An Atlanta-based health billing company and its former CEO settled Federal Trade Commission charges that they misled thousands of consumers who signed up for an online billing portal by failing to adequately inform them that the company would seek highly detailed medical information from pharmacies, medical labs and insurance companies.
The FTC charges that PaymentsMD LLC and its former CEO, Michael C. Hughes, used the sign-up process for a "Patient Portal" - where consumers could view their billing history - as a pathway to deceptively seek consumers' consent to receive detailed medical information about the consumers.
PaymentsMD operated a website where consumers could pay their medical bills, according to the complaint. In 2012, the company and a third party began developing a separate service known as Patient Health Report, designed to provide consumers with comprehensive online medical records. To populate the medical records, though, the company first needed to acquire consumers' medical information.
The complaints allege that the company altered the registration process for the billing portal to include permission for the company and its partners to contact healthcare providers to obtain their medical information.
Consumers consented to the collection of their health information by signing off on four authorizations that were presented in small windows on the webpage, displaying only six lines of the extensive text at a time, and could be accepted by clicking one box to agree to all four authorizations at once, according to the complaints.
Consumers registering for the Patient Portal billing service would have reasonably believed that the authorizations were to be used for just that billing, the FTC said.
The complaint alleges that PaymentsMD used the consumers' registrations to gather sensitive health information from pharmacies, medical testing companies and insurance companies to create a patient health report. The information requested included the prescriptions, procedures, medical diagnoses, lab tests performed and the results of the tests. The complaints allege the company contacted pharmacies located near the consumers, without knowing whether the consumers in question were customers of the particular pharmacy.
Under the terms of the settlements, PaymentsMD and Hughes must destroy any information collected related to the Patient Health Report service. The respondents also are banned from deceiving consumers about the way they collect and use information, including how information they collect might be shared with or collected from a third party. They further must obtain consumers' affirmative express consent before collecting health information about a consumer from a third party.
"Consumers' health information is as sensitive as it gets," said Jessica Rich, director of the FTC's Bureau of Consumer Protection. "Using deceptive tactics to gain consumers' 'permission' to collect their full health history is contrary to the most basic privacy principles."
In all but one case, the healthcare companies contacted for data refused to comply with the requests, as they included requests for information about minors, as well as for individuals who were not customers of the healthcare company contacted. Once PaymentsMD began informing customers that it was attempting to collect consumers' health information, the company received numerous complaints from consumers angered because they believed they had signed up only for a billing portal and not an online health record.