Season's greetings from the Federal Trade Commission (FTC).
Yesterday, the FTC published its Agreement Containing Consent Order and the attendant press release regarding its settlement with a medical billing company (PaymentsMD) and the company's CEO over the company's alleged failure to adequately inform patients about its collection of their medical information. Although the action did not arise under HIPAA (which HHS's Office for Civil Rights separately enforces), the FTC's enforcement of consumer privacy rights here underscores the federal government's view of the importance and sensitivity of patient medical records, particularly where there is a high probability of consumer/patient confusion or a lack of transparency.
Notably, the settlement arose from allegations that PaymentsMD failed to provide adequate notice, and to obtain adequate “authorization,” before collecting individuals' medical records: “The complaints allege that the company altered the registration process for the billing portal to include permission for the company and its partners to contact healthcare providers to obtain their medical information.” FTC Press Release (Dec. 3, 2014) (“Press Release”). The critical facts (in the FTC's view) appear to have been the arguably misleading manner in which the company obtained four separate authorizations with a single on-screen check box, displaying only a small portion of the authorization text at any one time, and doing so when patients had asked only to use an online billing portal:
According to the complaints, consumers consented to the collection of their health information by signing off on four authorizations that were presented in small windows on the webpage, displaying only six lines of the extensive text at a time, and could be accepted by clicking one box to agree to all four authorizations at once. Consumers registering for the Patient Portal billing service would have reasonably believed that the authorizations were to be used for just that – billing, according to the complaint.
The complaint alleges that PaymentsMD used the consumers' registrations to gather sensitive health information from pharmacies, medical testing companies and insurance companies to create a patient health report. The information requested included the prescriptions, procedures, medical diagnoses, lab tests performed and the results of the tests, and more. The complaints allege the company contacted pharmacies located near the consumers, without knowing whether the consumers in question were customers of the particular pharmacy.
Press Release (emphasis added).
The settlement firmly underscores the importance of clarity and transparency in all patient communications, particularly when any use or disclosure of protected health information (PHI) is contemplated. Now that OCR's implementation of the HITECH Act has extended direct HIPAA obligations to Business Associates, both HIPAA Covered Entities and their Business Associates should consider these issues carefully.
So double-check those authorizations, consent forms, and other patient communications. In practice, that means one affirmative check box per authorization rather than a single box that accepts several at once, the full authorization text visible rather than a few lines at a time, and a plain statement of what the patient's information will actually be used for whenever that goes beyond the service the patient signed up for. No one needs a stocking stuffed by the FTC (or HHS).