45 comments

[ 5.6 ms ] story [ 113 ms ] thread
I smell a doozy of a class-action lawsuit.

Seriously, if my local newspaper can hand-approve comments on their website, I'd think somebody working in the medical field should look into that approach.

That's what I don't get. You'd think if you were rolling out a new feature that you'd do a little QA for the first few days/weeks to make sure it's what you intended.
I am blown away by what people will post on the Internet. Sure, the company should have at least made it more clear that these reviews were being posted publicly. At best they probably shouldn't have asked for anything other than a star-rating for the doctor.

But the fact that someone would write "burning exists not only to me but to my lover as his penis contacts my vagina" at all on the Internet in any capacity is just amazing to me.

The feedback request, which headlines: "How was your visit?" and asks "please leave a review for your provider" is in a branded environment from a service that schedules every interaction from your doctor. It's pretty clear patients thought this was the Physician asking for a private review /w comments.

Lots of doctors these days use at-home surveys, medical assessment forms, and other "internet" data entry vehicles -- that it's done over the internet is exactly what makes the service valuable.

Someone was talking about an actual medical problem to someone thought to be employed by the medical doctor who had treated it. I don't share your amazement.
The internet is just another medium of communication. If my doctor insinuated that I could contact her privately and securely via e-mail, I would be willing to do that - sure beats taking the 45 minutes to get to her office, then waiting another 30 minutes to see her.

Now, it would take a lot to convince you and me that it would be private and secure - but we read HN, we're presumably devs. This is probably someone who is not particularly tech-savvy, and missed the warning signs, and just trusted WhateverFusion to deliver the message in a confidential manner.

This is one of the primary features of the company I'm with now, Patients Know Best. (Online communication with your doctor -- though not via email, because that cannot be secured properly). We're not free to hospitals/doctors, which means we don't have a business model pushing us to pull tricks like this.

We encrypt each patient's record separately, and would not be able to make any of this patient/professional communication public even if we wanted to. If the patient makes a mistake, they risk sending a message to the wrong one of their own doctors... but there's no chance of public exposure.

It's disheartening (but I'm afraid not very surprising) to see this kind of casual but disastrous breach of privacy -- this is the Facebook model of privacy handling, with vaguely positive goals papering over decisions that are unexpected and can be disastrous for some of the users.

The painful difference here is that Facebook made its worst missteps around handling mostly trivial communications between college kids. It's always been obvious on Facebook that some things are seen by lots of people, and it's not always clear who sees what. Compare that with Practice Fusion, who builds a website that medical institutions give to their patients -- many of whom will not be web-savvy teenagers by a long shot -- as a way to communicate with them (one would assume, privately). THEN they have one particular place on that website that seems to be for sending feedback to the doctor, where (if you don't read the tiny italicized print) you will unexpectedly be providing content for a completely public database of reviews.

Even if it had a large-print warning, most patients will not know this website is not paid for by their doctor; they will probably assume it was created by the practice itself, and they would assume its motivation for existing was to help them communicate with their doctor... so why even bother to read the fine print?

Communicating with doctors via email is fairly standard. And it involves typing into an internet-connected browser - typically through a proprietary mail interface, not gmail.

To the non-Hacker News reader, what these patients were asked to do by the startup must have looked very much like the communication they were already accustomed to having with their physician.

(The alternative is to go into the doctor's office for a fee of $40-250 every time you have the simplest question.)

    But if they're going to reap the benefit of the free system,
    they need to be transparent about their performance.
    -- Ryan Howard, CEO, Practice Fusion
He just summed up 21th century privacy: if you are not paying for it, you are the product. I wonder what the law thinks about medical data being the product.

(I love how the CEO is trying to say all of this is ok because they included some bullshit disclaimer in a bullshit agreement in a 20px textbox. Stuff simply doesn't apply.)

