The EHR vendor solicited patient information without adequately explaining that the information would be made public, according to the Federal Trade Commission.
Practice Fusion, which claims to be the largest cloud-based electronic health records platform in the U.S., this week settled federal charges that it publicly displayed personal and medical information obtained from its clients' patients deceptively.
According to the settlement document filed by the Federal Trade Commission, Practice Fusion solicited patient reviews of providers intended for a public-facing directory via emails that appeared to be from their providers, and which did not disclose that their responses would be shared with anyone but patients' healthcare providers.
The emails, which the San Francisco-based company sent beginning in April 2012 for a planned 2013 launch of the directory, prompted patients to comment in a free-text box that would "help improve your service in the future."
Within that box, patients not only included their names and addresses but also were prompted for personal information. Among the responses garnered:
- A request for information on dosing for "my Xanax prescription";
- A request for help with a depressed child who expressed suicidal thoughts;
- Self-diagnosis of a yeast infection
The bottom of the emails linked to a privacy statement about surveys, questionnaires, and polls that did not indicate until April 2013 that such responses would be posted publicly.
Nor was the intention to publicly share the information mentioned elsewhere in the company's privacy policy during that timeframe.
Agreement Open to Public Comment
As a result of the settlement, Practice Fusion is prohibited from making deceptive statements about the privacy or confidentiality of the information it collects from consumers.
It is also required, prior to making any consumers' information publicly available, to clearly and conspicuously disclose this fact and obtain consumers' affirmative consent.
The company is also banned from posting reviews it obtained during the timeframe of the complaint. The agreement will be subject to public comment until July 8.
"Practice Fusion's actions led consumers to share incredibly sensitive health information without realizing it would be made public," said Jessica Rich, Director of the FTC's Bureau of Consumer Protection, in an annoucement.
"Companies that collect personal health information must be clear about how they will use it—especially before posting such information publicly on the Internet."