
Lessons Learned from Practice Fusion’s FTC Charges and Settlement

Posted on July 21, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Almost 3 years ago I wrote an article about Practice Fusion violating some physicians’ trust in sending millions of emails to their patients. It’s still shocking to me to read through the physicians’ reaction to having emails unknowingly sent out in their name to their patients. I spent about a month researching that story. That’s longer than I’ve done for any other article by a significant margin. What I discovered was just that compelling.

When I first was told about the story, it seemed possible that each of those emails (we estimated 9 million) was a HIPAA violation. However, as we researched the story more and talked with multiple experts, it seemed like only a small subset could have possibly been considered a HIPAA violation. Practice Fusion had done a pretty reasonable job on the HIPAA front in our opinion. We all learned a lot about HIPAA and patient emails from the experience. Not to mention the importance of physician trust in your EHR product.

With that said, Forbes read my articles and decided to write an article that extended on the research that I’d done for the story along with a follow up article that looked at some of the things patients were posting publicly in these physician reviews. Forbes didn’t link to my article since I was pretty cautious with the whole thing after Practice Fusion had threatened sending their lawyers my way. I didn’t have a bevy of lawyers behind me like Forbes. Plus, some other crazy things happened like people trying to discredit me in the comments from the same IP address in San Francisco and a fabricated blog post to try and discredit what I’d written. Needless to say, it was quite the experience.

There were some people encouraging me to take it much further and to expose some of the crazy things that went down. That wasn’t my interest. I’d told an important story that needed to be told in what I believed was a fair and accurate way. I didn’t have any other goals despite some people insinuating that I might have other intentions.

Three years after I wrote that story it’s interesting to see that the FTC finally published the complaint against Practice Fusion (they also shared an analysis) and the Settlement agreement. I guess our government does work as slow as we all imagine.

I’m not going to dive into the details of the settlement here, but I did discuss the lessons we can learn from Practice Fusion’s FTC complaint and settlement with Shahid Shah and from our discussion I came up with these important lessons that apply to any company working in healthcare IT.

Healthcare Needs to Worry About More Than HIPAA and OCR
I think that many healthcare IT organizations only worried about HIPAA and OCR (which enforces HIPAA) when developing their products and implementing them in healthcare. This example clearly illustrates that the FTC is interested in what you do in healthcare and they’re not just going to defer to OCR to ensure that things are going right. This is particularly true as healthcare becomes more and more consumer oriented. This advice is also timely given ONC’s report to Congress about health data oversight beyond HIPAA.

Healthcare Interoperability and Public Disclosure Might Be Worse
One challenge with the FTC settlement is that it could cause many other healthcare IT vendors to use it as an excuse not to take the next step in engaging patients, sharing health information where it’s needed, and other things that will help to improve healthcare. The fear of government condemnation could cause many to balk at progressive initiatives that would benefit patients.

While I do think healthcare IT companies should be cautious, fear of the FTC shouldn’t be used as an excuse to do nothing. The reality of the Practice Fusion case wasn’t that they shouldn’t have built the product they did, it was just that they needed to better communicate what they were doing to both doctors and patients. If they had done so I wouldn’t have had an article to write and the FTC wouldn’t have had any issue with what they were doing.

Communicate Properly to Patients
Reading the FTC claim was interesting to me. In the month I spent researching the story, I felt that Practice Fusion had done a great job in their privacy notice saying that the patient’s review would be posted publicly. It stated as much in their policy and I found no fault in their posting the patient reviews in public. That’s why I didn’t write about them in my articles. Certainly they could have made it more clear to patients, but I put the responsibility on the patient to read the privacy policy. If the patient chooses not to read the privacy policy when sharing really intimate personal details in an online form, then I don’t have much sympathy for them.

Of course, I’m not a lawyer and the FTC found very differently. The FTC thought that the disclosure to the patient should have reached out and grabbed consumers and that the key facts shouldn’t be buried in a hard-to-understand privacy policy. A good lawyer can help an organization find the balance of effectively meeting the FTC requirements, but also not scaring patients away from participating. Although, it can certainly be a challenge.

If You Can Identify Private Information You Should
There are some obvious things that we all know shouldn’t be posted publicly. These days with technologies like NLP (natural language processing), you can identify many of these obvious pieces of private data and ensure they’re hidden and never go public. These technologies aren’t perfect, but having them in place will show that you’ve made a best effort to ensure that consumers’ health data is kept as private as possible.

Communicate Better with Doctors
This might be the biggest thing I learned from the experience. I find it interesting that the FTC complaint barely even talks about it (maybe it’s not under the FTC’s purview?). However, what came through loud and clear from this experience is that you need to effectively communicate what you’re doing to the doctor. This is particularly true if you’re doing something in the doctor’s name. If not, you’re going to lose the trust of doctors.

