After Practice Fusion settled charges with the Federal Trade Commission in June that it misled patients about the privacy of their data, the FTC has submitted its final order for the EHR vendor, detailing requirements related to handling patient privacy moving forward.
In June, Practice Fusion agreed to settle charges from the FTC alleging the vendor did not adequately inform patients that information they were submitting to a survey would be made public. The vendor was planning to launch a public-facing provider directory and sought patient reviews of physicians that used the vendor's platform using the information they provided in the survey. The complaint against Practice Fusion alleges the company did not inform patients their survey answers would be posted online.
The final order requires Practice Fusion to accurately represent how it plans to use, maintain and protect any covered information, and if it plans to make any consumers' information publicly available, the vendor must "clearly and conspicuously disclose to the consumer" its intentions and explicitly obtain their consent to do so.
The final order also requires Practice Fusion to acknowledge it has received the order. The vendor will also have to regularly submit compliance reports to the FTC.
The final order is valid for 20 years.
More articles on patient privacy:
Will understanding hackers' incentives reduce the threat of breaches?
From the Hippocratic Oath to HIPAA: A history of patient privacy
Apple CEO Tim Cook on encryption, privacy and the battle with the FBI