The FTC has announced that it has voted to approve the final orders to settle charges against PaymentsMD and its former CEO, Michael C. Hughes. Under the terms of the settlement, PaymentsMD and Hughes have agreed to destroy any collected patient data and to obtain affirmative express consent from patients before collecting their data from third parties. The FTC has chosen not impose a monetary fine on the company or Mr. Hughes. The Commission voted to approve the final orders 5-0.
The case raises important questions about the boundaries of consent when companies collect personal information from consumers. The FTC’s complaint alleges that the company violated consumers’ privacy by collecting personal medical information without their consent. It was not enough for the FTC that further consents were buried deep in the fine print, which many consumers unwittingly signed off on by clicking a check box. The FTC alleged this was insufficient disclosure, and that many consumers were under the false impression that their information would be used for billing purposes only. Requiring PaymentsMD to obtain express consent as it relates to obtaining patient information from third parties should go along way to ease the FTC’s concerns.