HIPAA is no joke. Even if this company is technically in the clear, being associated with a controversy like this is enough to keep doctors from using the service. Makes me wonder if they had any domain knowledge at all or just a "Yelp for doctors" pitch and some mumbo-jumbo about big data revolutionizing healthcare.
(I'm not a lawyer, but) I doubt they are in the clear. Sounds like they injected a public survey in a communication channel previously reserved for private interaction with their doctor. Perhaps the patient (state privacy law), doctor (business associates agreement), and the government (via HIPPA) have standing.

Under 42 USC § 1320d-5, penalties for wilful neglect are $10k per occurrence, up to 1.5M. There are also criminal penalties for up-to ten years for those who "knowingly" disclose individually identifiable health information for commercial advantage.

Ah, it's not willful, though. They apparently assumed that every single patient would read and understand the tiny, italicized grey print warning to not include personal information.
When companies advertise on TV that they automatically (patient need not request or accept each order) ship replenishment supplies for C-PAP based on eligibility... yeah... HIPPA is a joke.
How is that in any way related to HIPAA? The patient has to contact the company and give them their information. The company then bills their insurance. No one is exposing their private health information.
I'm pretty sure HIPAA made the rule that patients must accept everything billed to insurance (or something to that effect), so I think it makes sense that they would be responsible to making sure it's enforced.

Point being, HIPAA isn't taken very seriously.

HIPAA isn't taken seriously until shit hits the fan, much like FINRA or any other piece of alphabet soup.

I've seen companies closed over HIPAA violations, and I've seen folks go to jail. It's totally ok to ignore HIPAA until it isn't and by then it's too late.

Some people play chicken with the federal government and some don't. As always, it is up to your particular risk profile.

This looks bad. You really want to keep people's health data private for many reasons. I can see bad PR, anger, and even legal issues from this.
Seems company once it realizes it's in PR crisis mode should immediately:

- take down all problematic reviews, including any with an email or contact info, or other embarassing/private details. (Yes, someone will have to read them all.)

- reach out to all doctors and patients with a more formal opt-in to the review program (or suspend it until further notice)

- fix UI which implies patients are making a private doctor communication

- launch a HIPAA review of the whole program

At this point, they should be taking down all of the reviews, until they can go back and verify that the patients writing those reviews clearly understood that they were not meant to stay private.
I agree that they should just remove all the reviews at this point -- it's what a professional crisis management team would recommend, particularly since it's not even their core business. It's always stunning to me how otherwise smart CEOs like this fail to recognize when they're in very deep shit. I mean, these guys are facing not only major civil penalties but also possibly criminal charges as well.

This is an existential crisis for the company, and the attitude seems to be, "yeah, yeah, we'll take care of it".

Is it just that he's surrounded by all "yes" men, and no one is telling him how bad this all is? And clearly they've not hired a crisis management team, since the first thing one would do is make sure the CEO doesn't stupid blab things to the press, such as: "But if they're going to reap the benefit of the free system, they need to be transparent about their performance."

> The start-up also gets data on 75 million patients’ health conditions and prescriptions, which it de-identifies and then makes available to analysts, pharma companies, and market research types, who also pay.

How the hell is this allowed?

Has anyone tried to de-de-identify the data?

Proper anonymization of that kind of detailed data is a hard problem. There are PhDs and Post-docs and Professors working in that field, and it's non-trivial. Just removing PII won't get you very far, as is obvious by the contents of the reviews.

I don't know how concerned PF really is by all of this, but if they did care about patient privacy, then one would think that they should've done this all from the start with privacy in mind -- or, now, that they would start hiring a privacy red team to shake things up.

Unfortunately, given how non-existent privacy laws and norms are here in the states, I would be surprised if much changed.

