PaymentsMD, LLC; Analysis of Proposed Consent Order To Aid Public Comment, 73312-73314 [2014-28969]
Download as PDF
<![CDATA[
mstockstill on DSK4VPTVN1PROD with NOTICES
73312
Federal Register / Vol. 79, No. 237 / Wednesday, December 10, 2014 / Notices
their medical bills—and then used that
authority to attempt to collect a massive
amount of sensitive health information,
including treatment information, from
third parties without consumers’
knowledge or consent. Based on such
authorization, sensitive health
information about everyone who
registered for the Patient Portal was then
requested from a large number of health
plans, pharmacies, and a medical lab.
The first count of the Commission’s
complaint alleges that Hughes, through
his direction and control of
PaymentsMD, represented that
consumers registering for their free
Patient Portal billing service could
access and review their medical
payment history, but failed to disclose
adequately that PaymentsMD would
also engage in a comprehensive
collection of consumers’ sensitive
health information for a Patient Health
Report. The second count alleges that
Hughes, through his direction and
control of PaymentsMD, deceptively
represented that the consumers’
authorizations were to be used
exclusively to provide the billing
service.
The proposed order contains
provisions designed to prevent Hughes
from engaging in the future in practices
similar to those alleged in the
complaint. Part I prohibits Hughes or
any entity he owns or controls from
misrepresenting the extent to which he
or any entity he owns or controls uses,
maintains, and protects the privacy,
confidentiality, and security of covered
information collected from or about
consumers, including but not limited to
(1) the services for which consumers are
being enrolled as part of any sign-up
process; (2) the extent to which he will
share covered information with, or seek
covered information from, third parties;
and (3) the purpose(s) for which covered
information collected from third parties
will be used. Part II requires Hughes or
any entity he owns or controls to clearly
and prominently disclose practices
regarding the collection, use, storage,
disclosure or sharing of health
information prior to seeking
authorization to collect health
information from a third party, and to
obtain affirmative express consent from
consumers prior to collecting health
information from a third party.
Part III prohibits Hughes or any entity
he owns or controls from using,
collecting, or permitting any third party
to use or maintain any covered
information pursuant to any
authorization obtained prior to the date
of the order from consumers registering
for the Patient Portal. Hughes also must,
within sixty days, delete all covered
VerDate Sep<11>2014
17:48 Dec 09, 2014
Jkt 235001
information in his possession or control
that was collected in relation to the
Patient Health Report service.
Parts IV through VIII of the proposed
order are reporting and compliance
provisions. Part IV requires Hughes to
retain documents relating to his
compliance with the order. The order
requires that Hughes retain all of the
documents for a five-year period. Part V
requires dissemination of the order for
a period of five years to all current and
future subsidiaries, principals, officers,
directors, and managers, and to persons
with responsibilities relating to the
subject matter of the order for any
business that Hughes is the majority
owner of or controls directly or
indirectly. Part VI ensures notification,
for a period of five years, to the FTC of
changes to Hughes’ current business or
employment, or his affiliation with any
new business or employment. Part VII
mandates that Hughes submit a
compliance report to the FTC within 60
days, and periodically thereafter as
requested. Part VIII is a provision
‘‘sunsetting’’ the order after twenty (20)
years, with certain exceptions.
The purpose of this analysis is to
facilitate public comment on the
Consent Agreement, and it is not
intended to constitute an official
interpretation of the proposed Decision
and Order or to modify its terms in any
way.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2014–28973 Filed 12–9–14; 8:45 am]
BILLING CODE 6750–01–P
FEDERAL TRADE COMMISSION
[File No. 132 3088]
PaymentsMD, LLC; Analysis of
Proposed Consent Order To Aid Public
Comment
Federal Trade Commission.
Proposed consent agreement.
AGENCY:
ACTION:
The consent agreement in this
matter settles alleged violations of
federal law prohibiting deceptive acts or
practices. The attached Analysis to Aid
Public Comment describes both the
allegations in the draft complaint and
the terms of the consent order—
embodied in the consent agreement—
that would settle these allegations.
