Governance & Risk Management , Privacy

FTC Orders Privacy Changes at Payments Portal

Experts Compare PaymentsMD Case, Concerns
FTC Orders Privacy Changes at Payments Portal

A new final order from the Federal Trade Commission that calls for medical billing company PaymentsMD to change its practices related to the collection and disclosure of consumers' personal health information raises issues that bear some similarities to concerns over Obamacare website's privacy practices.

See Also: Zero Trust Cybersecurity for Federal Agencies: Building an Integrated Approach

The FTC recently approved a final settlement resolving complaints that Atlanta-based PaymentsMD and its former CEO, Michael C. Hughes, violated consumers' privacy by collecting personal medical information without their consent (see FTC Settles Deceptive Patient Portal Case).

The final order by the FTC resolves complaints the commission filed in early 2014, alleging the company and its CEO misled thousands of consumers who signed up for an online medical billing portal by failing to adequately inform them that the company would also seek detailed medical information from third parties, including pharmacies, medical labs and insurance companies.

As part of the settlement order, PaymentsMD agreed to destroy the consumer data it inappropriately collected, and it must obtain express consent from consumers before collecting health information from a third party.

Under the settlement, PaymentsMD must also not misrepresent how the company uses, maintains and protects the privacy and security of sensitive information collected from or about consumers. This includes sensitive consumer data that PaymentsMD seeks from, or shares with, third parties.

Similarities to Concerns?

Some privacy and security experts say the FTC's concerns about PaymentsMD's data privacy practices touch upon similar issues that emerged in a recent controversy over the Obamacare website sending consumer data to third-party commercial tracking websites (see Makes Privacy Fixes).

The Department of Health and Human Services last month made a number of fixes to the website to scale back the release of consumer data to third-party sites. The HHS fixes came in response to heavy criticism from privacy watchdogs who discovered that the site was sending personal information - including ZIP code, income level, smoking status, pregnancy status and more - to at least 14 third-party domains, even if the user had enabled "do not track."

"The FTC's enforcement [in the PaymentsMD case] does put the government in a strange spot, with the FTC bringing actions to impose greater transparency, while HHS fields criticism that its data sharing practices with respect to are not sufficiently transparent," says privacy attorney Adam Greene of law firm David Wright Tremaine. "But if the FTC had to wait for all of the federal government to demonstrate perfect privacy and security practices before taking actions against private entities, then we would not have much privacy and security enforcement anywhere."

Some privacy experts point out, however, that the FTC's complaint against PaymentsMD differs in several ways from the privacy concerns over

"Reasonable minds can differ on whether it is appropriate for the government to share consumer information with third-party companies, but the [] website provides the consumer notice that such sharing could take place," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.

"There is a significant distinction between the activities in which PaymentsMD engaged in and the information sharing alleged by," he notes. "PaymentsMD was found to have engaged in deceptive trade practices because it used trickery to obtain the authorizations to disclose the protected health information of individuals that were then presented to the patient's healthcare treatment providers and health insurers to obtain sensitive health information without their knowledge or consent. has a privacy policy that is available through every page on its website that describes 'how uses third-party websites and applications,' and 'links to other sites'."

Government Scrutiny

Some members of Congress are seeking answers from the Obama administration about the privacy practices of in the wake of the revelation that consumer data was being sent to third-party sites. That includes a joint hearing dubbed, "Can Americans Trust the Privacy and Security of their Information on" slated for Feb. 12 by the House Subcommittee on Research and Technology and House Subcommittee on Oversight.

But it's unlikely the FTC would get involved in the privacy dispute, Greene says.

"The issues surrounding may not be subject to FTC enforcement or that of most other privacy and security regulators," Greene says. "Rather, may be subject to the federal Privacy Act and Federal Information Security Management Act (FISMA), with the potential that the Department of Justice, HHS Office of Inspector General, or Government Accountability Office may be in the best position to review its practices. Of course, any issues surrounding represent a unique political firestorm."

As for the FTC's settlement with PaymentsMD, the case offers a lesson for all healthcare-related entities, Holtzman says. "Healthcare providers and portal operators should take this opportunity to review their terms of use agreement and privacy policies to make sure that they fully disclose the type of information collected from patients, that consumers are given choices on how much information is collected as well as providing consumers controls or choice on what is shared with third parties, and for what purposes."

The FTC case also offers a warning to others that deceive patients about their data privacy, he says. "The great majority of healthcare providers and operators of patient portals should be heartened that the government is policing the healthcare marketplace to weed out companies that undermine consumer trust by using deception to obtain private or sensitive information," Holtzman says.

The biggest impact of the FTC settlement with PaymentsMD, Greene says, is on "other commercial healthcare payment portals, with the PaymentsMD case providing guidance on what to do and what not to do." That's because "it is less clear whether the FTC case impacts most healthcare providers with respect to their patient portals, as there is some question regarding whether the FTC has jurisdiction over non-profits, since they arguably are not engaged in commerce."

Complaints Against PaymentsMD

According to the FTC complaint, PaymentsMD since 2008 operated a website on which consumers could pay their medical bills online. In 2012, PaymentsMD and a third-party vendor, Metis Health LLC, began developing a separate service, Patient Health Report, designed to provide consumers with online access to their comprehensive medical records.

The FTC alleged that to collect the patients' medical records to populate the Patient Health Record portal, PaymentsMD altered the registration process for its billing portal to include permission for the company and its partners to contact consumers' healthcare providers to obtain their medical information.

Neither PaymentsMD nor FTC responded to Information Security Media Group's request for comment.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.