In an age when many of us briskly scroll through website terms and conditions and check, “I agree” without thinking, how should businesses design their websites to obtain proper authorization to access users’ sensitive information? The announcement of the settlement of a pair of recent FTC complaints against PaymentsMD, a medical billing services provider and its former CEO, and the resulting settlement, provide some important guidance, at least with regard to health information practices. In that settlement, the Atlanta-based health billing company and its former CEO settled charges that they misled thousands of consumers who signed up for an online billing portal by failing to adequately inform them that the company would seek highly detailed medical information from pharmacies, medical labs and insurance companies.
First, when dealing with health information, firms must, in the words of the settlement, “clearly and prominently disclose to consumers […] practices regarding the collection, use, storage, disclosure or sharing of health information prior to seeking authorization from a third party.”
“Clearly and prominently” will mean different things depending on the medium. Textual communications should be “of a type, size, and location sufficiently noticeable for an ordinary consumer to read and comprehend them, in print that contrasts highly with the background on which they appear.” When text communications are made online, the FTC believes that the required disclosures should conform to that format, and should be “unavoidable.” In the complaints, the FTC noted that PaymentsMD sought four separate, lengthy authorizations during registration for their free medical billing service. Two of the authorizations, if the user scrolled far enough, contained language allowing PaymentsMD to seek health information about the user from third parties. Each authorization had its own small text box, displaying only six lines of text at a time, and users could skip responding to each of the four by clicking a single box at the top of the page.
Second, firms must be clear about the purpose for which information is sought, and how it will be used. The FTC alleged that PaymentsMD used the authorization obtained by users registering for its free medical billing service to obtain information for its pay-only medical records service, a fact that PaymentsMD did not “disclose adequately” to users. The authorizations simply said that health information “may be used or disclosed.” Because this information “would be material to consumers in deciding whether to register” for the free service, FTC alleged that PaymentsMD had engaged in a “deceptive practice” under Section 5(a) of the FTC Act, 15 U.S.C. §45(a).
In its press release[link to press release], FTC Consumer Protection Bureau director Jessica Rich said, “Consumers’ health information is as sensitive as it gets.” The FTC takes health information seriously, as do consumers. Businesses should as well, right down to how they design their websites.