DATES: Comments must be received on
or before January 2, 2015.
ADDRESSES: Interested parties may file a
comment at https://
ftcpublic.commentworks.com/ftc/
paymentsmdllcconsent online or on
SUMMARY:
PO 00000
Frm 00036
Fmt 4703
Sfmt 4703
paper, by following the instructions in
the Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘PaymentsMD, LLC—
Consent Agreement; File No. 132 3088’’
on your comment and file your
comment online at https://
ftcpublic.commentworks.com/ftc/
paymentsmdllcconsent by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, write ‘‘PaymentsMD, LLC—
Consent Agreement; File No. 132 3088’’
on your comment and on the envelope,
and mail your comment to the following
address: Federal Trade Commission,
Office of the Secretary, 600
Pennsylvania Avenue NW., Suite CC–
5610 (Annex D), Washington, DC 20580,
or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW.,
5th Floor, Suite 5610 (Annex D),
Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
Jacqueline Connor, Bureau of Consumer
Protection, (202–326–2844), 600
Pennsylvania Avenue NW., Washington,
DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to Section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule 2.34, 16 CFR § 2.34, notice is
hereby given that the above-captioned
consent agreement containing consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for December 3, 2014), on
the World Wide Web, at https://
www.ftc.gov/os/actions.shtm.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before January 2, 2015. Write
‘‘PaymentsMD, LLC—Consent
Agreement; File No. 132 3088’’ on your
comment. Your comment—including
your name and your state—will be
placed on the public record of this
proceeding, including, to the extent
practicable, on the public Commission
Web site, at https://www.ftc.gov/os/
publiccomments.shtm. As a matter of
discretion, the Commission tries to
remove individuals’ home contact
information from comments before
placing them on the Commission Web
site.
E:\FR\FM\10DEN1.SGM
10DEN1
mstockstill on DSK4VPTVN1PROD with NOTICES
Federal Register / Vol. 79, No. 237 / Wednesday, December 10, 2014 / Notices
Because your comment will be made
public, you are solely responsible for
making sure that your comment does
not include any sensitive personal
information, like anyone’s Social
Security number, date of birth, driver’s
license number or other state
identification number or foreign country
equivalent, passport number, financial
account number, or credit or debit card
number. You are also solely responsible
for making sure that your comment does
not include any sensitive health
information, like medical records or
other individually identifiable health
information. In addition, do not include
any ‘‘[t]rade secret or any commercial or
financial information which . . . is
privileged or confidential,’’ as discussed
in Section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you have to follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).1 Your comment will be kept
confidential only if the FTC General
Counsel, in his or her sole discretion,
grants your request in accordance with
the law and the public interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
paymentsmdllcconsent by following the
instructions on the web-based form. If
this Notice appears at https://
www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write ‘‘PaymentsMD, LLC—Consent
Agreement; File No. 132 3088’’ on your
comment and on the envelope, and mail
your comment to the following address:
Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue,
NW., Suite CC–5610 (Annex D),
Washington, DC 20580, or deliver your
comment to the following address:
Federal Trade Commission, Office of the
1 In particular, the written request for confidential
treatment that accompanies the comment must
include the factual and legal basis for the request,
and must identify the specific portions of the
comment to be withheld from the public record. See
FTC Rule 4.9(c), 16 CFR 4.9(c).
VerDate Sep<11>2014
17:48 Dec 09, 2014
Jkt 235001
Secretary, Constitution Center, 400 7th
Street, SW., 5th Floor, Suite 5610
(Annex D), Washington, DC 20024. If
possible, submit your paper comment to
the Commission by courier or overnight
service.
Visit the Commission Web site at
https://www.ftc.gov to read this Notice
and the news release describing it. The
FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before January 2, 2015. You can find
more information, including routine
uses permitted by the Privacy Act, in
the Commission’s privacy policy, at
https://www.ftc.gov/ftc/privacy.htm.
