FTC: Online Billing Service Deceptively Collected Medical Records

itwbennett writes The FTC has reached a proposed settlement with PaymentsMD, an Atlanta health billing company that used the sign-up process for its billing service to surreptitiously seek customers' consent to obtain detailed medical information. The medical information PaymentsMD requested included customers' prescriptions, procedures, medical diagnoses, lab tests performed and their results, and other information, the FTC said. The bright spot in all this: In all but one case, the health care providers contacted for data refused to comply with PaymentsMD's requests.

I take it

[msobkow]

I take it the one medical provider who had the major screwup of providing such personal and private data has had their license revoked and is now out of business?

Re:

[dbc]

Eh, I think HIPPA (or whatever the acronym is..) only threatens you with draconian fines.

Re:

[Njorthbiatr]

So let's give them draconian fines.

Re:

[Anonymous Coward]

Criminal Penalties
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, whom "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Re:

[cdrudge]

But it sounds like the service did tell customers they were collecting the information, and required for the consent to do so. It was just buried in a kajilion screens of 6 lines of text each. Shady? Yes. Should be fined? Definitely. Criminally culpable to the point that the guilty need to serve a prison sentence? eh...no so sure.

Re:I take it

[sribe]

I take it the one medical provider who had the major screwup of providing such personal and private data has had their license revoked and is now out of business?

Why? If someone comes to your doctor with a release approved by you for your medical information, do you really expect your doctor to give them the third degree over exactly how they obtained that release from you?

Personally, I think it's remarkable that so many providers were apparently paying enough attention to notice some irregularity and question the requests.

"refused to comply"

[whoever57]

The bright spot in all this: In all but one case, the health care providers contacted for data refused to comply with PaymentsMD's requests.

Naturally. Those health care providers did not want any competition in selling their customers' data.

Seems logical

[EzInKy]

It just seems to make sense to me that a payer of medical bills would collect information that would confirm the validity of the bills that they were paying. Sharing that aforesaid information is a totally different ball of wax though.

BILLER, not PAYER

[jtara]

It just seems to make sense to me that a payer of medical bills would collect information that would confirm the validity of the bills that they were paying. Sharing that aforesaid information is a totally different ball of wax though.

No. did you bother to read the very first paragraph?

An online service allowing consumers to pay their medical bills failed to adequately inform them that it would also try to collect highly detailed medical information |from their pharmacies, medical labs and insurance companies, the U.S. Federal Trade Commission said.

They send out bills. Patients send them money. They send money to the doctor or hospital. They keep ledgers.

They don't need to know detailed medical information. They are acting as a billing agent for the doctor. They don't need to verify what the doctor did or what the patient had.

Re:

[cdrudge]

They send out bills. Patients send them money. They send money to the doctor or hospital. They keep ledgers.

They don't need to know detailed medical information.

Almost every bill that I've received has a diagnostic code on it, or a semi-detailed description of what the charge was for. My chiropractor bill showed which specific vertebrae was the focus of the adjustment. My dentist bill had that I had a cavity filled on a particular tooth. The supplier for my CPAP machine listed all the accessories I purchas

Re:

[mean pun]

Grow up.

And give us a report of at least 20 pages about the legal and societal differences between these two cases before Monday, or you'll go to bed without desert for two weeks.

Culture of lawlessness

[Anonymous Coward]

If PaymentMD is grabbing medical records, and telecoms are spying on their customers, and Uber is grabbing their location, apps they use, emails, SMSs and everything else in their mobile, its done for money.

On the one hand they know they can sell this data and make a healthy profit, on the other hand, they know the government is breaking all laws, lying in legal documents (parallel construction is perjury, the name tries to make it sound otherwise), so they really won't get punished.

So there is a market for

Who thought that's a good idea?

[gnasher719]

Someone in that company must have thought this is a good idea. Being in that line of business, they should have known that even with a user clicking on "consent", a health care provider giving them the information would be acting illegally. And then I wonder why did they want this information in the first place? You can't use it for anything that isn't again highly illegal.

Welcome to modern medicine

[Virtucon]

I can't believe that there was any legitimate reason to ever ask for this in the first place, meaning a few felonies have been committed. Hopefully the scumbags will be thrown in prison.