FTC cracks down on Practice Fusion for privacy violations

02:05 pm

On Tuesday, the U.S. Federal Trade Commission approved a final order with EHR vendor Practice Fusion that will consent to a 20-year privacy practice order, stemming from its highly-publicized privacy scandal.

The settlement was first announced in June, and after a 30-day comment period, the final order was unanimously approved, 3-0.

Practice Fusion was charged with soliciting reviews from patients and posting them online -- without concealing personal identification information. According to the FTC, the patients in question were unaware their information would be disseminated online.

The FTC charged that although there was a privacy policy online, from 2012-2013 Practice Fusion didn’t warn patients their reviews would be publically available.

"Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public," Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a statement. "Companies that collect personal health information must be clear about how they will use it – especially before posting such information publicly on the Internet."

Under the final agreement, Practice Fusion is prohibited from misrepresenting the extent of its use of any patient information, including the data it makes publicly available and the vendor cannot post any personal identifiable information of its patients online without the explicit consent of the patient.

Further, Practice Fusion is prohibited from commercially exploiting or publicizing  review information - which was the cornerstone of the scandal. The FTC will be allowed access to company records and use any means to make sure Practice Fusion remains compliant.

Practice fusion will be liable for civil penalties up to $40,000 per violation of the final order, according to FTC Secretary Donald S. Clark.

“As is the case with all Commission orders, Commission staff will closely monitor Practice Fusion’s conduct to determine whether any violations occur,” Clark continued in a statement. “In light of these considerations, the Commission has determined that the public interest would best be served by issuing the Decision and Order in the above-titled proceeding in final form without any modifications.”

The FTC’s order spans 20 years and, as such, terminates on August 15, 2036.


The latest news in digital health delivered daily to your inbox.

Thank you for subscribing!
Error! Something went wrong!