via Moak: Patient information released without OK, feds say, clarionledger.com
A company that produces Electronic Health Records has agreed to settle allegations from federal regulators that it allowed sensitive health information to be posted online without letting patients know it would be disclosing the information.
In 2012 and 2013, California-based Practice Fusion, described by the Federal Trade Commission as a “cloud-based electronic records company,” allegedly began posting online patient reviews of doctors it had collected, but failed to tell the patients the details of how the reviews would be used. In some cases, sensitive information allegedly appeared in the reviews.
“Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Companies that collect personal health information must be clear about how they will use it — especially before posting such information publicly on the Internet.”
Electronic Health Records have been controversial, with advocates promising they will create a more seamless experience for patients who see multiple providers, help lower costs through greater efficiency and reduce the risk of errors. But privacy watchdogs have warned that consumer information could be compromised if the information is not handled with great care. In a 2012 survey conducted by Xerox, just over a quarter of Americans said they wanted their records to be digitized. It should be noted Practice Fusion wasn’t accused of allowing the compromise of EHR data, but of failing to give proper notification to patients before posting the information online.
Federal laws require any business that handles sensitive health information to go to great lengths to protect that information, with stiff penalties for violations. And consumers must be informed of any intent to share that information (that’s why you get those annual notices about protecting your privacy and have to sign separate privacy acknowledgement forms when you visit the doctor).
According to the FTC’s complaint, Practice Fusion began a public-facing health care provider directory in 2013, including reviews of physicians. To populate the reviews, Practice Fusion began sending emails to patients of physicians who had contracted with Practice Fusion to provide electronic health records services. The emails allegedly were sent to “help improve your service in the future,” and asked recipients to answer questions about their recent visit to the doctor.
But when consumers discussed their recent visit, they often included details and could leave their name and contact information. For example, one consumer talked about a depressed child, another revealed she was concerned about a yeast infection and another spoke of a “Xanax prescription.”
Although the company didn’t admit any wrongdoing, it noted in a statement that it had discontinued the system in 2013. “The proposed consent agreement is not related to our core businesses, nor how we have operated the survey feature since April 2013,” noted a statement on the company’s website. “The complaint associated with the consent agreement does not allege that anything that we are currently doing is problematic.”