The FTC has a blog post up which has more lessons for those of us in the healthcare industry. They’re worthy of consideration if you’re a health IT company that’s working with patients (yes, that’s pretty much all of you).

P.S. I find it interesting that the Patient Fusion website still lists 30,061 doctors on Patient Fusion, 181,818 appointments today, 1,844,718 reviews, and 98% doctors recommended. The same numbers that were listed back in 2013.

I guess that page isn’t a real time feed. I also looked at the Patient Fusion website today to see how they showed reviews now. I didn’t scour the whole website, but it appears that they now only show the quantitative review score and not the qualitative review.

Accountable Care Organizations and SCOTUS

Posted on June 19, 2012 | Written By John Lynn

The Supreme Court ruling on SCOTUS is likely to come sometime this month. There are all sorts of opinions out there about what’s going to happen to the ruling, but a recent tweet caused me to stop and think about the real impact of SCOTUS. The tweet (which sadly I can’t find again) said something about the Supreme Court’s ruling on Obamacare and SCOTUS really doesn’t matter to healthcare since the change in care model has already been started.

I take one slight exception to this comment. I agree that the ACO (Accountable Care Organization) movement and all that it embodies is already upon us and won’t be affected by the Supreme Court’s decision on SCOTUS. However, I think the SCOTUS legal decision does matter and will still have an impact on healthcare. Not to mention the politics related to the decision. Although, I’ll leave both of those topics for a different blog.

I do think it’s worth exploring ACOs and why SCOTUS or NO-SCOTUS, ACOs are here to stay in healthcare.

Dave Chase recently said in a Forbes article that “More than 80% of the newly formed ACOs are driven solely by private sector efforts.”

I believe that Dave Chase got these numbers from an ACO Watch article about a Leavitt Partners study on ACO growth and dispersion. It’s a powerful number to consider that despite all the efforts by government to move to accountable care organizations that only 20% of the newly formed ACOs came from the government. What a healthy thing and a great illustration of why SCOTUS won’t impact ACOs in any major way.

Dave Chase in the above linked article adds this additional quote from Philip Betbeze:

As Philip Betbeze stated, “In their day-to-day-lives, it [the SCOTUS decision] largely won’t affect the 180-degree shift they’re making in reimbursement philosophy. For most systems, those changes are taking place largely at the behest of commercial plans and local employers.” The fee-for-value train has left the station. Woe is the health system that hasn’t made aggressive moves to reinvent themselves.

We’re still early in the reimbursement philosophy switch, but the winds of change are upon us. Personally I’m excited to see how health systems reinvent themselves. I think this reinvention will be around these key pillars:

*Communication – ACOs will drive better communication. This will include patient to doctor, doctor to doctor, and even patient to patient. The beauty is that in an ACO, the goal will be for the patient not to come to the office instead of the de facto “come to the office” answer most practices give today.

*Data – Practices better be preparing for the tsunami of healthcare data on the horizon. How an ACO takes that data and uses it to improve patient care is going to be key.

If you look at these pillars of an ACO, are they even possible to deal with without technology?

Terrible Forbes Article – “Open Source Debut in Healthcare”

Posted on December 13, 2010 | Written By John Lynn

I still have a hard time calling myself a writer or even press (although it’s convenient for getting into conferences). Plus, I think I reach, influence and interact with as many or more people than the traditional healthcare journalist. However, there’s something liberating about being called a blogger instead of a journalist because the standard and approach is different.

At least I thought that was the case until I read this article on Forbes.com which declares Allscripts’ new API as “Open Source’s Debut in Healthcare.” Ok, to be fair, it was written on a Forbes healthcare blog and not their magazine, but as a blogger I’m embarrassed that a Forbes blogger would write such a terrible article.

Let me set the record straight. Allscripts launched an interesting API (which they call an “Application Store & Exchange”). It’s a sort of app store for healthcare IT. This is interesting news and worthy of a story. What it’s not is open source entering healthcare.

Maybe there is some sliver of open source software that’s part of the Allscripts API/App store (or maybe not), but that’s backed by a heavy set of proprietary Allscripts software. It’s not like Allscripts has open sourced their MyWay or Allscripts Professional EHR. Then, you could really talk about Allscripts entering the open source EMR world. This is NOT!

Besides saying that it is open source when it’s not, there is the blogger’s headline that this is the first open source in health care. That’s just absolutely silly. Here are just a few of the Open Source EMRs on the EMR and HIPAA wiki page that have been around for quite a while, led, I believe, by OpenEMR and the various flavors of Open Source Vista EMR.

Honestly, Zina Moukheiber should be embarrassed by what she wrote. Even a blogger should be held to a higher standard than what she wrote. Of course, the sad part is that her mistakes likely drove a ton of traffic to the post. It’s her top post with 51 people tweeting the post and 15 people sharing it on Facebook. Too bad she lost all credibility in the process so the short term spike won’t turn into long term readers.