The FTC charges that Atlanta-based PaymentsMD and its former CEO Michael Hughes “deceptively” obtained consumers’ consent to access their medical information through the registration process for the billing system’s patient portal. The system’s patient portal only allowed consumers a view of their billing history.
PaymentsMD and a third party allegedly started to develop a separate service, Patient Helath Report, that would provide consumers with online medical records. The companies had to acquire the medical information in order to create the medical records, the FTC charges.
The complaints allege consumers consented to making their health information available on authorizations presented while signing up for the patient portal. “Consumers registering for the patient portal billing service would have reasonably believed the authorizations were to be used for just that — billing,” according to an FTC news release.
PaymentsMD and Mr. Hughes must destroy any information they collected related to the Patient Health Report service and moving forward must obtain consumers clear consent before collecting health information about consumers from a third party.
More articles on data privacy:
8 statistics on consumer concerns with health data privacy
Americans unconcerned about health data privacy, poll shows
3 new challenges with HIPAA and data security
