On Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who ...25 May 2016
FTC Settles Claims Against Medical Billing Provider for Inadequate Data Collection Disclosures
According to the complaints, PaymentsMD operated a website where consumers could pay their medical bills and later launched a free “Patient Portal” that provided consumers with a place to view their billing history. Payments MD entered into an agreement with another company to develop a new service called Patient Health Report, a fee-based service that would enable consumers to access, review, and manage their consolidated health records through the Patient Portal accounts. In order to populate the Patient Health Report, PaymentsMD attempted to obtain the sensitive health information of consumers registering for the Patient Portal from health insurance plans, pharmacies, and a medical testing lab, without appropriate authorization from consumers.
The complaints detail how the patient portal interface failed to disclose that PaymentsMD would collect consumers’ sensitive health information for the Patient Health Report. Specifically, PaymentsMD obtained consumers’ consent by displaying four authorizations in tiny windows that displayed only six lines of text at a time. Under each text box was a check box that consumers could select in order to proceed with the registration process. Alternatively, consumers could select a single box at the top of the page, which would populate all four boxes to indicate that each of the four was authorized, The FTC’s complaints alleged that the site design simultaneously made it hard to read the authorizations in their entirety, and easy to skip over them by clicking a single check box that preceded all of the authorizations.
According to the complaints approximately 5,500 requests for consumers’ health information were sent to 31 different companies, but only one company fulfilled the request. Only one company provided the requested information. The others refused to fulfill the requests which was likely a result of concern about the validity of the requests, which in some cases related to minors or consumers who were not in fact a customer of the company receiving the requests. Ultimately PaymentsMD did not sell any Patient Health Reports.
The complaints allege that the respondents violated section 5 of the FTC Act by:
- failing to adequately disclose that if consumers registered for its free Patient Portal billing service, that the respondents would also engage in a comprehensive collection of information from their parties; and
- falsely representing that authorizations were to be used exclusively to provide the Patient Portal billing history service, when in fact, the authorizations were being used to attempt to collect sensitive health information.
The proposed consent agreements:
- require that the respondents destroy any information collected related to the Patient Health Report service;
- prohibit them from making misrepresentations to consumers about the way they collect and use information including how information they collect might be shared with or collected from a third party; and
- require that they obtain consumers’ affirmative express consent before collecting health information (defined in the order to include insurance account information, prescription information, medical records, information concerning a diagnoses or treatment, and medical or health related purchases).
Administrative settlements do not include monetary relief. The settlements will be subject to a 30 day comment period. The Commission will then vote to issue the settlements in final form after the comment period.
Companies that plan to collect sensitive information from consumers would be advised to confirm that they have appropriately disclosed relevant information, avoiding for example undersized text and hard-to-read formats, and have obtained appropriate consents.
Katherine Armstrong, Counsel in our Washington, D.C. Office, contributed to this entry.
The French Data Protection Authority (CNIL) has announced its inspections program topics for 2016, with health data, flight passengers’ data, and data used for marketing and Internet...20 May 2016