consumers’ express affirmative consent before publicly disclosing sensitive information. Companies interested in winning loyal customers (and staying out of legal quicksand) ask consumers for permission before disclosing personal data and wait for a clear “yes” before proceeding. When healthcare information is at issue, it’s not the time to get cute with negative options or other less-than-clear methods of consent.

Disclosures should reach out and grab consumers. Healthcare IT is attracting companies that may not be familiar with the Commission’s approach.

Fair offers some “FTC 101:” “If the disclosure of information is necessary to prevent deception, it must be clear and conspicuous. To the FTC, ‘clear and conspicuous’ is a performance standard, not a font size. Chances are that fine print footnotes, dense blocks of text, jargon-filled doubletalk, or obscure hyperlinks won’t cut it. So if companies need to disclose information, how can they make it clear and conspicuous? Here’s a rule of thumb: Consider the same eye-catching methods you routinely use when you really want to grab a potential customer’s attention—graphics, color, big print, prominent placement, clear wording, etc.”

Don’t bury key facts in a hard-to-understand privacy policy. According to Fair, after Practice Fusion started to collect consumer survey results for posting, it changed what it said in its privacy policy, but didn’t clearly disclose the information on the survey page itself. “Of course, companies’ privacy policies and terms of use pages should be accurate and understandable, but relying on those pages as the exclusive means to convey critical details—for example, that you intend to post consumers’ sensitive health information publicly – is unwise,” Fair wrote.

Fair also advises that health IT companies consult FTC resources. “Companies accustomed just to HIPAA may be less familiar with the FTC’s approach. Visit the Business Center for compliance fundamentals. For example, .com Disclosures: How to Make Effective Disclosures in Digital Advertising talks about how to clearly convey important information online. TheMobile Health Apps Interactive Tool can help you figure out which federal law (and it may be more than one) applies to your business. And Mobile Health App Developers: FTC Best Practices offers an introduction to sound privacy and security,” Fair stated.

The FTC’s proposed agreement  with Practice Fusion will be subject to public comment until July 8, after which the FTC will decide whether to make the proposed consent order final.

 

 

 

 

 

 

The Health IT Summits gather 250+ healthcare leaders in cities across the U.S. to present important new insights, collaborate on ideas, and to have a little fun - Find a Summit Near You!


/news-item/privacy/practice-fusion-settles-ftc-over-patient-privacy-compliant
/news-item/privacy/should-hipaa-privacy-rules-change-hhs-seeks-input

Should HIPAA Privacy Rules Change? HHS Seeks Input

December 13, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

The Office for Civil Rights (OCR) has issued an RFI seeking input from the public on how Health Insurance Portability and Accountability Act (HIPAA) Rules, particularly the HIPAA Privacy Rule, could be modified to reflect the administration’s goal of promoting coordinated, value-based care.

As the government noted in a press release on the RFI, “HHS developed the HIPAA Rules to protect individuals’ health information privacy and security interests, while permitting information sharing needed for important purposes. However, in recent years, OCR has heard calls to revisit aspects of the Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based healthcare.”

Now, the RFI serves to request “information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information (PHI) and/or patients’ ability to exercise their rights with respect to their PHI.”

In addition to requesting broad input on the HIPAA Rules, the RFI also seeks comments on specific areas of the HIPAA Privacy Rule, according to HHS, including:

  • Encouraging information-sharing for treatment and care coordination
  • Facilitating parental involvement in care
  • Addressing the opioid crisis and serious mental illness
  • Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

“This RFI is another crucial step in our Regulatory Sprint to Coordinated Care, which is taking a close look at how regulations like HIPAA can be fine-tuned to incentivize care coordination and improve patient care, while ensuring that we fulfill HIPAA’s promise to protect privacy and security,” said Deputy Secretary Eric Hargan.

He added, “In addressing the opioid crisis, we’ve heard stories about how the Privacy Rule can get in the way of patients and families getting the help they need. We’ve also heard how the Rule may impede other forms of care coordination that can drive value. I look forward to hearing from the public on potential improvements to HIPAA, while maintaining the important safeguards for patients’ health information.”

Comments are due by Feb. 11, 2019.

 

More From Healthcare Informatics

/news-item/privacy/amia-calls-harmonization-data-privacy-policies

AMIA Calls for Harmonization of Data Privacy Policies

November 16, 2018
by
| Reprints

As the lines between consumer and clinical data systems continues to blur, there is a need to harmonize health sector data privacy policy, such as the Health Insurance Portability and Accountability Act (HIPAA) and consumer data policy to develop a new era of privacy policy, according to the American Medical Informatics Association (AMIA).

