PaymentsMD, LLC; Analysis of Proposed Consent Order To Aid Public Comment, 73312-73314 [2014-28969]

Download as PDF mstockstill on DSK4VPTVN1PROD with NOTICES 73312 Federal Register / Vol. 79, No. 237 / Wednesday, December 10, 2014 / Notices their medical bills—and then used that authority to attempt to collect a massive amount of sensitive health information, including treatment information, from third parties without consumers’ knowledge or consent. Based on such authorization, sensitive health information about everyone who registered for the Patient Portal was then requested from a large number of health plans, pharmacies, and a medical lab. The first count of the Commission’s complaint alleges that Hughes, through his direction and control of PaymentsMD, represented that consumers registering for their free Patient Portal billing service could access and review their medical payment history, but failed to disclose adequately that PaymentsMD would also engage in a comprehensive collection of consumers’ sensitive health information for a Patient Health Report. The second count alleges that Hughes, through his direction and control of PaymentsMD, deceptively represented that the consumers’ authorizations were to be used exclusively to provide the billing service. The proposed order contains provisions designed to prevent Hughes from engaging in the future in practices similar to those alleged in the complaint. Part I prohibits Hughes or any entity he owns or controls from misrepresenting the extent to which he or any entity he owns or controls uses, maintains, and protects the privacy, confidentiality, and security of covered information collected from or about consumers, including but not limited to (1) the services for which consumers are being enrolled as part of any sign-up process; (2) the extent to which he will share covered information with, or seek covered information from, third parties; and (3) the purpose(s) for which covered information collected from third parties will be used. Part II requires Hughes or any entity he owns or controls to clearly and prominently disclose practices regarding the collection, use, storage, disclosure or sharing of health information prior to seeking authorization to collect health information from a third party, and to obtain affirmative express consent from consumers prior to collecting health information from a third party. Part III prohibits Hughes or any entity he owns or controls from using, collecting, or permitting any third party to use or maintain any covered information pursuant to any authorization obtained prior to the date of the order from consumers registering for the Patient Portal. Hughes also must, within sixty days, delete all covered VerDate Sep<11>2014 17:48 Dec 09, 2014 Jkt 235001 information in his possession or control that was collected in relation to the Patient Health Report service. Parts IV through VIII of the proposed order are reporting and compliance provisions. Part IV requires Hughes to retain documents relating to his compliance with the order. The order requires that Hughes retain all of the documents for a five-year period. Part V requires dissemination of the order for a period of five years to all current and future subsidiaries, principals, officers, directors, and managers, and to persons with responsibilities relating to the subject matter of the order for any business that Hughes is the majority owner of or controls directly or indirectly. Part VI ensures notification, for a period of five years, to the FTC of changes to Hughes’ current business or employment, or his affiliation with any new business or employment. Part VII mandates that Hughes submit a compliance report to the FTC within 60 days, and periodically thereafter as requested. Part VIII is a provision ‘‘sunsetting’’ the order after twenty (20) years, with certain exceptions. The purpose of this analysis is to facilitate public comment on the Consent Agreement, and it is not intended to constitute an official interpretation of the proposed Decision and Order or to modify its terms in any way. By direction of the Commission. Donald S. Clark, Secretary. [FR Doc. 2014–28973 Filed 12–9–14; 8:45 am] BILLING CODE 6750–01–P FEDERAL TRADE COMMISSION [File No. 132 3088] PaymentsMD, LLC; Analysis of Proposed Consent Order To Aid Public Comment Federal Trade Commission. Proposed consent agreement. AGENCY: ACTION: The consent agreement in this matter settles alleged violations of federal law prohibiting deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order— embodied in the consent agreement— that would settle these allegations. DATES: Comments must be received on or before January 2, 2015. ADDRESSES: Interested parties may file a comment at https:// ftcpublic.commentworks.com/ftc/ paymentsmdllcconsent online or on SUMMARY: PO 00000 Frm 00036 Fmt 4703 Sfmt 4703 paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write ‘‘PaymentsMD, LLC— Consent Agreement; File No. 132 3088’’ on your comment and file your comment online at https:// ftcpublic.commentworks.com/ftc/ paymentsmdllcconsent by following the instructions on the web-based form. If you prefer to file your comment on paper, write ‘‘PaymentsMD, LLC— Consent Agreement; File No. 132 3088’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC– 5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: Jacqueline Connor, Bureau of Consumer Protection, (202–326–2844), 600 Pennsylvania Avenue NW., Washington, DC 20580. SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR § 2.34, notice is hereby given that the above-captioned consent agreement containing consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for December 3, 2014), on the World Wide Web, at http:// www.ftc.gov/os/actions.shtm. You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before January 2, 2015. Write ‘‘PaymentsMD, LLC—Consent Agreement; File No. 132 3088’’ on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/ publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals’ home contact information from comments before placing them on the Commission Web site. E:\FR\FM\10DEN1.SGM 10DEN1 mstockstill on DSK4VPTVN1PROD with NOTICES Federal Register / Vol. 79, No. 237 / Wednesday, December 10, 2014 / Notices Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone’s Social Security number, date of birth, driver’s license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any ‘‘[t]rade secret or any commercial or financial information which . . . is privileged or confidential,’’ as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).1 Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest. Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https:// ftcpublic.commentworks.com/ftc/ paymentsmdllcconsent by following the instructions on the web-based form. If this Notice appears at http:// www.regulations.gov/#!home, you also may file a comment through that Web site. If you file your comment on paper, write ‘‘PaymentsMD, LLC—Consent Agreement; File No. 132 3088’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue, NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the 1 In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c). VerDate Sep<11>2014 17:48 Dec 09, 2014 Jkt 235001 Secretary, Constitution Center, 400 7th Street, SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service. Visit the Commission Web site at http://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before January 2, 2015. You can find more information, including routine uses permitted by the Privacy Act, in the Commission’s privacy policy, at http://www.ftc.gov/ftc/privacy.htm. Analysis of Proposed Consent Order To Aid Public Comment The Federal Trade Commission has accepted, subject to final approval, a consent order applicable to PaymentsMD, LLC (‘‘PaymentsMD’’). The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement’s proposed order. PaymentsMD’s principal line of business is the delivery of electronic billing records and the collection of accounts receivable for medical providers. In December 2011, PaymentsMD launched a free ‘‘Patient Portal’’ product that enabled consumers to pay their bills and to view their balance, payments made, adjustments taken, and information for other service dates. The Commission’s complaint alleges that PaymentsMD deceived consumers regarding the collection of consumers’ sensitive health information from third parties. In June 2012, PaymentsMD entered into an agreement with Metis Health LLC (‘‘Metis Health’’) to develop an entirely new service called Patient Health Report, a fee-based service that would enable consumers to access, review, and manage their consolidated health records through a Patient Portal account. In order to populate the Patient Health Report, PaymentsMD obtained consumers’ authorization to collect sensitive health information for one purpose—to track their medical bills— and then used that authority to attempt PO 00000 Frm 00037 Fmt 4703 Sfmt 4703 73313 to collect a massive amount of sensitive health information, including treatment information, from third parties without consumers’ knowledge or consent. Based on such authorization, sensitive health information about everyone who registered for the Patient Portal was then requested from a large number of health plans, pharmacies, and a medical lab. The first count of the Commission’s complaint alleges that PaymentsMD represented that consumers registering for their free Patient Portal billing service could access and review their medical payment history, but failed to disclose adequately that PaymentsMD would also engage in a comprehensive collection of consumers’ sensitive health information for a Patient Health Report. The second count alleges that PaymentsMD deceptively represented that the consumers’ authorizations were to be used exclusively to provide the billing service. The proposed order contains provisions designed to prevent PaymentsMD from engaging in the future in practices similar to those alleged in the complaint. Part I prohibits PaymentsMD from making any future misrepresentation regarding the extent to which it uses, maintains, and protects the privacy, confidentiality, and security of covered information collected from or about consumers, including but not limited to: (1) The services for which consumers are being enrolled as part of any sign-up process; (2) the extent to which PaymentsMD will share covered information with, or seek covered information from, third parties; and (3) the purpose(s) for which covered information collected from third parties will be used. Part II requires PaymentsMD to clearly and prominently disclose its practices regarding the collection, use, storage, disclosure or sharing of health information prior to seeking authorization to collect health information from a third party. PaymentsMD must also obtain affirmative express consent from consumers prior to collecting health information from a third party. Part III prohibits PaymentsMD from using, collecting, or permitting any third party to use or collect any covered information pursuant to any authorization obtained prior to the date of the order from consumers registering for the Patient Portal, except for the purpose of offering health-related billpayment or bill history services. PaymentsMD also must, within sixty days, delete all covered information that was collected in relation to the Patient Health Report service. (PaymentsMD need not destroy the information related E:\FR\FM\10DEN1.SGM 10DEN1 73314 Federal Register / Vol. 79, No. 237 / Wednesday, December 10, 2014 / Notices to the bill-payment or bill history services that consumers actually signed up for.) Parts IV through VIII of the proposed order are reporting and compliance provisions. Part IV requires PaymentsMD to retain documents relating to its compliance with the order. The order requires that PaymentsMD retain all of the documents for a five-year period. Part V requires dissemination of the order now and in the future to all current and future subsidiaries, principals, officers, directors, and managers, and to persons with responsibilities relating to the subject matter of the order. Part VI ensures notification to the FTC of changes in corporate status. Part VII mandates that PaymentsMD submit a compliance report to the FTC within 