The FTC’s recent settlement with a medical online payments company and its former CEO highlights the importance of using clear and non-deceptive notices when asking consumers to share or provide sensitive personal health information.

The FTC alleged that Atlanta-based PaymentsMD, LLC used deceptive methods to obtain permission from consumers to collect highly sensitive personal health information, including prescriptions, medical diagnoses, and lab test results.   (Click here for a copy of the complaint against PaymentsMD, LLC and here for a copy of the proposed consent order).  The FTC also issued a complaint and proposed consent order against the company’s part owner and former CEO, Michael Hughes, who was also the company’s sole employee.  According to the complaint against the former CEO, the alleged wrongdoing happened under his “direction and control.”

PaymentsMD operates an online medical billing portal that allows consumers to pay and view medical bills online.  Trouble arose when PaymentsMD began developing a separate service called “Patient Health Report” that allowed consumers to view their comprehensive online medical records.  To collect information for its new service, PaymentsMD revised the sign-up process for its standard “Patient Portal” billing service so, in addition to signing up to receive online billing information, consumers were also consenting to allow PaymentsMD to directly contact healthcare providers and request the consumer’s health information.

The FTC alleged that this consent process required consumers to give four separate consents that were presented in small windows that displayed only a small portion of the relevant text, and could all be simultaneously accepted by clicking only one box.

According to the FTC complaints, “Consumers would reasonably believe that all four authorizations were to be used to provide the Patient Portal billing services for which they were registering… At no point in registering for the Patient Portal would it have been clear to the consumer that they were purportedly giving respondent permission to obtain their sensitive health information from third parties for use in the Patient Health Report service.”

Although it agreed to the terms of the proposed consent order, PaymentsMD did not admit any wrongdoing.  As part of its settlement, PaymentsMD and its former CEO must:

  • destroy any information obtained in connection with the Patient Health Report service, and refrain from using such questionable consent procedures in the future;
  • clearly and prominently disclose its practices regarding the collection, use, storage, and sharing of health information to the consumer prior to seeking authorization to collect such information from a third party;
  • notify the FTC 30 days prior to any change, such as a dissolution, assignment, sale or merger, that may affect PaymentsMD’s compliance obligations under the consent order;
  • within 60 days, provide the FTC with a written report of the company’s compliance with the consent order, and provide a written report thereafter within 10 days if requested by the FTC; and
  • deliver a copy of the consent order to current and future subsidiaries, principals, officers, directors, managers, and to all current and future employees, agents and representatives with responsibilities related to the subject matter of the order;

The FTC enforcement arm will continue to monitor PaymentsMD for five years to ensure that it complies with the terms of its settlement.

The FTC will accept public comment on the PaymentsMD consent agreement for 30 days, through January 2, 2015.  Then the FTC will determine whether to make the proposed consent order final.

This case highlights the necessity of obtaining informed consent when gathering sensitive consumer information, in this case, personal health information which is also subject to protection under HIPAA.  Notably, however, the FTC was not offended here by the consent text itself.  Instead, the offense occurred in the manner the consent was obtained.  According to the FTC, PaymentsMD made it far too easy for a consumer to consent to allowing the company to obtain personal health information.  The FTC alleged that PaymentsMD acted deceptively by burying the relevant consent language in a long agreement that otherwise involved billing services, displaying the relevant text in “small windows”  and allowing consumers to express consent four times by simply clicking one box.