AMIA provided written comments last week in response to the National Telecommunications and Information Administration’s Request for Comment (RFC) on the Administration’s approach to consumer privacy. NTIA, an agency within the Department of Commerce, was seeking feedback on ways it can advance consumer privacy while also protecting innovation. The RFC sought feedback on how certain organizational privacy goals and outcomes can be achieved. These outcomes include organizational transparency, user control over personal information, reasonable minimization of data collection, organizational security practices, user access and correction, organizational risk management, and organizational accountability.

In its written comments, AMIA encouraged the Trump administration to closely examine both HIPAA and the Common Rule and develop an explicit goal to harmonize “health sector” and “consumer sector” data privacy policies. The informatics group cautioned the Administration against a patchwork of consumer privacy policies that is already the norm in the health sector.

Jeff Smith, vice president, public policy at AMIA, notes that given the health sector’s experience with HIPAA and the Common Rule, there is a unique opportunity to accomplish two aims with this executive and legislative branch conversation—harmonize health sector data privacy policy with consumer data privacy policy and develop a national forum and framework to allow states flexibility to address local needs and norms.

In its written comments, AMIA noted that differences in the interpretation of HIPAA have led to wild variations in application. The group thus urged the administration to balance the need for both prescriptive process-oriented policies and outcome-oriented policies, writing that “[a]n over-emphasis on vague or difficult-to-measure outcomes without guidance on process will result in the failings of HIPAA – wide variation in interpretation and inconsistent implementation.”

AMIA went on to not only reiterate its support for patients always having access to their data, but advocated extending this principle to other sectors of the economy and elevating it to “a prerequisite condition and central organizing principle from which other outcomes derive.”

Further, while AMIA broadly supported the RFC’s high-level goals, it recommended that the administration also focus on “closing regulatory gaps” that endanger data privacy. Citing a 2016 ONC report, AMIA pointed out that there are health-related technologies that exist outside the scope of HIPAA, Federal Trade Commission (FTC) regulation, or state law. Thus, a truly comprehensive approach to consumer privacy should address these gaps, AMIA wrote.

Finally, AMIA encouraged the administration to take several steps to address data governance and ethical use. It recommended that FTC “develop a framework for organizations to use that supports trust, safety, efficacy, and transparency across the proliferation of commercial and nonproprietary information resources,” in addition to an “ethical framework around the collection, use, storage, and disclosure of the personal information consumers may provide to organizations.”

“We applaud the administration for initiating this long overdue conversation. As the lines between consumer and clinical devices continues to blur, the need for harmonized federal policy becomes more pronounced,” Douglas B. Fridsma, M.D., Ph.D, AMIA President and CEO, said in a statement. “Just as we strive to ensure that patients have access to and control over their data, we must strive to deliver the same for consumers. The administration should learn from the health sector and develop improved privacy policies across all sectors of the economy.”

 

Related Insights For: Privacy

/blogs/david-raths/privacy/time-end-wild-west-health-data-usage-hipaa-free-zones

Time to End ‘Wild West’ of Health Data Usage in HIPAA-Free Zones

| Reprints
Beyond consent, bioethicists argue for ethical guidelines governing fair use of data
Click To View Gallery

In a recent conversation, a CMIO described the era of Meaningful Use and ICD-10 to me as the “doldrums of regulatory reform” that “sucked up all the oxygen” in the industry, leaving little room for innovation. So I can see why there would be little appetite for more regulation related to health data, and obviously the current administration prefers market-based solutions to regulatory ones.

Yet the Oct. 22 meeting, “Data Min(d)ing: Privacy and Our Digital Identities,” put on by the U.S. Department of Health & Human Services, made it clear to me that as more health data is gathered (and sold) outside the clinical setting, there is a “Wild West” atmosphere in which pretty much anything goes in terms of what companies not covered by HIPAA can do with our health data.

As an example, an April 2018 CNBC article noted that Facebook “has asked several major U.S. hospitals to share anonymized data about their patients, such as illnesses and prescription information, for a proposed research project. Facebook was intending to match it up with user data it had collected in order to help the hospitals figure out which patients might need special care or treatment.” (That project is currently on hiatus, Facebook said.)

