Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data
From the FTC:
An Atlanta-based health billing company and its former CEO have settled Federal Trade Commission charges they misled thousands of consumers who signed up for an online billing portal by failing to adequately inform them that the company would seek highly detailed medical information from pharmacies, medical labs and insurance companies.
In a pair of complaints, the FTC charges that PaymentsMD, LLC, and its former CEO, Michael C. Hughes, used the sign-up process for a “Patient Portal” — where consumers could view their billing history — as a pathway to deceptively seek consumers’ consent to obtain detailed medical information about the consumers.
“Consumers’ health information is as sensitive as it gets,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Using deceptive tactics to gain consumers’ ‘permission’ to collect their full health history is contrary to the most basic privacy principles.”
According to the complaints, PaymentsMD operated a website where consumers could pay their medical bills. In 2012, the company and a third party began developing a separate service known as Patient Health Report, designed to provide consumers with comprehensive online medical records. In order to populate the medical records, though, the company first needed to acquire consumers’ medical information. The complaints allege that the company altered the registration process for the billing portal to include permission for the company and its partners to contact healthcare providers to obtain their medical information.
According to the complaints, consumers consented to the collection of their health information by signing off on four authorizations that were presented in small windows on the webpage, displaying only six lines of the extensive text at a time, and could be accepted by clicking one box to agree to all four authorizations at once. Consumers registering for the Patient Portal billing service would have reasonably believed that the authorizations were to be used for just that – billing, according to the complaint.
The complaint alleges that PaymentsMD used the consumers’ registrations to gather sensitive health information from pharmacies, medical testing companies and insurance companies to create a patient health report. The information requested included the prescriptions, procedures, medical diagnoses, lab tests performed and the results of the tests, and more. The complaints allege the company contacted pharmacies located near the consumers, without knowing whether the consumers in question were customers of the particular pharmacy.
According to the complaints, in all but one case, the healthcare companies contacted for data refused to comply with the requests, as they included requests for information about minors, as well as for individuals who were not customers of the healthcare company contacted. Once PaymentsMD began informing customers that it was attempting to collect consumers’ health information, the company received numerous complaints from consumers angered because they believed they had signed up only for a billing portal and not an online health record.
Under the terms of the settlements, PaymentsMD and its former CEO, Hughes, must destroy any information collected related to the Patient Health Report service. In addition, the respondents are banned from deceiving consumers about the way they collect and use information, including how information they collect might be shared with or collected from a third party, and they must obtain consumers’ affirmative express consent before collecting health information about a consumer from a third party.
The Commission vote to issue the complaint and accept the proposed consent order for public comment was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Jan. 2, 2015, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically (PaymentsMD, LLC | Michael C. Hughes) by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics.
See also A Pain in the Privacy on FTC’s Business Blog.