FTC: Medical Billing Company Used Deceptive Tactics to Collect Patient Information
A medical billing company used deceptive tactics to collect sensitive patient information, says the Federal Trade Commission (FTC).
PaymentsMD and its former CEO Michael Hughes have agreed to settle an FTC complaint charging that the company used the sign-up process for a medical billing system as a way to gain consent to collect detailed medical information from pharmacies, medical labs and insurance companies.
According to the complaints, PaymentsMD operated a website where consumers could pay their medical bills. In 2012, the company and a third party began developing a separate service known as Patient Health Report, designed to provide consumers with comprehensive online medical records. In order to populate the medical records, though, the company first needed to acquire consumers' medical information. The complaints allege that the company altered the registration process for the billing portal to include permission for the company and its partners to contact healthcare providers to obtain their medical information.
Consumers consented to the collection of their health information by signing off on four authorizations. These were presented in small windows on the webpage that displayed only six lines of the extensive text at a time, and all four could be accepted at once by clicking a single box. Consumers registering for the Patient Portal billing service would have reasonably believed that the authorizations were to be used for billing and not for compiling an online health record.
PaymentsMD used the consumers' registrations to gather sensitive health information from pharmacies, medical testing companies and insurance companies to create a patient health report. The complaints allege the company contacted pharmacies located near the consumers, without knowing whether the consumers in question were customers of the particular pharmacy. All but one healthcare company denied handing over patient information.
Consumers began filing complaints after they discovered PaymentsMD was trying to collect their information.
As part of the settlement with the FTC, PaymentsMD and Hughes must destroy all the collected information and are required to obtain a consumer's express consent before collecting health information.