The HHS meeting brought together industry leaders and researchers for some thought-provoking presentations about the many ways genetic, wearable and EHR health data is being used. For instance, James Hazel, Ph.D, J.D., a research fellow at the Center for Biomedical Ethics and Society at the  Vanderbilt University Medical Center, presented his research that involved a survey of the privacy policies proffered by U.S. direct-to-consumer genetic testing companies. Hazel noted that there has been huge growth in direct-to-consumer genetic testing, with an estimated 12 million people tested in the United States. Beyond offering consumers the services, these companies doing the testing wish to monetize that data through partnerships with pharmaceutical companies and academic researchers. There is also value to government and law enforcement officials – to solve cold cases, for instance.

There is a patchwork of federal and state laws governing disclosure of secondary data usage to consumers, but the industry is largely left to self-regulate, he said. In his survey of 90 companies offering these genetic data services, “10 percent had no policies whatsoever,” he said. About 55 companies had genetic data policies, but there was tremendous variability in policies about collection and use. Less than half had information on the fate of the sample. In terms of secondary use, the majority of policies refer to internal uses of genetic data. However, very few addressed ownership or commercialization. And although almost all made claims to being good stewards of the data, 95 percent did not provide for notification in case of a data breach. The provisions for sharing de-identified data are even less restrictive. Hazel noted that 75 percent share it without additional consent from the consumer.

Hazel’s take-home message: “We saw variability across the industry. Also, we had a group of law students and law professors read the policies and there was widespread disagreement about what they meant,” he said. “Also, nearly every company reserves the right to change the policy at any time, and hardly any company provided for individual notice in event of a change.” He finished his presentation with a question. “What is the path forward? Additional oversight by the Federal Trade Commission? Or allowing industry efforts to take the lead before stepping in?”

In a separate presentation, Efthimios Parasidis, J.D., a professor of Law and Public Health at the Ohio State University, spoke about the need for an ethical framework for health data.

Parasidis began by noting that beyond data security and privacy, consent and notice are inadequate ethical markers. “If one looks at regulations, whether it is HIPAA, the European Union’s GDPR, or California’s recently enacted consumer privacy law, the regulatory trend has been to emphasize consent, deletion rights and data use notifications,” he said. While these are important regulatory levers, missing is a forum for assessing what is fair use of data. “Interestingly, few areas of data collection require ethics review,” he stressed. HIPAA does not speak to when data use is ethical but rather establishes guidelines for maintaining and sharing certain identifiable health information. Even those protections are limited. HIPAA only applies to covered entities, he noted. It does not apply to identifiable health information held by a wide variety of stakeholders, including social media, health and wellness apps, wearables, life insurers, workers’ compensation insurers, retail stores, credit card companies, Internet searches, and dating companies.

“While the volume of identifiable health information held in HIPAA-free zones engulfs that which is protected by HIPAA and may support more accurate predictions about health than a person’s identifiable medical records,” Parasidis said, “the limits of HIPAA’s protections go beyond scope. For data on either side of the HIPAA divide, an evaluation of ethical implications is only required for human subject research that falls under the Common Rule. Much of data analytics falls outside the Common Rule or any external oversight.”

Citing the Facebook example mentioned above, Parasidis noted that tech giant Amazon, Apple, Google, Microsoft and Uber are entering the digital health space. “The large swathes of identifiable information that these entities hold raise a host of ethical questions,” he added, “including widespread re-identification of de-identified health information, health profiling of individuals or groups and discrimination based on health conditions.”

Policies and guidelines can supplement the small subset of data covered under legally mandated ethics review, he explained. For instance, federal agencies sometimes use internal disclosure review boards to examine ethical implications of data disclosure. But it is not clear this type of review is happening in the private sector.

Parasidis described work he has done with Elizabeth Pike, director of Privacy Policy in the Office of the Chief Information Officer at HHS, and Deven McGraw, who served as deputy director of health information privacy at HHS, on a framework for ethical review of how health data is used.

One way to think about more robust ethics review is the use of data ethics review boards, he said. Their structure can be modeled on institutional review boards or disclosure review boards. “This new administrative entity is necessary because much of contemporary data analytics falls outside existing frameworks,” he said. “We argue that these boards should focus on choice, responsiveness, accountability, fairness and transparency — a CRAFT framework. For instance, choice goes beyond consent. Individuals have an ongoing interest in their health data and should be able to specify how it is collected, analyzed and used.”

Reasonable minds can disagree on the relative weight of ethical principles or how they should be enacted into the context of data use deliberations, he said. “We nevertheless believe there remains an urgent need to craft an ethical framework for health data.”

 

 

See more on Privacy

betebet sohbet hattı betebet bahis siteleringsbahis