Analysis of Proposed Consent Order To
Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, a
consent order applicable to
PaymentsMD, LLC (‘‘PaymentsMD’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
PaymentsMD’s principal line of
business is the delivery of electronic
billing records and the collection of
accounts receivable for medical
providers. In December 2011,
PaymentsMD launched a free ‘‘Patient
Portal’’ product that enabled consumers
to pay their bills and to view their
balance, payments made, adjustments
taken, and information for other service
dates.
The Commission’s complaint alleges
that PaymentsMD deceived consumers
regarding the collection of consumers’
sensitive health information from third
parties. In June 2012, PaymentsMD
entered into an agreement with Metis
Health LLC (‘‘Metis Health’’) to develop
an entirely new service called Patient
Health Report, a fee-based service that
would enable consumers to access,
review, and manage their consolidated
health records through a Patient Portal
account. In order to populate the Patient
Health Report, PaymentsMD obtained
consumers’ authorization to collect
sensitive health information for one
purpose—to track their medical bills—
and then used that authority to attempt
PO 00000
Frm 00037
Fmt 4703
Sfmt 4703
73313
to collect a massive amount of sensitive
health information, including treatment
information, from third parties without
consumers’ knowledge or consent.
Based on such authorization, sensitive
health information about everyone who
registered for the Patient Portal was then
requested from a large number of health
plans, pharmacies, and a medical lab.
The first count of the Commission’s
complaint alleges that PaymentsMD
represented that consumers registering
for their free Patient Portal billing
service could access and review their
medical payment history, but failed to
disclose adequately that PaymentsMD
would also engage in a comprehensive
collection of consumers’ sensitive
health information for a Patient Health
Report. The second count alleges that
PaymentsMD deceptively represented
that the consumers’ authorizations were
to be used exclusively to provide the
billing service.
The proposed order contains
provisions designed to prevent
PaymentsMD from engaging in the
future in practices similar to those
alleged in the complaint. Part I prohibits
PaymentsMD from making any future
misrepresentation regarding the extent
to which it uses, maintains, and protects
the privacy, confidentiality, and
security of covered information
collected from or about consumers,
including but not limited to: (1) The
services for which consumers are being
enrolled as part of any sign-up process;
(2) the extent to which PaymentsMD
will share covered information with, or
seek covered information from, third
parties; and (3) the purpose(s) for which
covered information collected from
third parties will be used. Part II
requires PaymentsMD to clearly and
prominently disclose its practices
regarding the collection, use, storage,
disclosure or sharing of health
information prior to seeking
authorization to collect health
information from a third party.
PaymentsMD must also obtain
affirmative express consent from
consumers prior to collecting health
information from a third party.
Part III prohibits PaymentsMD from
using, collecting, or permitting any third
party to use or collect any covered
information pursuant to any
authorization obtained prior to the date
of the order from consumers registering
for the Patient Portal, except for the
purpose of offering health-related billpayment or bill history services.
PaymentsMD also must, within sixty
days, delete all covered information that
was collected in relation to the Patient
Health Report service. (PaymentsMD
need not destroy the information related
E:\FR\FM\10DEN1.SGM
10DEN1
73314
Federal Register / Vol. 79, No. 237 / Wednesday, December 10, 2014 / Notices
to the bill-payment or bill history
services that consumers actually signed
up for.)
Parts IV through VIII of the proposed
order are reporting and compliance
provisions. Part IV requires
PaymentsMD to retain documents
relating to its compliance with the
order. The order requires that
PaymentsMD retain all of the
documents for a five-year period. Part V
requires dissemination of the order now
and in the future to all current and
future subsidiaries, principals, officers,
directors, and managers, and to persons
with responsibilities relating to the
subject matter of the order. Part VI
ensures notification to the FTC of
changes in corporate status. Part VII
mandates that PaymentsMD submit a
compliance report to the FTC within 60
days, and periodically thereafter as
requested. Part VIII is a provision
‘‘sunsetting’’ the order after twenty (20)
years, with certain exceptions.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2014–28969 Filed 12–9–14; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Office of the Secretary
Ebola Virus Disease Vaccines
Notice of Declaration under the
Public Readiness and Emergency
Preparedness Act.
