Dive Brief:
- The Federal Trade Commission has voted 5-0 to approve final orders to resolve the case of Atlanta-based medical billing company PaymentsMD and its former CEO, Michael C. Hughes, who were determined to have collected customers' medical data without obtaining consent.
- The FTC's complaint alleged that Payments MD had altered a consumer health billing website to get the signup to include permission to collect users' medical information for an EHR portal site. The company is said to have contacted healthcare organizations to obtain their information without adequately informing the consumers.
- The information sought included "prescriptions, procedures, medical diagnoses, lab tests performed and the results of tests, among other information." The FTC states that in all but one case, the organizations contacted for information denied the requests because they included requests for data on minors and for people who were not customers of those companies.
Dive Insight:
The terms of the settlements require that PaymentsMD and Hughes must "destroy any information collected related to the Patient Health Report service," the FTC states. In addition, they are expressly banned from "deceiving consumers about the way they collect and use information," and required to obtain consumers' "affirmative express consent before collecting health information about a consumer from a third party."
"Consumers' health information is as sensitive as it gets," said Jessica Rich, director of the FTC's Bureau of Consumer Protection, when the settlements were first announced in December. "Using deceptive tactics to gain consumers' 'permission' to collect their full health history is contrary to the most basic privacy principles."