60 days, and periodically thereafter as requested. Part VIII is a provision ‘‘sunsetting’’ the order after twenty (20) years, with certain exceptions. By direction of the Commission. Donald S. Clark, Secretary. [FR Doc. 2014–28969 Filed 12–9–14; 8:45 am] BILLING CODE 6750–01–P DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary Ebola Virus Disease Vaccines Notice of Declaration under the Public Readiness and Emergency Preparedness Act. ACTION: The Secretary is issuing a declaration pursuant to section 319F–3 of the Public Health Service Act (42 U.S.C. 247d–6d) to provide liability protection for activities related to Ebola Virus Disease Vaccines consistent with the terms of the declaration. DATES: The declaration is effective as of December 3, 2014. FOR FURTHER INFORMATION CONTACT: Nicole Lurie, MD, MSPH, Assistant Secretary for Preparedness and Response, Office of the Secretary, Department of Health and Human Services, 200 Independence Avenue SW., Washington, DC 20201, Telephone (202) 205–2882 (this is not a toll-free number). SUPPLEMENTARY INFORMATION: mstockstill on DSK4VPTVN1PROD with NOTICES SUMMARY: Background The Public Readiness and Emergency Preparedness Act (‘‘PREP Act’’) authorizes the Secretary of Health and Human Services (‘‘the Secretary’’) to VerDate Sep<11>2014 17:48 Dec 09, 2014 Jkt 235001 issue a declaration to provide liability immunity to certain individuals and entities (‘‘Covered Persons’’) against any claim of loss caused by, arising out of, relating to, or resulting from the administration or use of medical countermeasures (‘‘Covered Countermeasures’’), except for claims that meet the PREP Act’s definition of willful misconduct. Using this authority, the Secretary is issuing a declaration to provide liability immunity to Covered Persons for activities related to the Covered Countermeasures, Ebola Virus Disease Vaccines as listed in Section VI of the Declaration, consistent with the terms of this declaration. The PREP Act was enacted on December 30, 2005, as Public Law 109– 148, Division C, Section 2. It amended the Public Health Service (‘‘PHS’’) Act, adding section 319F–3, which addresses liability immunity, and section 319F–4, which creates a compensation program. These sections are codified in the U.S. Code as 42 U.S.C. 247d–6d and 42 U.S.C. 247d–6e, respectively. The Pandemic and All-Hazards Preparedness Reauthorization Act (PAHPRA), Public Law 113–5, was enacted on March 13, 2013. Among other things, PAHPRA added sections 564A and 564B to the Federal Food, Drug, & Cosmetic (FD&C) Act to provide new emergency authorities for dispensing approved products in emergencies and products held for emergency use. PAHPRA accordingly amended the definitions of ‘‘Covered Countermeasures’’ and ‘‘qualified pandemic and epidemic products’’ in section 319F–3 of the Public Health Service Act (the PREP Act provisions), so that products made available under these new FD&C Act authorities could be covered under PREP Act declarations. PAHPRA also extended the definition of qualified pandemic and epidemic products that may be covered under a PREP Act declaration to include products or technologies intended to enhance the use or effect of a drug, biological product, or device used against the pandemic or epidemic or against adverse events from these products. The Ebola virus causes an acute, serious illness that is often fatal. Since March 2014, West Africa has been experiencing the largest and most complex Ebola outbreak since the Ebola virus was first discovered in 1976, affecting populations in multiple West African Countries and travelers from West Africa to the United States and other countries. The World Health Organization has declared the Ebola Virus Disease Outbreak as a Public PO 00000 Frm 00038 Fmt 4703 Sfmt 4703 Health Emergency of International Concern (PHEIC) under the framework of the International Health Regulations (2005). Unless otherwise noted, all statutory citations below are to the U.S. Code. Section I, Determination of Public Health Emergency or Credible Risk of Future Public Health Emergency Before issuing a declaration under the PREP Act, the Secretary is required to determine that a disease or other health condition or threat to health constitutes a public health emergency or that there is a credible risk that the disease, condition, or threat may in the future constitute such an emergency. This determination is separate and apart from a declaration issued by the Secretary under section 319 of the PHS Act that a disease or disorder presents a public health emergency or that a public health emergency, including significant outbreaks of infectious diseases or bioterrorist attacks, otherwise exists, or other declarations or determinations made under other authorities of the Secretary. Accordingly, in Section I, the Secretary determines that there is a credible risk that the spread of Ebola virus and the resulting disease may in the future constitute a public health emergency. Section II, Factors Considered In deciding whether and under what circumstances to issue a declaration with respect to a Covered Countermeasure, the Secretary must consider the desirability of encouraging the design, development, clinical testing or investigation, manufacture, labeling, distribution, formulation, packaging, marketing, promotion, sale, purchase, donation, dispensing, prescribing, administration, licensing, and use of the countermeasure. In Section II, the Secretary states that she has considered these factors. Section III, Recommended Activities The Secretary must recommend the activities for which the PREP Act’s liability immunity is in effect. These activities may include, under conditions as the Secretary may specify, the manufacture, testing, development, distribution, administration, or use of one or more Covered Countermeasures (‘‘Recommended Activities’’). In Section III, the Secretary recommends activities for which the immunity is in effect. Section IV, Liability Immunity The Secretary must also state that liability protections available under the PREP Act are in effect with respect to the Recommended Activities. These E:\FR\FM\10DEN1.SGM 10DEN1