ACTION:
The Secretary is issuing a
declaration pursuant to section 319F–3
of the Public Health Service Act (42
U.S.C. 247d–6d) to provide liability
protection for activities related to Ebola
Virus Disease Vaccines consistent with
the terms of the declaration.
DATES: The declaration is effective as of
December 3, 2014.
FOR FURTHER INFORMATION CONTACT:
Nicole Lurie, MD, MSPH, Assistant
Secretary for Preparedness and
Response, Office of the Secretary,
Department of Health and Human
Services, 200 Independence Avenue
SW., Washington, DC 20201, Telephone
(202) 205–2882 (this is not a toll-free
number).
SUPPLEMENTARY INFORMATION:
mstockstill on DSK4VPTVN1PROD with NOTICES
SUMMARY:
Background
The Public Readiness and Emergency
Preparedness Act (‘‘PREP Act’’)
authorizes the Secretary of Health and
Human Services (‘‘the Secretary’’) to
VerDate Sep<11>2014
17:48 Dec 09, 2014
Jkt 235001
issue a declaration to provide liability
immunity to certain individuals and
entities (‘‘Covered Persons’’) against any
claim of loss caused by, arising out of,
relating to, or resulting from the
administration or use of medical
countermeasures (‘‘Covered
Countermeasures’’), except for claims
that meet the PREP Act’s definition of
willful misconduct. Using this
authority, the Secretary is issuing a
declaration to provide liability
immunity to Covered Persons for
activities related to the Covered
Countermeasures, Ebola Virus Disease
Vaccines as listed in Section VI of the
Declaration, consistent with the terms of
this declaration.
The PREP Act was enacted on
December 30, 2005, as Public Law 109–
148, Division C, Section 2. It amended
the Public Health Service (‘‘PHS’’) Act,
adding section 319F–3, which addresses
liability immunity, and section 319F–4,
which creates a compensation program.
These sections are codified in the U.S.
Code as 42 U.S.C. 247d–6d and 42
U.S.C. 247d–6e, respectively.
The Pandemic and All-Hazards
Preparedness Reauthorization Act
(PAHPRA), Public Law 113–5, was
enacted on March 13, 2013. Among
other things, PAHPRA added sections
564A and 564B to the Federal Food,
Drug, & Cosmetic (FD&C) Act to provide
new emergency authorities for
dispensing approved products in
emergencies and products held for
emergency use. PAHPRA accordingly
amended the definitions of ‘‘Covered
Countermeasures’’ and ‘‘qualified
pandemic and epidemic products’’ in
section 319F–3 of the Public Health
Service Act (the PREP Act provisions),
so that products made available under
these new FD&C Act authorities could
be covered under PREP Act
declarations. PAHPRA also extended
the definition of qualified pandemic and
epidemic products that may be covered
under a PREP Act declaration to include
products or technologies intended to
enhance the use or effect of a drug,
biological product, or device used
against the pandemic or epidemic or
against adverse events from these
products.
The Ebola virus causes an acute,
serious illness that is often fatal. Since
March 2014, West Africa has been
experiencing the largest and most
complex Ebola outbreak since the Ebola
virus was first discovered in 1976,
affecting populations in multiple West
African Countries and travelers from
West Africa to the United States and
other countries. The World Health
Organization has declared the Ebola
Virus Disease Outbreak as a Public
PO 00000
Frm 00038
Fmt 4703
Sfmt 4703
Health Emergency of International
Concern (PHEIC) under the framework
of the International Health Regulations
(2005).
Unless otherwise noted, all statutory
citations below are to the U.S. Code.
Section I, Determination of Public
Health Emergency or Credible Risk of
Future Public Health Emergency
Before issuing a declaration under the
PREP Act, the Secretary is required to
determine that a disease or other health
condition or threat to health constitutes
a public health emergency or that there
is a credible risk that the disease,
condition, or threat may in the future
constitute such an emergency. This
determination is separate and apart from
a declaration issued by the Secretary
under section 319 of the PHS Act that
a disease or disorder presents a public
health emergency or that a public health
emergency, including significant
outbreaks of infectious diseases or
bioterrorist attacks, otherwise exists, or
other declarations or determinations
made under other authorities of the
Secretary. Accordingly, in Section I, the
Secretary determines that there is a
credible risk that the spread of Ebola
virus and the resulting disease may in
the future constitute a public health
emergency.
