Update: Practice Fusion responded to the Forbes story. See the Comments section below for a link to their statement.
Kashmir Hill writes:
Medical records start-up Practice Fusion has attracted a whopping $134 million in venture capital thanks to its appealing business model: it offers 100,000 (and counting) medical types free, web-based patient management services. The doctors get for free something that’s usually quite expensive, while cashing in on $150 million (so far) in government incentives to adopt electronic health record technology. Practice Fusion gets an attractive platform of doctors that medical labs, hospitals and medical billers pay to access. “Our community drives $100 billion in spend,” says CEO Ryan Howard. The start-up also gets data on 75 million patients’ health conditions and prescriptions, which it de-identifies and then makes available to analysts, pharma companies, and market research types, who also pay. You can see why a VC firm like Kleiner Perkins put $70 million into the start-up this September, valuing it at $700 million. It’s like Facebook but with tons of valuable medical data.
But the start-up could have a big privacy problem thanks to a doctor review site it launched in April. ‘Patient Fusion’ debuted with 30,000 doctor profiles and a stunning two million reviews, all from verified patients of the doctors. The site came as a surprise to some doctors – who knew the start-up emailed their patients appointment and prescription reminders but didn’t realize it had been reaching out to their patients after visits asking for reviews. And it is likely a surprise to some of the patients whose reviews are available publicly on the site. There are candid reviews with sensitive medical data and “anonymous reviews” that contain patients’ full names and/or contact details, suggesting they didn’t realize that what they were writing was going to be made public.
Read more on Forbes.
This sounds like a HIPAA/CMIA/FTC nightmare brewing. Practice Fusion has a lengthy privacy policy that says, in part:
Confidentiality of Health Information: Some of our users – such as healthcare providers – are subject to laws and regulations governing the use and disclosure of health information they create or receive. Included among them is the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health of 2009 (“HITECH”), and the regulations adopted thereunder. When we store, process or transmit “individually identifiable health information” (as such term is defined by HIPAA) on behalf of a health care provider who has entered a Healthcare Provider User Agreement, we do so as its “business associate” (as also defined by HIPAA). Under this agreement, we are prohibited from, among other things, using individually identifiable health information in a manner that the provider itself may not. We are also required to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity and availability of individually identifiable health information we store and process on behalf of such providers. To see our Healthcare Provider User Agreement, and to specifically review our business associate obligations, please review Sections 4.1.8 and 9 of that agreement. We are also subject to laws and regulations governing the use and information of certain personal and health information, including HIPAA, when we operate as a business associate of a healthcare provider.
If patients weren’t properly informed about the public nature of their feedback and didn’t provide informed consent, I’d say that Practice Fusion has a whopping HIPAA privacy disclosure breach on its hands. Hopefully, HHS is looking into this whole thing. And if healthcare providers didn’t fully understand how Practice Fusion would be using the information provided, then that’s a second round of complaints, and a second matter to be investigated.
Update: Practice Fusion tweeted the following to me:
@PogoWasRight it’s hit-you-across-the-face-clear. Here’s the form patients filled out: pic.twitter.com/QXekvyGzXF
— Mototwit (@Mototwit) October 25, 2013
Well, now I can appreciate why they thought the authorization was clear and sufficient, but it probably would have been prudent not to use any names at all on the public web site, and to give the provider the option of receiving the patient’s name at the patient’s discretion. I also think that they need to replace “may be published online” with “will be published online if it adheres to our commenting policy.” In going back through Kashmir Hill’s article, she made what she thought (and a reasonable person might think) was a safe assumption: that people might be bothered or embarrassed if their comments were publicly visible. In looking at her report again, while she did find some reports showing doctors were upset, she did not have statements from any patients who were upset that their feedback appeared publicly. In a follow-up piece she wrote after Practice Fusion issued a response to the original story, she reported that she did reach out to some of the identifiable patients:
I reached out to two patients whose full names are revealed on the site. An Illinois woman who wrote that she needed a prescription for a “great deal of itch” told me that she didn’t know that the July 2013 message to her doctor was public but that she didn’t mind. “I guess it’s all right being up there. It probably won’t hurt me,” she said. “It was a while ago.”
A California man who used his full name to request a prescription for a cream that treats genital warts also said he didn’t realize he was writing a public review but that he “doesn’t mind it being up there.” “It’s for basal cell carcinoma,” he explained, saying he isn’t bothered by the world knowing that. He took pains to explain that his doctor is a good dermatologist, seeming protective of him and the implication that he would be blamed for the review being posted publicly.
I was not able to reach the patients who posted about burning sensations in their genitalia to see if they were equally comfortable with the public nature of their pubic problems.
The fact that the patients didn’t mind their review being publicly visible doesn’t negate the concern that despite what Practice Fusion says is a clear authorization, at least some patients may not fully understand what they are authorizing. And that is a problem.
Update 2: No sooner had I updated the above than Kashmir Hill pointed out to me that the screen shot Practice Fusion provided was not the screen patients saw in the past:
@Mototwit @a90 that has been altered/photoshopped. version Practice Fusion provided to me does not contain the orange http://t.coqTeI1aqLx6
— Kashmir Hill (@kashhill) October 25, 2013
In response, Practice Fusion acknowledged that what they provided me was a more recent screen shot but insist that consent was obtained:
@kashhill @a90 just confirmed the screenshot I provided is what patients see now. however, it is still false to say consent was not obtained
— Mototwit (@Mototwit) October 25, 2013
Practice Fusion’s official response to this story can be found here: http://www.practicefusion.com/blog/patient-surveys-and-appointment-booking/
Thank you for letting us know about the statement.