Slashdot Mirror


FTC: Online Billing Service Deceptively Collected Medical Records

itwbennett writes: The FTC has reached a proposed settlement with PaymentsMD, an Atlanta health billing company that used the sign-up process for its billing service to surreptitiously seek customers' consent to obtain detailed medical information. The medical information PaymentsMD requested included customers' prescriptions, procedures, medical diagnoses, lab tests performed and their results, and other information, the FTC said. The bright spot in all this: In all but one case, the health care providers contacted for data refused to comply with PaymentsMD's requests.

14 of 25 comments

  1. I take it by msobkow · · Score: 2

    I take it the one medical provider who had the major screwup of providing such personal and private data has had their license revoked and is now out of business?

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:I take it by dbc · · Score: 1

      Eh, I think HIPPA (or whatever the acronym is..) only threatens you with draconian fines.

    2. Re:I take it by Njorthbiatr · · Score: 1

      So let's give them draconian fines.

    3. Re:I take it by Anonymous Coward · · Score: 1

      Criminal Penalties
      In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

    4. Re:I take it by cdrudge · · Score: 1

      But it sounds like the service did tell customers they were collecting the information, and required for the consent to do so. It was just buried in a kajillion screens of 6 lines of text each. Shady? Yes. Should be fined? Definitely. Criminally culpable to the point that the guilty need to serve a prison sentence? Eh... not so sure.

    5. Re:I take it by sribe · · Score: 3, Insightful

      I take it the one medical provider who had the major screwup of providing such personal and private data has had their license revoked and is now out of business?

      Why? If someone comes to your doctor with a release approved by you for your medical information, do you really expect your doctor to give them the third degree over exactly how they obtained that release from you?

      Personally, I think it's remarkable that so many providers were apparently paying enough attention to notice some irregularity and question the requests.

  2. "refused to comply" by whoever57 · · Score: 1

    The bright spot in all this: In all but one case, the health care providers contacted for data refused to comply with PaymentsMD's requests.

    Naturally. Those health care providers did not want any competition in selling their customers' data.

    --
    The real "Libtards" are the Libertarians!
  3. Seems logical by EzInKy · · Score: 1

    It just seems to make sense to me that a payer of medical bills would collect information that would confirm the validity of the bills that they were paying. Sharing that aforesaid information is a totally different ball of wax though.

    --
    Time is what keeps everything from happening all at once.
    1. Re:Seems logical by mean+pun · · Score: 1

      Grow up.

      And give us a report of at least 20 pages about the legal and societal differences between these two cases before Monday, or you'll go to bed without dessert for two weeks.

  4. BILLER, not PAYER by jtara · · Score: 2

    It just seems to make sense to me that a payer of medical bills would collect information that would confirm the validity of the bills that they were paying. Sharing that aforesaid information is a totally different ball of wax though.

    No. Did you bother to read the very first paragraph?

    An online service allowing consumers to pay their medical bills failed to adequately inform them that it would also try to collect highly detailed medical information from their pharmacies, medical labs and insurance companies, the U.S. Federal Trade Commission said.

    They send out bills. Patients send them money. They send money to the doctor or hospital. They keep ledgers.

    They don't need to know detailed medical information. They are acting as a billing agent for the doctor. They don't need to verify what the doctor did or what the patient had.

    1. Re:BILLER, not PAYER by cdrudge · · Score: 2

      They send out bills. Patients send them money. They send money to the doctor or hospital. They keep ledgers.

      They don't need to know detailed medical information.

      Almost every bill that I've received has a diagnostic code on it, or a semi-detailed description of what the charge was for. My chiropractor bill showed which specific vertebra was the focus of the adjustment. My dentist bill had that I had a cavity filled on a particular tooth. The supplier for my CPAP machine listed all the accessories I purchased for my sleep apnea. In all 3 cases, I paid my bill with my flexible spending account debit card, and my insurance company wanted a copy of the detailed bill to ensure compliance required by the IRS. If any of those 3 providers used a 3rd party billing company, that company would need to know what the charges were for to include in the invoice. They wouldn't need to know specific results of a lab, or what a prescription was written for (unless they were billing on behalf of say a mail-order pharmacy), but saying they don't need to know detailed medical information isn't completely true. They need to know more than just you owe $X to Dr. Smith.

  5. Culture of lawlessness by Anonymous Coward · · Score: 1

    If PaymentsMD is grabbing medical records, and telecoms are spying on their customers, and Uber is grabbing their location, apps they use, emails, SMSs and everything else in their mobile, it's done for money.

    On the one hand they know they can sell this data and make a healthy profit, on the other hand, they know the government is breaking all laws, lying in legal documents (parallel construction is perjury, the name tries to make it sound otherwise), so they really won't get punished.

    So there is a market for your private data, and a government that is probably the biggest buyer in that market, and law makers are ineffective, because every time someone suggests privacy laws, the spooks scream "terrorists" to cover their asses.

    It's like the wild-west all over again, only the Sheriff is the bad guy.

  6. Who thought that's a good idea? by gnasher719 · · Score: 1

    Someone in that company must have thought this is a good idea. Being in that line of business, they should have known that even with a user clicking on "consent", a health care provider giving them the information would be acting illegally. And then I wonder why did they want this information in the first place? You can't use it for anything that isn't again highly illegal.

  7. Welcome to modern medicine by Virtucon · · Score: 1

    I can't believe that there was any legitimate reason to ever ask for this in the first place, meaning a few felonies have been committed. Hopefully the scumbags will be thrown in prison.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"