Section II, Factors Considered
In deciding whether and under what
circumstances to issue a declaration
with respect to a Covered
Countermeasure, the Secretary must
consider the desirability of encouraging
the design, development, clinical testing
or investigation, manufacture, labeling,
distribution, formulation, packaging,
marketing, promotion, sale, purchase,
donation, dispensing, prescribing,
administration, licensing, and use of the
countermeasure. In Section II, the
Secretary states that she has considered
these factors.
Section III, Recommended Activities
The Secretary must recommend the
activities for which the PREP Act’s
liability immunity is in effect. These
activities may include, under conditions
as the Secretary may specify, the
manufacture, testing, development,
distribution, administration, or use of
one or more Covered Countermeasures
(‘‘Recommended Activities’’). In Section
III, the Secretary recommends activities
for which the immunity is in effect.
Section IV, Liability Immunity
The Secretary must also state that
liability protections available under the
PREP Act are in effect with respect to
the Recommended Activities. These
E:\FR\FM\10DEN1.SGM
10DEN1
]]>Agencies
[Federal Register Volume 79, Number 237 (Wednesday, December 10, 2014)]
[Notices]
[Pages 73312-73314]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-28969]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 132 3088]
PaymentsMD, LLC; Analysis of Proposed Consent Order To Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting deceptive acts or practices. The
attached Analysis to Aid Public Comment describes both the allegations
in the draft complaint and the terms of the consent order--embodied in
the consent agreement--that would settle these allegations.
DATES: Comments must be received on or before January 2, 2015.
ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/paymentsmdllcconsent online or on paper,
by following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``PaymentsMD, LLC--
Consent Agreement; File No. 132 3088'' on your comment and file your
comment online at https://ftcpublic.commentworks.com/ftc/paymentsmdllcconsent by following the instructions on the web-based
form. If you prefer to file your comment on paper, write ``PaymentsMD,
LLC--Consent Agreement; File No. 132 3088'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Jacqueline Connor, Bureau of Consumer
Protection, (202-326-2844), 600 Pennsylvania Avenue NW., Washington, DC
20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR Sec.
2.34, notice is hereby given that the above-captioned consent agreement
containing consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for December 3, 2014), on the World Wide Web,
at https://www.ftc.gov/os/actions.shtm.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before January 2, 2015.
Write ``PaymentsMD, LLC--Consent Agreement; File No. 132 3088'' on your
comment. Your comment--including your name and your state--will be
placed on the public record of this proceeding, including, to the
extent practicable, on the public Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the
Commission tries to remove individuals' home contact information from
comments before placing them on the Commission Web site.
[[Page 73313]]
Because your comment will be made public, you are solely
responsible for making sure that your comment does not include any
sensitive personal information, like anyone's Social Security number,
date of birth, driver's license number or other state identification
number or foreign country equivalent, passport number, financial
account number, or credit or debit card number. You are also solely
responsible for making sure that your comment does not include any
sensitive health information, like medical records or other
individually identifiable health information. In addition, do not
include any ``[t]rade secret or any commercial or financial information
which . . . is privileged or confidential,'' as discussed in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential
treatment, you must file it in paper form, with a request for
confidential treatment, and you have to follow the procedure explained
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept
confidential only if the FTC General Counsel, in his or her sole
discretion, grants your request in accordance with the law and the
public interest.
---------------------------------------------------------------------------
\1\ In particular, the written request for confidential
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/paymentsmdllcconsent by following the instructions on the web-based
form. If this Notice appears at https://www.regulations.gov/#!home, you
also may file a comment through that Web site.
