Companies operating in the healthcare arena, especially nontraditional ones, must take seriously the privacy concerns of patients—the good, the bad, and the warts (literally). That critical need to keep patient privacy top of mind is the key takeaway from a recent Federal Trade Commission (FTC) action against Practice Fusion, a cloud-based electronic health record (EHR) company, in which the FTC alleged that Practice Fusion collected patient comments about doctors without properly advising the patients that the comments would eventually be posted publicly in the patient review portion of a healthcare provider directory.
As might be expected, some of these comments contained information that a patient likely does not want shared publicly. For instance, one patient thanked the provider for removing a wart (which had been under a callus) and for advising that another wart might be growing on the other foot. Additional examples include comments about facelifts, Xanax prescriptions, yeast infections, and the suicidal tendencies of a child.
According to the FTC, Practice Fusion sent out emails to patients asking for feedback on the treatment they received from their providers. The FTC states that Practice Fusion failed to disclose to the patients that the information they provided would be publicly shared in patient reviews for future patients to read, and rely on, in determining which healthcare providers they may want to visit. The heart of the FTC's case was that patients' comments about their health status were of such a private nature that the public disclosure of these statements necessarily required their knowledge and consent.
Companies across many different industries are seeking new and different ways to engage with consumers. While the digital age allows for new methods to be executed at blinding speeds, traditional rules about disclosure and consumer choice remain as prominent now as they were in the last century. Mix these concepts in with the sensitivity of patients' health information, and companies can quickly find themselves foundering on the rocks and shoals of the Health Insurance Portability and Accountability Act of 1995 (HIPAA) and state privacy laws, as well as the traditional consumer protection rules and regulations.
The Importance of Clear and Conspicuous Disclosures
The FTC asserted that the eventual publication of private health information was a material term, and that Practice Fusion should have clearly and conspicuously advised patients that their information would be used this way. Material disclosures should find the consumer, not the other way around. Adhering to this simple maxim can avoid the expense and loss of customers' goodwill that accompany FTC investigations.
Materiality will always depend on the circumstances. Costs and fees almost always count as "material," but money is not the only concern when it comes to materiality, as the Practice Fusion case demonstrates. In Practice Fusion, the FTC asserted that health information was material, given that the heart of the matter involved accumulating personal data to be used in the comment section of a provider directory. But whatever is at issue, the cardinal rule with material disclosures is that they must be "clear and conspicuous."
The Four Ps That Define "Clear and Conspicuous"
"Clear and conspicuous" is a phrase that has been examined in countless actions by the FTC and state attorneys general. One helpful phrase used to flesh out the meaning of "clear and conspicuous" is the four Ps—prominence, presentation, placement, and proximity.
The "prominence" of a disclosure is often a function of the message's size and clarity. This can be a particular concern for disclosures made on mobile devices. Enforcing agencies can be very unforgiving of disclosures that can be viewed well on a desktop but are barely readable on a phone. Color contrast can also undermine a message's prominence. Disclosures in cream-colored text on a white background probably run afoul of the "prominence" standard.
"Presentation" relates to the ability of the disclosure to be understood by readers. The terms used in the language must be understandable to the average reader. Similarly, "placement" means that the disclosure needs to be in a location where the consumer could reasonably be expected to find the terms. Lastly, to meet the "proximity" standard, the disclosure must not only be in a place the consumer can be expected to find it, but in a place that is relevant to the material claim at issue.
The Special Considerations That HIPAA Adds
Beyond the traditional disclosure standards from the FTC, companies need to take into account the special considerations related to the healthcare industry, such as HIPAA. HIPAA, among other things, protects patient health information from unauthorized access, use and disclosure by healthcare providers. For example, if a company receives information from the medical practices with which it contracts, then use of that information is governed by HIPAA.
HIPAA permits healthcare providers and health plans (known as covered entities) to share health information with third-party vendors—known as business associates—such as electronic medical records companies. Business associates are required to comply with HIPAA regulations.
Using the patient information provided by healthcare providers (such as names and email addresses) in a manner unrelated to the services provided by the business associate to the provider would be a breach of HIPAA and the business associate agreement (BAA). Further, using this information in a manner that resulted in public disclosure of patient health information without the consumer's consent likely would trigger an investigation by the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), the agency responsible for overseeing and enforcing HIPAA. Business associates are subject to civil and, in some cases, criminal penalties for making uses and disclosures of patient health information in violation of HIPAA and their BAAs.
Practice Fusion: An Important Reminder
As alleged by the FTC, Practice Fusion, while trying to develop a new service to help consumers find a healthcare provider, found itself in the vortex of both healthcare and traditional consumer protection concerns. The case serves as a critical reminder that in this data-driven communication age, personal health data can be as important as financial data. Collecting sensitive health information requires careful consideration; publishing it requires the clear and knowing consent of the patient, whether covered by HIPAA or not.
There are fantastic opportunities for consumers, providers and patients to engage with businesses and each other in this digital age. As Practice Fusion demonstrates, however, the FTC expects companies to remember and apply time-tested laws and rules about privacy and disclosures.