
Lessons Learned from Practice Fusion’s FTC Charges and Settlement

Posted on July 21, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Almost 3 years ago I wrote an article about Practice Fusion violating some physicians’ trust in sending millions of emails to their patients. It’s still shocking to me to read through the physicians’ reaction to having emails unknowingly sent out in their name to their patients. I spent about a month researching that story. That’s longer than I’ve done for any other article by a significant margin. What I discovered was just that compelling.

When I first was told about the story, it seemed possible that each of those emails (we estimated 9 million) was a HIPAA violation. However, as we researched the story more and talked with multiple experts, it seemed like only a small subset could have possibly been considered a HIPAA violation. Practice Fusion had done a pretty reasonable job on the HIPAA front in our opinion. We all learned a lot about HIPAA and patient emails from the experience. Not to mention the importance of physician trust in your EHR product.

With that said, Forbes read my articles and decided to write an article that extended on the research that I’d done for the story along with a follow-up article that looked at some of the things patients were posting publicly in these physician reviews. Forbes didn’t link to my article since I was pretty cautious with the whole thing after Practice Fusion had threatened sending their lawyers my way. I didn’t have a bevy of lawyers behind me like Forbes. Plus, some other crazy things happened like people trying to discredit me in the comments from the same IP address in San Francisco and a fabricated blog post to try and discredit what I’d written. Needless to say, it was quite the experience.

There were some people encouraging me to take it much further and to expose some of the crazy things that went down. That wasn’t my interest. I’d told an important story that needed to be told in what I believed was a fair and accurate way. I didn’t have any other goals despite some people insinuating that I might have other intentions.

Three years after I wrote that story it’s interesting to see that the FTC finally published the complaint against Practice Fusion (they also shared an analysis) and the Settlement agreement. I guess our government does work as slow as we all imagine.

I’m not going to dive into the details of the settlement here, but I did discuss the lessons we can learn from Practice Fusion’s FTC complaint and settlement with Shahid Shah and from our discussion I came up with these important lessons that apply to any company working in healthcare IT.

Healthcare Needs to Worry About More Than HIPAA and OCR
I think that many healthcare IT organizations only worried about HIPAA and OCR (which enforces HIPAA) when developing their products and implementing them in healthcare. This example clearly illustrates that the FTC is interested in what you do in healthcare and they’re not just going to defer to OCR to ensure that things are going right. This is particularly true as healthcare becomes more and more consumer oriented. This advice is also timely given ONC’s report to congress about health data oversight beyond HIPAA.

Healthcare Interoperability and Public Disclosure Might Be Worse
One challenge with the FTC settlement is that it could cause many other healthcare IT vendors to use it as an excuse not to take the next step in engaging patients, sharing health information where it’s needed, and other things that will help to improve healthcare. The fear of government condemnation could cause many to balk at progressive initiatives that would benefit patients.

While I do think healthcare IT companies should be cautious, fear of the FTC shouldn’t be used as an excuse to do nothing. The reality of the Practice Fusion case wasn’t that they shouldn’t have built the product they did, it was just that they needed to better communicate what they were doing to both doctors and patients. If they had done so I wouldn’t have had an article to write and the FTC wouldn’t have had any issue with what they were doing.

Communicate Properly to Patients
Reading the FTC claim was interesting to me. In the month I spent researching the story, I felt that Practice Fusion had done a great job in their privacy notice saying that the patient’s review would be posted publicly. It stated as much in their policy and I found no fault in their posting the patient reviews in public. That’s why I didn’t write about them in my articles. Certainly they could have made it more clear to patients, but I put the responsibility on the patient to read the privacy policy. If the patient chooses not to read the privacy policy when sharing really intimate personal details in an online form, then I don’t have much sympathy for them.

Of course, I’m not a lawyer and the FTC found very differently. The FTC thought that the disclosure to the patient should have reached out and grabbed consumers and that the key facts shouldn’t be buried in a hard-to-understand privacy policy. A good lawyer can help an organization find the balance of effectively meeting the FTC requirements, but also not scaring patients away from participating. Although, it can certainly be a challenge.

