Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

FTC Settles Claims Against Medical Billing Provider for Inadequate Data Collection Disclosures

On December 3, 2014, the Federal Trade Commission announced two administrative settlements with a medical Billing Provider,  PaymentsMD, LLC, and its former CEO, Michael Hughes, for allegedly misleading thousands of consumers who signed up for an online billing portal by failing to adequately disclose that the company would seek detailed medical information from pharmacies, medical labs, and insurance companies.

According to the complaints, PaymentsMD operated a website where consumers could pay their medical bills and later launched a free “Patient Portal” that provided consumers with a place to view their billing history.  Payments MD entered into an agreement with another company to develop a new service called Patient Health Report, a fee-based service that would enable consumers to access, review, and manage their consolidated health records through the Patient Portal accounts.  In order to populate the Patient Health Report, PaymentsMD attempted to obtain the sensitive health information of consumers registering for the Patient Portal from health insurance plans, pharmacies, and a medical testing lab, without appropriate authorization from consumers.

The complaints detail how the patient portal interface failed to disclose that PaymentsMD would collect consumers’ sensitive health information for the Patient Health Report.   Specifically,  PaymentsMD obtained consumers’ consent by displaying four authorizations in tiny windows that displayed only six lines of text at a time.  Under each text box was a check box that consumers could select in order to proceed with the registration process.    Alternatively, consumers could select a single box at the top of the page, which would populate all four boxes to indicate that each of the four was authorized, The FTC’s complaints alleged that the site design simultaneously made it hard to read the authorizations in their entirety, and easy to skip over them by clicking a single check box that preceded all of the authorizations.

According to the complaints approximately 5,500 requests for consumers’ health information were sent to 31 different companies, but only one company fulfilled the request.   Only one company provided the requested information.  The others refused to fulfill the requests which was likely a result of concern about the validity of the requests, which in some cases related to minors or consumers who were not in fact a customer of the company receiving the requests.  Ultimately PaymentsMD did not sell any Patient Health Reports.

The complaints allege that the respondents violated section 5 of the FTC Act by:  

  1. failing to adequately disclose that if consumers registered for its free Patient Portal billing service, that the respondents would also engage in a comprehensive collection of information from their parties; and
  2. falsely representing that authorizations were to be used exclusively to provide the Patient Portal billing history service, when in fact, the authorizations were being used to attempt to collect sensitive health information.

The proposed consent agreements:

  1. require that the respondents destroy any information collected related to the Patient Health Report service;
  2. prohibit them from making misrepresentations to consumers about the way they collect and use information including how information they collect might be shared with or collected from a third party; and
  3. require that they obtain consumers’ affirmative express consent before collecting health information (defined in the order to include insurance account information, prescription information, medical records, information concerning a diagnoses or treatment, and medical or health related purchases).

Administrative settlements do not include monetary relief.  The settlements will be subject to a 30 day comment period.  The Commission will then vote to issue the settlements in final form after the comment period.

Companies that plan to collect sensitive information from consumers would be advised to confirm that they have appropriately disclosed relevant information, avoiding for example undersized text and hard-to-read formats, and have obtained appropriate consents.

Katherine Armstrong, Counsel in our Washington, D.C. Office, contributed to this entry.