HIPAA exists in the States.
While not well-known, this is quite common and legal practice. Insurance and pharma companies have been buying deidentified data for years now. It is usually only for the purposes of research. HIPAA itself has deidentification guidelines which must be followed. They aren't fool-proof though, there have been some successful attempts at reidentification. Ironically many of the contracts specify that you cannot try to reidentify the data you buy.
Too many companies are taking "do first, ask for permission later" to an extreme. (E.g. both Google and Facebook's privacy/sharing experiments.) And they're getting away with it. And to compete, others feel they have to do the same.
(comment deleted)
The reviews may be a bit embarrassing, if at all. Yet if you're doing nothing wrong, you've got nothing to hide. Besides, nobody's going to slog through the net to find out information about you.
I may have "done nothing wrong" and yet not want my medical records to be public, tagged by my name and/or email address.
Nobody slogs through the net right now about you (or me) because we're not worth the effort. In ten years time? Twenty years? What if one of us ends up under any kind of media spotlight?

Years ago I ran a website that made me notable enough to sustain the focused attention of a single dedicated person. They had no problem figuring out my address simply from bits of information I had (naively) published years before that. Don't underestimate the longevity of data.

- If health insurance companies know you're sick, they won't insure you.

- If airline companies know you have a good reason to travel, they're going to rise the price.

...

So yes, privacy is an issue.

1. Doesn't Obamacare help this problem?

2. An airline is going to single you out? I will believe it when I see it.

> 2. An airline is going to single you out [if they know you have a good reason to travel]? I will believe it when I see it.

That's what first-class seats are.

Obamacare hasn't kicked in yet.

The Republican party is already fighting to repeal it with everything they've got.

So, yeah, this could cause real problems for some people.

> if you're doing nothing wrong, you've got nothing to hide.

How is this a mentality that people sincerely still hold? It has been so thoroughly refuted and mocked so many times, I honestly though that was sarcasm and had to reread your comment to figure out why you were downvoted.

This is why doctors should get a liberal arts education instead of going "pre-med". So they learn classic humanities such as the "Trojan Horse"
Opt-out 'consent' is not consent in any meaningful way, so simply treat all of this data as obtained without consent and, well, it's clear from existing healthcare legislation on how to handle such distribution of data without explicit consent by an informed patient.

IMHO the startup should be happy if this ends up with just a bankruptcy of their company, instead of criminal charges for the individual people involved.

I agree. It's amazing that Practice Fusion stands by their claim that both doctors and patients have provided genuine consent.

If this, as the article suggests, is the interface where doctors go to opt-out of sending surveys, how can Practice Fusion claim that doctors knew what was happening? The interface seems intentionally designed to obscure what's happening. Note the text reads "[x] Enable follow-up messages" http://b-i.forbesimg.com/kashmirhill/files/2013/10/in-produc...

The patient-facing survey is hardly better. http://b-i.forbesimg.com/kashmirhill/files/2013/10/patient-r...

If I were a lawyer I'd go into full ambulance-chasing mode ASAP. I just feel bad for the unknowing doctors who were deceived, and will need to take time (and therefore take fewer appointments) in order to defend themselves formally.
How could all this stuff could go unnoticed for so many months or even a year some of them? I did a search and it is littered with private info that a hacker can figure out the identity of the writer fairly easily. Clearly nobody was reading the reviews or they would have been flagged and deleted. The PR person said they had never had a review flagged. Could it be the reason is because they fast tracked a way to produce user content that nobody was actually using to sell a ponzi scheme to KP for 70 Million? We all know on yelp that stuff would be taken down immediately. So how here is it all over the place and nobody knows about it? It can only be explained that nobody is reading it. Users can't login and delete posts? Did they even create logins? 2 Million reviews generated and a 70 Million dollar round in the valley just raised. The investors have got to look at the due diligence they did on this whole thing to give them that much money for what turns out to be a PR disaster.
I highly suggest adding Kashmir Hill's blog to your weekly reading. She does great coverage of privacy issues.
Hard to see how this doesn't end poorly. In addition to being a likely HIPAA violation, its hard to see how the patients won't view their privacy as having been violated, and the doctors won't see their trust/business relationship as having been violated. In both cases (of doctors and of patients) there's plenty of potential litigatory fuel, which, even if Practice Fusion wins, is a really poor use of ~140m in venture funding.