Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Mon, 01 Jul 2024 11:23:26 -0400

Some Things are Best Kept Private: FTC Settles with Company for Using Private Health Data in Public Physician Reviews
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/some-things-are-best-kept-private-ftc-settles-with-company-for-using-private-health-data-in-public-physician-reviews
Thu, 09 Jun 2016 10:42:03 -0400

The FTC recently reinforced its commitment to protecting consumer health data in its settlement with electronic health record company Practice Fusion. The company, which stores consumer health data in a cloud for healthcare providers, was charged with misleading consumers when it sought patients’ reviews of their doctors without disclosing that the information would be shared online.

According to the complaint, patients were asked to rate their doctors in an email sent by the company. The email indicated that the patient’s information would be shared with his or her physician. After providing an initial review, patients were then sent to a survey where they could give more information about their recent appointment. Included in the survey was a text box where the patient could share comments. Here, many patients entered private information. This included full names, phone numbers, and details about medical conditions. Practice Fusion’s privacy policy did not indicate that the company would publicly post reviews by patients.

Practice Fusion then launched a website providing reviews of the physicians. These reviews included the patients’ names, telephone numbers, and health information that they provided in their surveys. It wasn’t until after the information was posted online that Practice Fusion updated its privacy policy and implemented procedures to keep personal information from appearing on the site.

Per the settlement, Practice Fusion is prohibited from misrepresenting its use of consumer data. Additionally, the company must disclose that it will make information publicly available, separate from a general “privacy policy” or “terms of use” page, and receive the consumer’s affirmative express consent to do so. The company must also refrain from sharing healthcare provider review information with anyone other than its clients.

This settlement highlights the FTC’s continued efforts to protect the privacy of consumer health data. In April, the FTC released compliance tools and best practices specifically for health app developers to ensure they were complying with the FTC’s expectations for health data providers. This came just after the Director of the FTC Bureau of Consumer Protection testified to a Congressional subcommittee about the need for the Commission to have increased data security authority to address the area of health privacy. Collectively, these efforts make clear that as consumers increasingly turn to the internet for health information, the FTC will expect companies large and small to be aware of their obligations to consumers and to comply with them.

FTC Holds Privacy Seminar on Health Data, Emphasizes Transparency
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ftc-holds-privacy-seminar-on-health-data-emphasizes-transparency
Mon, 12 May 2014 09:30:19 -0400

Last week, the FTC held its third and final spring privacy seminar on the implications of consumer generated and controlled health data. The seminar featured presentations by Latanya Sweeney, the FTC’s Chief Technologist, and Jared Ho, an attorney in the FTC’s Mobile Technology Unit, and a panel discussion with representatives from the Department of Health and Human Services, the Center for Democracy and Technology, and the private sector. During the two-hour seminar, the presenters and panelists recognized the benefits of health-related apps, but expressed concerns that consumers may be unaware of the apps’ information collection and transmission practices, as well as that the apps may not be covered by HIPAA. There was no consensus on the type of regulation, if any, needed.

Ms. Sweeney’s presentation, while highlighting the maxim that transparency establishes trust, documented the flow of consumer health data provided to hospitals, noting that consumer health data may flow – and often does flow – from hospitals to entities that are not covered by HIPAA. Additionally, although de-identified when sold, this information may be easily re-identified. Mr. Ho presented the results of an FTC study on the health information collected and transmitted by 12 mobile apps and two wearables. While the Commission did not review privacy policies, the study results revealed that the apps transmitted consumer health information to 76 third parties, many of which collected device information or persistent device identifiers (sometimes from multiple apps) and additional information, such as gender, zip code, and geolocation. Mr. Ho stated that there are significant health concerns when data is capable of being aggregated.

The panel, moderated by two FTC Division of Privacy and Identity Protection attorneys, featured Dr. Christopher Burrow, the Executive Vice President of Humetrix, Joseph Lorenzo Hall, Chief Technologist for the Center for Democracy and Technology, Sally Okun, Vice President for Advocacy, Policy and Patient Safety at PatientsLikeMe, and Joy Pritts, Chief Privacy Officer in the Department of Health & Human Services’ Office of the National Coordinator for Health Information Technology. The panelists spent a significant amount of time discussing the various entities covered – and not covered – by HIPAA, as well as the array of health-related websites and apps that are available to consumers. Some of the concerns raised were: (1) the potential for sensitive health information to be shared in ways consumers would not reasonably anticipate (and the inability to predict what consumers may deem “sensitive”); (2) the lack of a standard definition of “de-identified data”; (3) the potential for data re-identification; and (4) the ever-expanding definition of what constitutes “health” information.

Information on the seminar, including a transcript, is available here, and the FTC is accepting comments until June 9.
