Lessons Learned from Practice Fusion’s FTC Charges and Settlement

Posted on July 21, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Almost 3 years ago I wrote an article about Practice Fusion violating some physicians’ trust in sending millions of emails to their patients. It’s still shocking to me to read through the physicians’ reaction to having emails unknowingly sent out in their name to their patients. I spent about a month researching that story. That’s longer than I’ve done for any other article by a significant margin. What I discovered was just that compelling.

When I first was told about the story, it seemed possible that each of those emails (we estimated 9 million) was a HIPAA violation. However, as we researched the story more and talked with multiple experts, it seemed like only a small subset could have possibly been considered a HIPAA violation. Practice Fusion had done a pretty reasonable job on the HIPAA front in our opinion. We all learned a lot about HIPAA and patient emails from the experience. Not to mention the importance of physician trust in your EHR product.

With that said, Forbes read my articles and decided to write an article that extended on the research that I’d done for the story along with a follow up article that looked at some of the things patients were posting publicly in these physician reviews. Forbes didn’t link to my article since I was pretty cautious with the whole thing after Practice Fusion had threatened sending their lawyers my way. I didn’t have a bevy of lawyers behind me like Forbes. Plus, some other crazy things happened like people trying to discredit me in the comments from the same IP address in San Francisco and a fabricated blog post to try and discredit what I’d written. Needless to say, it was quite the experience.

There were some people encouraging me to take it much further and to expose some of the crazy things that went down. That wasn’t my interest. I’d told an important story that needed to be told in what I believed was a fair an accurate way. I didn’t have any other goals despite some people insinuating that I might have other intentions.

Three years after I wrote that story it’s interesting to see that the FTC finally published the complaint against Practice Fusion (they also shared an analysis) and the Settlement agreement. I guess our government does work as slow as we all imagine.

I’m not going to dive into the details of the settlement here, but I did discuss the lessons we can learn from Practice Fusion’s FTC complaint and settlement with Shahid Shah and from our discussion I came up with these important lessons that apply to any company working in healthcare IT.

Healthcare Needs to Worry About More Than HIPAA and OCR
I think that many healthcare IT organizations only worried about HIPAA and OCR (which enforces HIPAA) when developing their products and implementing them in healthcare. This example clearly illustrates that the FTC is interested in what you do in healthcare and they’re not just going to defer to OCR to ensure that things are going right. This is particularly true as healthcare becomes more and more consumer oriented. This advice is also timely given ONC’s report to congress about health data oversight beyond HIPAA.

Healthcare Interoperability and Public Disclosure Might Be Worse
One challenge with the FTC settlement is that it could cause many other healthcare IT vendors to use it as an excuse not to take the next step in engaging patients, sharing health information where it’s needed, and other things that will help to improve healthcare. The fear of government condemnation could cause many to balk at progressive initiatives that would benefit patients.

While I do think healthcare IT companies should be cautious, fear of the FTC shouldn’t be used as an excuse to do nothing. The reality of the Practice Fusion case wasn’t that they shouldn’t have built the product they did, it was just that they needed to better communicate what they were doing to both doctors and patients. If they had done so I wouldn’t have had an article to write and the FTC wouldn’t have had any issue with what they were doing.

Communicate Properly to Patients
Reading the FTC claim was interesting to me. In the month I spent researching the story, I felt that Practice Fusion had done a great job in their privacy notice saying that the patient’s review would be posted publicly. It stated as much in their policy and I found no fault in their posting the patient reviews in public. That’s why I didn’t write about them in my articles. Certainly they could have made it more clear to patients, but I put the responsibility on the patient to read the privacy policy. If the patient chooses not to read the privacy policy when sharing really intimate personal details in an online form, then I don’t have much sympathy for them.

Of course, I’m not a lawyer and the FTC found very different. The FTC thought that the disclosure to the patient should have reached out and grabbed consumers and that the key facts shouldn’t be buried in a hard-to-understand privacy policy. A good lawyer can help an organization find the balance of effectively meeting the FTC requirements, but also not scaring patients away from participating. Although, it can certainly be a challenge.

If You Can Identify Private Information You Should
There are some obvious things that we all know shouldn’t be posted publicly. These days with technologies like NLP (natural language processing), you can identify many of these obvious pieces of private data and ensure they’re hidden and never go public. These technologies aren’t perfect, but having them in place will show that you’ve made a best effort to ensure that consumers health data is kept as private as possible.

Communicate Better with Doctors
This might be the biggest thing I learned from the experience. I find it interesting that the FTC complaint barely even talks about it (maybe it’s not under the FTC’s purview?). However, what came through loud and clear from this experience is that you need to effectively communicate what you’re doing to the doctor. This is particularly true if you’re doing something in the doctors name. If not, you’re going to lose the trust of doctors.

The FTC has a blog post up which has more lessons for those of us in the healthcare industry. They’re worthy of consideration if you’re a health IT company that’s working with patients (yes, that’s pretty much all of you).

P.S. I find it interesting that the Patient Fusion website still lists 30,061 doctors on patient fusion, 181,818 appointments today, 1,844718 reviews, and 98% doctors recommended. The same numbers that were listed back in 2013:

I guess that page isn’t a real time feed. I also looked at the Patient Fusion website today to see how they showed reviews now. I didn’t scour the whole website, but it appears that they now only show the quantitative review score and not the qualitative review.