If you file your comment on paper, write ``PaymentsMD, LLC--Consent
Agreement; File No. 132 3088'' on your comment and on the envelope, and
mail your comment to the following address: Federal Trade Commission,
Office of the Secretary, 600 Pennsylvania Avenue, NW., Suite CC-5610
(Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street, SW., 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024. If possible, submit your paper comment to the
Commission by courier or overnight service.
Visit the Commission Web site at https://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before January 2, 2015. You can find more
information, including routine uses permitted by the Privacy Act, in
the Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent order applicable to PaymentsMD, LLC
(``PaymentsMD'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
PaymentsMD's principal line of business is the delivery of
electronic billing records and the collection of accounts receivable
for medical providers. In December 2011, PaymentsMD launched a free
``Patient Portal'' product that enabled consumers to pay their bills
and to view their balance, payments made, adjustments taken, and
information for other service dates.
The Commission's complaint alleges that PaymentsMD deceived
consumers regarding the collection of consumers' sensitive health
information from third parties. In June 2012, PaymentsMD entered into
an agreement with Metis Health LLC (``Metis Health'') to develop an
entirely new service called Patient Health Report, a fee-based service
that would enable consumers to access, review, and manage their
consolidated health records through a Patient Portal account. In order
to populate the Patient Health Report, PaymentsMD obtained consumers'
authorization to collect sensitive health information for one purpose--
to track their medical bills--and then used that authority to attempt
to collect a massive amount of sensitive health information, including
treatment information, from third parties without consumers' knowledge
or consent. Based on such authorization, sensitive health information
about everyone who registered for the Patient Portal was then requested
from a large number of health plans, pharmacies, and a medical lab.
The first count of the Commission's complaint alleges that
PaymentsMD represented that consumers registering for their free
Patient Portal billing service could access and review their medical
payment history, but failed to disclose adequately that PaymentsMD
would also engage in a comprehensive collection of consumers' sensitive
health information for a Patient Health Report. The second count
alleges that PaymentsMD deceptively represented that the consumers'
authorizations were to be used exclusively to provide the billing
service.
The proposed order contains provisions designed to prevent
PaymentsMD from engaging in the future in practices similar to those
alleged in the complaint. Part I prohibits PaymentsMD from making any
future misrepresentation regarding the extent to which it uses,
maintains, and protects the privacy, confidentiality, and security of
covered information collected from or about consumers, including but
not limited to: (1) The services for which consumers are being enrolled
as part of any sign-up process; (2) the extent to which PaymentsMD will
share covered information with, or seek covered information from, third
parties; and (3) the purpose(s) for which covered information collected
from third parties will be used. Part II requires PaymentsMD to clearly
and prominently disclose its practices regarding the collection, use,
storage, disclosure or sharing of health information prior to seeking
authorization to collect health information from a third party.
PaymentsMD must also obtain affirmative express consent from consumers
prior to collecting health information from a third party.
Part III prohibits PaymentsMD from using, collecting, or permitting
any third party to use or collect any covered information pursuant to
any authorization obtained prior to the date of the order from
consumers registering for the Patient Portal, except for the purpose of
offering health-related bill-payment or bill history services.
PaymentsMD also must, within sixty days, delete all covered information
that was collected in relation to the Patient Health Report service.
(PaymentsMD need not destroy the information related
[[Page 73314]]
to the bill-payment or bill history services that consumers actually
signed up for.)
Parts IV through VIII of the proposed order are reporting and
compliance provisions. Part IV requires PaymentsMD to retain documents
relating to its compliance with the order. The order requires that
PaymentsMD retain all of the documents for a five-year period. Part V
requires dissemination of the order now and in the future to all
current and future subsidiaries, principals, officers, directors, and
managers, and to persons with responsibilities relating to the subject
matter of the order. Part VI ensures notification to the FTC of changes
in corporate status. Part VII mandates that PaymentsMD submit a
compliance report to the FTC within 60 days, and periodically
thereafter as requested. Part VIII is a provision ``sunsetting'' the
order after twenty (20) years, with certain exceptions.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2014-28969 Filed 12-9-14; 8:45 am]
BILLING CODE 6750-01-P
