The opening sentence of the Press Release by the Federal Trade Commission (FTC) on its proposed settlement with one of the biggest electronic medical record (EMR) providers, Practice Fusion, Inc., was designed to grab the attention of the EMR and healthcare provider sectors in that it plows new ground on transparency for uses of sensitive health information:
“Combine two of the most talked-about consumer protection topics – health privacy and consumer-generated online content – and what do you get? A proposed FTC settlement with Practice Fusion, the largest cloud-based electronic health records company in the country, and six compliance tips for others in the industry.”
It succeeded. The proceeding and settlement are a neon sign advertising the FTC’s enhanced enforcement activity in health privacy. The “six compliance tips” in the Press Release provide guidance for EMR and healthcare providers and can be read as an indication of the FTC’s criteria for future proceedings with regard to disclosures of health information.
The FTC brought a Complaint against Practice Fusion with regard to its patient portal. Many EMR systems use such portals, which allow patients to securely communicate with their caregivers. The difficulty with Practice Fusion’s portal, however, was that it contained a page that included a box in which the patient could provide a review of the provider and the patient’s experience.
That review would be publicly available, but this was not clearly indicated in the portal. Perhaps as a result, many patients provided highly sensitive information. This went on for about a year until an article in Forbes magazine revealed the publication of such information. The pre-checked box to “Keep this review anonymous” did not, in fact, anonymize the information, the FTC alleged, and the admonition “For your protection do not include any personal information” was “in the smallest and lightest type on the page.” The failures to adequately disclose how the information would be used, the FTC contended, constituted deceptive trade practices.
The settlement Agreement and Consent Order does not include civil monetary penalties, but Practice Fusion will nonetheless incur considerable legal and consulting expense in meeting terms of the Order that require revisions to the portal, recordkeeping with regard to compliance and submission of compliance reports to the FTC.
With this Complaint and settlement, the FTC has served notice that it will investigate and, where it finds cause, proceed against electronic medical record providers. If you have questions regarding electronic medical record system compliance with federal and state regulations, please contact Kenneth N. Rashbaum.