If You Can Identify Private Information You Should
There are some obvious things that we all know shouldn’t be posted publicly. These days with technologies like NLP (natural language processing), you can identify many of these obvious pieces of private data and ensure they’re hidden and never go public. These technologies aren’t perfect, but having them in place will show that you’ve made a best effort to ensure that consumers’ health data is kept as private as possible.

Communicate Better with Doctors
This might be the biggest thing I learned from the experience. I find it interesting that the FTC complaint barely even talks about it (maybe it’s not under the FTC’s purview?). However, what came through loud and clear from this experience is that you need to effectively communicate what you’re doing to the doctor. This is particularly true if you’re doing something in the doctor’s name. If not, you’re going to lose the trust of doctors.

The FTC has a blog post up which has more lessons for those of us in the healthcare industry. They’re worthy of consideration if you’re a health IT company that’s working with patients (yes, that’s pretty much all of you).

P.S. I find it interesting that the Patient Fusion website still lists 30,061 doctors on patient fusion, 181,818 appointments today, 1,844718 reviews, and 98% doctors recommended. The same numbers that were listed back in 2013:

I guess that page isn’t a real time feed. I also looked at the Patient Fusion website today to see how they showed reviews now. I didn’t scour the whole website, but it appears that they now only show the quantitative review score and not the qualitative review.

Android Security Risks May Outweigh Benefits

Posted on April 26, 2013 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Not long ago, my colleague John Lynn made a compelling pitch for the Android platform, arguing that it’s likely to take over healthcare eventually given its flexibility.  That flexibility stands in sharp contrast to Apple phones and tablets, which work quite elegantly but also impose rigid requirements on app developers.

That being said, however, there are security risks associated with Android that might outweigh its advantages. The major carriers are doing little or nothing to upgrade and patch the Android versions on the phones they sell, leaving them open to security breaches.

The Android security problem is so egregious that the American Civil Liberties Union has filed a complaint with the  Federal Trade Commission, asking the agency to investigate how AT&T, Verizon, Sprint and T-Mobile handle software updates on their phones.

In the complaint, the civil liberties group argues that the carriers have been engaging in “unfair and deceptive business practices” by failing to let customers know about well-known unpatched security flaws in the Android devices that they sell.

What makes things worse, the ACLU suggests, is that the carriers aren’t even offering consumers the option to update their phones.  Though Google has continued to fix flaws in the Android OS, these fixes aren’t being bundled and pushed out to the wireless carriers’ customers.  As the ACLU rightly notes, such behavior is unheard of in the world of desktop operating systems, where consumers regularly get updates from Apple and Microsoft.

In its complaint the ACLU argues that the carriers must either provide security updates to customers or allow them to get refunds on their devices and terminate their contracts without any penalty. It’s asking the FTC to force the carriers’ hand.

In the meantime, with healthcare requiring strict data security under HIPAA, one has to wonder whether hospitals and medical practices should be using Android devices at all (at least for their work). Of course, clinicians who are accustomed to using their personal Android phones or tablets will be inconvenienced and probably fairly annoyed too. But as things stand, hospital CIOs had better be really careful about how they handle Android phones in the healthcare environment.

Redesigning The Patient Medical Record, the Healthcare Challenge’s Results

Posted on January 28, 2013 | Written By John Lynn

The following is a guest post by Carl Bergman from EHR Selector.

The Obama administration’s Challenge.gov site encourages the public to submit suggestions that solve specific public policy questions. To do this, it’s set up dozens of contests or challenges. For example, the FTC has a $50,00 challenge for a solution to illegal robocalls that often come from offshore.

In healthcare, the VA and the ONC recently ran a Health Design Challenge for a better patient health record, announcing the winners a few days ago.

The challenge asked for a record that:

  • Improves the visual layout and style of the information from the medical record
  • Makes it easier for a patient to manage his/her health
  • Enables a medical professional to digest information more efficiently
  • Aids a caregiver such as a family member or friend in his/her duties and responsibilities with respect to the patient

The entries were judged by a twelve-person panel ranging from Wired Magazine’s Executive Editor, Thomas Goetz, to Facebook’s Product Designer, Nicholas Felton, to Dr. Sophia Chang, the director of the Chronic Disease Care program of the California Health Care Foundation. They looked at several features of a revamped record, from overall appeal to how readily it shows important information and how accessible it is for physicians, patients, etc.