Agencies

[Federal Register Volume 79, Number 237 (Wednesday, December 10, 2014)]
[Notices]
[Pages 73312-73314]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-28969]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 132 3088]


PaymentsMD, LLC; Analysis of Proposed Consent Order To Aid Public 
Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting deceptive acts or practices. The 
attached Analysis to Aid Public Comment describes both the allegations 
in the draft complaint and the terms of the consent order--embodied in 
the consent agreement--that would settle these allegations.

DATES: Comments must be received on or before January 2, 2015.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/paymentsmdllcconsent online or on paper, 
by following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``PaymentsMD, LLC--
Consent Agreement; File No. 132 3088'' on your comment and file your 
comment online at https://ftcpublic.commentworks.com/ftc/paymentsmdllcconsent by following the instructions on the web-based 
form. If you prefer to file your comment on paper, write ``PaymentsMD, 
LLC--Consent Agreement; File No. 132 3088'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite 
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Jacqueline Connor, Bureau of Consumer 
Protection, (202-326-2844), 600 Pennsylvania Avenue NW., Washington, DC 
20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR Sec.  
2.34, notice is hereby given that the above-captioned consent agreement 
containing consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for December 3, 2014), on the World Wide Web, 
at http://www.ftc.gov/os/actions.shtm.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before January 2, 2015. 
Write ``PaymentsMD, LLC--Consent Agreement; File No. 132 3088'' on your 
comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to the 
extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the 
Commission tries to remove individuals' home contact information from 
comments before placing them on the Commission Web site.

