(CN) - PaymentsMD, an Atlanta-based medical billing company, and its former CEO have settled claims they misled consumers in order to collect their personal health data, the Federal Trade Commission announced.
In a pair of complaints, the agency said PaymentsMD failed to adequately tell consumers who signed up for an online billing portal that it would seek highly detailed medical information on them from pharmacies, medical labs and insurance companies.
According to the filings, PaymentsMD operated a website where consumers could pay their medical bills. In 2012, the company and a third party began developing a separate service known as "Patient Health Report," designed to provide consumers with comprehensive online medical records.
In order to populate the medical records, though, the company first needed to acquire consumers' medical information. The complaints against PaymentsMD and former CEO Michael C. Hughes allege that the company altered the registration process for the billing portal to include permission for the company and its partners to contact healthcare providers to obtain their medical information.
The agency says the consumers consented to this collection by signing off on four authorizations that were presented in small windows on the webpage, displaying only six lines of the extensive text at a time, and could be accepted by clicking one box to agree to all four authorizations at once.
Consumers registering for the medical bill pay service would have reasonably believed that the authorizations were to be used for just that, the complaints say.
The information requested included the prescriptions, procedures, medical diagnoses, lab tests performed and the results of the tests, the agency says.
Under the terms of the settlements, PaymentsMD and Hughes, must destroy any information collected related to the "Patient Health Report" service. In addition, the defendants are banned from deceiving consumers about the way they collect and use information, including how information they collect might be shared with or collected from a third party, and they must obtain consumers' affirmative express consent before collecting health information about a consumer from a third party.
Read the Top 8
Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.