An electronic health record company has agreed to settle with the Federal Trade Commission over allegations it posted patients' reviews of doctors online—including personal medical information—without telling the patients.
Practice Fusion, a cloud-based EHR company in San Francisco, allegedly asked consumers to review their doctors without adequately warning them that the reviews would be posted on the Web. This allegedly led to public disclosure of some patients' personal and medical information.
For example, one consumer wrote about having a wart removed, another wrote about having a yeast infection and yet another talked about a depressed child, writing the girl “has stated several times this week that she wishes she was dead.” Some of the consumers were identified by name online.
The company did not admit to any wrongdoing as part of the settlement agreement (PDF).
"The proposed consent agreement is not related to our core businesses, nor how we have operated the survey feature since April 2013," the company said in a statement. "The complaint associated with the consent agreement does not allege that anything that we are currently doing is problematic."
The settlement prohibits Practice Fusion from making deceptive statements about the confidentiality of information it collects from consumers and requires the company to get affirmative approval from consumers before making their information publicly available in the future.
According to the complaint (PDF), in 2012 Practice Fusion first started asking patients who were using its EHR service to write reviews of their doctors to “help improve your service in the future.” The company wanted the reviews for a public healthcare provider directory it planned to launch.
Consumers who agreed to write reviews were directed to an online survey with questions about their recent medical visits. That survey included a space where patients could write anything they wanted. Above the box, a small warning told consumers, “For your protection, do not include any personal information.” But many patients still included personal information such as medical questions—likely because they thought the information was going directly to their doctors, according to the FTC.
Consumers were also required to check a box agreeing to certain terms, including an authorization for Practice Fusion to publish their reviews online. But consumers were not required to read through the terms before clicking that they agreed to them.
According to the FTC, some of Practice Fusion's providers were also surprised to see feedback about them posted publicly.
In its statement, Practice Fusion described the survey as "a free service that allows Practice Fusion's health care professional clients to request feedback from their patients about their treatment experiences." The company said that service allows providers to publish the feedback on the company's website, where patients can find doctors and book appointments.