[[Page 73313]]

    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment does not include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which . . . is privileged or confidential,'' as discussed in Section 
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 
4.10(a)(2). In particular, do not include competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \1\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/paymentsmdllcconsent by following the instructions on the web-based 
form. If this Notice appears at http://www.regulations.gov/#!home, you 
also may file a comment through that Web site.
    If you file your comment on paper, write ``PaymentsMD, LLC--Consent 
Agreement; File No. 132 3088'' on your comment and on the envelope, and 
mail your comment to the following address: Federal Trade Commission, 
Office of the Secretary, 600 Pennsylvania Avenue, NW., Suite CC-5610 
(Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street, SW., 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024. If possible, submit your paper comment to the 
Commission by courier or overnight service.
    Visit the Commission Web site at http://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before January 2, 2015. You can find more 
information, including routine uses permitted by the Privacy Act, in 
the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, a consent order applicable to PaymentsMD, LLC 
(``PaymentsMD'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreement and the comments received, and will decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    PaymentsMD's principal line of business is the delivery of 
electronic billing records and the collection of accounts receivable 
for medical providers. In December 2011, PaymentsMD launched a free 
``Patient Portal'' product that enabled consumers to pay their bills 
and to view their balance, payments made, adjustments taken, and 
information for other service dates.
    The Commission's complaint alleges that PaymentsMD deceived 
consumers regarding the collection of consumers' sensitive health 
information from third parties. In June 2012, PaymentsMD entered into 
an agreement with Metis Health LLC (``Metis Health'') to develop an 
entirely new service called Patient Health Report, a fee-based service 
that would enable consumers to access, review, and manage their 
consolidated health records through a Patient Portal account. In order 
to populate the Patient Health Report, PaymentsMD obtained consumers' 
authorization to collect sensitive health information for one purpose--
to track their medical bills--and then used that authority to attempt 
to collect a massive amount of sensitive health information, including 
treatment information, from third parties without consumers' knowledge 
or consent. Based on such authorization, sensitive health information 
about everyone who registered for the Patient Portal was then requested 
from a large number of health plans, pharmacies, and a medical lab.
    The first count of the Commission's complaint alleges that 
PaymentsMD represented that consumers registering for their free 
Patient Portal billing service could access and review their medical 
payment history, but failed to disclose adequately that PaymentsMD 
would also engage in a comprehensive collection of consumers' sensitive 
health information for a Patient Health Report. The second count 
alleges that PaymentsMD deceptively represented that the consumers' 
authorizations were to be used exclusively to provide the billing 
service.
    The proposed order contains provisions designed to prevent 
PaymentsMD from engaging in the future in practices similar to those 
alleged in the complaint. Part I prohibits PaymentsMD from making any 
future misrepresentation regarding the extent to which it uses, 
maintains, and protects the privacy, confidentiality, and security of 
covered information collected from or about consumers, including but 
not limited to: (1) The services for which consumers are being enrolled 
as part of any sign-up process; (2) the extent to which PaymentsMD will 
share covered information with, or seek covered information from, third 
parties; and (3) the purpose(s) for which covered information collected 
from third parties will be used. Part II requires PaymentsMD to clearly 
and prominently disclose its practices regarding the collection, use, 
storage, disclosure or sharing of health information prior to seeking 
authorization to collect health information from a third party. 
PaymentsMD must also obtain affirmative express consent from consumers 
prior to collecting health information from a third party.
    Part III prohibits PaymentsMD from using, collecting, or permitting 
any third party to use or collect any covered information pursuant to 
any authorization obtained prior to the date of the order from 
consumers registering for the Patient Portal, except for the purpose of 
offering health-related bill-payment or bill history services. 
PaymentsMD also must, within sixty days, delete all covered information 
that was collected in relation to the Patient Health Report service. 
(PaymentsMD need not destroy the information related

[[Page 73314]]

to the bill-payment or bill history services that consumers actually 
signed up for.)
    Parts IV through VIII of the proposed order are reporting and 
compliance provisions. Part IV requires PaymentsMD to retain documents 
relating to its compliance with the order. The order requires that 
PaymentsMD retain all of the documents for a five-year period. Part V 
requires dissemination of the order now and in the future to all 
current and future subsidiaries, principals, officers, directors, and 
managers, and to persons with responsibilities relating to the subject 
matter of the order. Part VI ensures notification to the FTC of changes 
in corporate status. Part VII mandates that PaymentsMD submit a 
compliance report to the FTC within 60 days, and periodically 
thereafter as requested. Part VIII is a provision ``sunsetting'' the 
order after twenty (20) years, with certain exceptions.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2014-28969 Filed 12-9-14; 8:45 am]
BILLING CODE 6750-01-P