This spring, a number of websites were pledging to help people find elusive COVID-19 immunization appointments. Rebecca Gluskin, PhD, a statistician who worked on a recent report on potential misuse of health data during the COVID-19 pandemic, says some of them deserve close scrutiny as to how they use patient data.
One site, Dr B, did not book an appointment, but collected all the appointment site information needed to determine eligibility, such as the user’s date of birth, their cell phone number, occupation and a list of health issues. The site is still active and still asking the same questions, even now that age and occupation requirements have largely been eliminated from the vaccination process and it is easy for most people in the United States to do so. vaccinate.
A recent MIT Technology Review The investigation raised questions about how many people Dr. B helped find a date. âAfter weeks of research, I couldn’t identify a single person who managed to get vaccinated through the service,â said the author of the article.
Company founder Cyrus Massoumi, who was also co-founder and CEO of Zocdoc until 2015, declined to answer detailed questions but provided a brief statement: âDr. B only requests data directly. necessary to provide the service and protects this data in accordance with HIPAA standards, âhe said. âWe don’t sell patient data.
However, Dr. B’s privacy policy permits the sale of anonymized patient data: âWe may disclose aggregate information about our users and information that does not identify any individual, without restriction. ”
When asked about their data practices, several medical booking sites assured Consumer Reports that they behave responsibly, even though their privacy policies allow them to sell patient data. But there is at least one edifying account in recent industry history where a medical intermediary has crossed serious ethical and legal lines.
In 2013, a company called Practice Fusion unveiled what he called the largest doctor’s appointment site in the United States, Patient merger. But in 2016, the Federal Trade Commission alleged that the company deceptively solicited doctors’ opinions by emailing patients and asking for feedback on the quality of care they received, and then posting the responses on the website. Many patients believed the information was going to their healthcare providers and therefore included very personal information about their medications or conditions which was then released publicly by Fusion, according to the FTC. Patient Fusion has settled with the agency without admitting or denying the allegations, and has agreed to avoid such deceptive conduct in the future.
Worse, in 2020, Practice Fusion agreed to pay a $ 145 million settlement after U.S. officials alleged the company researched and received bribes from a pharmaceutical company to promote opioid use through a health records system it managed with the dating site medical. By that time, Practice Fusion had been acquired by another healthcare technology company, Allscripts. The new company’s settlement with the US government and states was well in excess of the $ 100 million the acquisition cost.
I spoke to Ryan Howard, co-founder and then CEO of Practice Fusion, in 2015 for a book I was writing on the patient data business. But when I contacted him recently for this article, he responded with a three-word email with my name and a two-word curse.
âIt’s a good illustration of the potential danger,â says Wynia of the University of Colorado, referring to both the terse email and the company’s history. When online entrepreneurs see a way to generate big profits in healthcare, the results can often be good for consumers, he admits, but you can also end up with a “toxic mix” that puts patients in the spotlight. danger.