Dec 162014

New FTC Settlement Reveals Heightened Agency Scrutiny Regarding Patient Authorizations and the Collection of Health Information

Sidley Data Matters Contributors

On December 3, 2014, the Federal Trade Commission (FTC) announced that it reached a settlement with PaymentsMD, an Atlanta-based medical billing company, and its former CEO, Michael C. Hughes, for alleged violations of Section 5(a) of the Federal Trade Commission Act for using deceptive tactics to collect sensitive health information. Public comments on the FTC’s proposed Consent Orders are due January 2, 2015.

Factual Allegations

In a pair of concurrently issued administrative complaints (the Complaints), the FTC alleged that PaymentsMD, under the direction and control of Hughes, misled consumers by failing to inform them of the company’s plans to request the consumers’ detailed health information from third parties, such as health plans and pharmacies. According to the Complaints, in December 2011, PaymentsMD launched its “Patient Portal” product that enabled consumers to pay medical bills online and access detailed patient account information. As a follow-on to this product, PaymentsMD later partnered with consulting firm Metis Health LLC to develop a new fee-based service, the “Patient Health Report,” that allowed consumers to access, review and manage their health records through the Patient Portal account.

To populate the Patient Health Report, PaymentsMD and Metis Health purportedly contacted pharmacies, health plans and clinical laboratories to request sensitive health information for registered consumers. Metis Health allegedly sent over 5,000 information requests to 31 different companies, including health plans identified through PaymentsMD’s billing records and also contacted major commercial pharmacies located near consumers’ home addresses. Only one of the healthcare companies provided the requested information, according to the Complaints. The FTC alleged that PaymentsMD failed to inform consumers of the information collection efforts until after consumers registered for the Patient Portal service.

According to the FTC, even though one of the four authorizations specifically referenced a Personal Health Report, the Patient Portal interface nonetheless failed to adequately disclose that PaymentsMD planned to collect sensitive health information about consumers for the follow-on Patient Health Report service. Specifically, the Complaints allege that the Patient Health Report was framed as a “separate service” from the Patient Portal and that, although the Patient Portal registration process required consumers to consent to four separate authorizations, these authorizations were insufficient because they appeared in difficult-to-read small windows on the webpage and permitted a single-click authorization. This single-click authorization, according to the FTC, made it “easy to skip over them,” such that “[a]t no point . . . would it have been clear to the consumer that they were purportedly giving respondent permission to obtain their sensitive health information from third parties.”

Message of the Consent Order

Under the terms of the proposed Consent Orders approving the settlement, PaymentsMD and Hughes would agree to destroy all sensitive health information collected in relation to the Patient Health Report service. Further, the Consent Order requires PaymentsMD to obtain affirmative express consent from consumers before collecting information from third parties and provides clear instructions on the format and content of required disclosures.

The FTC’s intended meaning of affirmative express consent is frequently defined only in retrospect, and it seems to be different in different contexts based on the FTC’s view of the relevant facts and circumstances. In this case, these Consent Orders require that disclosures must be, “of a type, size, and location sufficiently noticeable for an ordinary consumer to read and comprehend them” and located “[s]eparate and apart from” any end user license agreement, privacy policy or terms of use page.

The FTC has published the proposed Consent Orders in the Federal Register. The agreement will be subject to a 30-day public comment period. Once finalized, the orders remain binding on any future action by the parties. Violations may result in a civil penalty of up to $16,000 per violation. The Consent Orders would remain in effect for 20 years each and would necessitate that PaymentsMD and Hughes make certain information available to the FTC upon request for five years. Required documentation would include all forms used to obtain affirmative express consent to collect health information from third parties.

Implications

This settlement reveals that patient authorizations and collection of health information are an area subject to increased attention by the FTC. Companies involved in the collection of sensitive health information or solicitation of online patient authorizations should use extra caution when obtaining consent and take steps to make consents for related services prominent and distinct from those associated with the primary service. In particular, entities collecting health information from consumers or third parties should consider the safeguards proposed under the Consent Orders, such as the apparent “separate click” and “separate page” requirements to mitigate risk under the FTC Act and other potentially applicable laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work.

Anna L. Spencer
Partner
+1.202.736.8445
aspencer@sidley.com

Meenakshi Datta
Partner
+1.312.853.7169
mdatta@sidley.com

Andrew J. Strenio
Partner
+1.202.736.8614
astrenio@sidley.com

Edward R. McNicholas
Partner
+1.202.736.8010
emcnicholas@sidley.com

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.

HHS Office for Civil Rights Releases Webinar on Recognized Security Practices: Provides Guidance on Mitigating Potential Violations of HIPAA

Pursuant to legislation passed in 2021, covered entities and business associates subject to HIPAA and facing potential regulatory enforcement may receive some credit lessening to reduce enforcement penalties if they had implemented Recognized Security Practices (RSPs) within the prior 12 months.  However, what may constitute RSPs and how a covered entity or business associate can demonstrate implementation of RSPs to receive such credit had not been clear.  Now, the Department of Health and Human Services is seeking to provide clarity.