The Winners

The judges picked three big winners and three winners in the Problem History, Medication and Lab Summaries areas. Here’s a brief look at the top entries, but the submissions should be looked at more as a resource than a race result, as I’ll discuss.
[Image: Nightingale]
First place went to Nightingale, an anonymous group that won $16,000. Others won smaller amounts. In the next few months, elements of the winning designs will be put together and put up on Github.

Nightingale’s design stressed that health was a continuing concern and that a user should be able to see an improving or declining trend without having to dig for the data. They did this by integrating the often disparate information in visits, exams and lab results. You can see this emphasis in their lipid panel screen. Sliders place each test’s result in a range. Good results slide to green while poorer results move to red.
[Image: StudioTACK]
Second place StudioTACK took a somewhat similar approach to creating a problem history, which they call a medical strategy rather than a record. They did this by bringing their findings into a body map with references to location and organ.

Matthew Sanders’ CCD scored the best Problem History section award. Sanders rearranged and redesigned the traditional note not by condition nor by past chronology, but into a timeline of past, present and future actions. While he admits that his approach is somewhat redundant for meds, he emphasizes that this arrangement helps all the users maintain a focus on the most important areas for action. Sanders’ presentation notably describes how he implemented his approach. To do this, he stripped out standard label text, clarified terms and gave the remaining items visual emphasis. This type of analysis makes going through the submissions worth it.
[Image: Sanders CCD]
This isn’t to say that the way the contest was run and the approach of many submissions, including some prize winners, were without shortcomings. There were some notable problems.

The Contest’s Problems

The contest’s operators needed to be far more specific about what they wanted and how they judged the results.

The challenge’s purpose was far from clear:

The purpose of this effort is to improve the design of the medical record so it is more usable by and meaningful to patients, their families, and others who take care of them. This is an opportunity to take the plain-text Blue Button file and enrich it with visuals and a better layout. Innovators will be invited to submit their best designs for a medical record that can be printed and viewed digitally.

A medical record is an ongoing repository of a person’s health context, status, prognosis, plans, etc. It has many contributors and users. The VA’s Blue Button is a snapshot of the person’s status for their use. However, the contest uses these terms interchangeably. Due to this muddle, many of the submissions sent in designs for a medical record, while others, a minority, only redid the Blue Button’s outline. Thus, not all submissions were developed on the same basis. Indeed, the judges seem to acknowledge this since they gave first place to Nightingale, which claims, “to be a new take on health records.” The contest would have done much better if it asked for particular types of screens, putting everyone on the same page, as it were.

The contest judging panel, while distinguished, had no practicing physicians, nurses or practice managers, a significant failing. While three of the twelve judges are MDs, not one is a practicing physician.

Finally, if you’re going to hand out $50,000 in public funds, you might just want to say why you thought the winners stood out.

The Submissions

The contestants almost universally got one thing right. They designed their entries for desktops/laptops, pads and phones. They showed a great understanding that we don’t work on just one platform, but move from one to the other almost continuously. In this, they deserve much praise. However, all this cross-platform awareness is undone by an appalling overuse, underuse and misuse of font color and size. As one post noted about Nightingale:

The text is too small and medium gray on light gray is very hard to see, especially for older people and people on cheap computers with low contrast displays. How can this possibly be the first place winner?

The comment is generous. Nightingale’s gray on gray font is almost unreadable. Granted their submission is a PDF of a prototype, nonetheless the possibility of staring at their screens all day would give me a headache.

They are not alone in color misuse. Second place winner, Studio TACK, goes to excess the other way with a white text on red iPhone screen. It’s more suited to public safety than health.
[Image: StudioTack Mobile]
Going through the submissions, however, can be most rewarding. I found a gem of a summary page in Uncorkit’s submission. Their infographic approach puts not only labs and weight history on timelines, but also includes BP, conditions and meds. It gives you a great overview and a logical place to drill down for detailed information without overwhelming your senses.

The Health Challenge submissions have much to recommend them. Just remember how they came about and what they may or may not include.
[Image: Uncorkit]