Most Australians are familiar with HealthEngine, the online platform which allows patients to make a booking with a health practitioner or practice and leave reviews following their consultation.
But what actually happens to the personal information which is submitted to HealthEngine? And how accurate are the reviews which are submitted by patients? Following initial concerns raised in 2018 relating to HealthEngine’s unauthorised disclosure of patient’s personal information to third parties, HealthEngine now finds itself the subject of legal proceedings in the Federal Court of Australia.
In August 2019, the Australian Competition and Consumer Commission (ACCC) commenced proceedings against HealthEngine alleging that HealthEngine engaged in misleading and deceptive conduct by:
- Manipulating the patient reviews it published;
- Misrepresenting to individuals why HealthEngine did not publish a rating for some health practices; and
- Giving the personal information of over 135,000 patients to private health insurance brokers (Insurance Brokers) for a fee without adequately disclosing to individuals that it would do so.
What is HealthEngine?
HealthEngine claims to be Australia’s largest online health marketplace which hosts an online directory listing over 70,000 health practitioners and practices across Australia.
Patients can log on to HealthEngine and make bookings for services provided by those health practitioners and practices and can publish reviews and ratings once they have received the health service.
Between March 2015 and March 2018, the ACCC alleges that HealthEngine refused to publish around 17,000 negative reviews and altered around 3,000 reviews to remove negative aspects, or embellish the reviews, before publishing them.
The ACCC has provided a number of examples of reviews which have been significantly altered by HealthEngine. By way of example, the ACCC says the following feedback was provided to HealthEngine by a patient on 21 June 2015:
‘Happy with experience although reception needs thorough cleaning. Old chairs need thorough cleaning / scrubbing. I keep thinking how unsanitary they looked.’
Instead of publishing the original feedback received, it is alleged that HealthEngine published ‘Happy with experience’.
Disclosing Patient Information
It is also alleged that HealthEngine had arrangements with nine different Insurance Brokers where HealthEngine received a fee from the Insurance Brokers for referring patients to them.
The ACCC alleges that during the online booking process, HealthEngine had a practice of asking patients whether they had private health insurance. Regardless of whether the patient answered ‘yes’ or ‘no’, they were asked whether they wished to receive a call about health insurance comparison services. If the patient answered ‘yes’ and then booked an appointment with a health practice, HealthEngine provided the patient’s information to the Insurance Brokers.
The personal information which was provided to the Insurance Brokers included the patient’s name, phone number, email address, date or year of birth, appointment type, type of health care practice the patient had made a booking with, and whether or not the patient had private health insurance.
It is alleged HealthEngine used language whish suggested that HealthEngine itself provided the health insurance services and did not adequately disclose that the patient’s personal information would be sent to one of the Insurance Brokers or that HealthEngine would receive a payment for doing so.
The ACCC is seeking penalties, declarations, corrective notices, an order for HealthEngine to review its compliance program, and an order requiring HealthEngine to contact affected individuals and provide details of how they can recover control of their personal information.
This understandably has a significant impact on HealthEngine’s reputation. HealthEngine’s public position with respect to the ACCC’s allegations is that its fast business growth has not been able to keep up with its systems and it has pledged to rebuild trust with those who use HealthEngine.
Interaction with Privacy laws
Whether or not the ACCC is successful in proving the allegations of misleading and deceptive conduct will be interesting for the health sector especially in the wider context of a number of other developments in the privacy space with regard to the disclosure of personal information and individuals’ ongoing concerns about privacy.
The ACCC’s Digital Platforms Inquiry released in July 2019 looked closely at the relationship between consumers and digital platforms (such as those using HealthEngine). It has made a number of recommendations relating to privacy regulation. The Inquiry stressed the importance of ensuring that consumers receive transparent, accurate and comprehensible information regarding data practices especially in the consumer space.
Further, it comes at a time when the Privacy Act 1988 (Cth) is likely to be significantly amended to strengthen consent and notification requirements as well as penalties. It is likely the requirements will impose stricter obligations on organisations to inform individuals about how their personal information will be used and disclosed, and that appropriate consent is obtained prior to any personal information being collected.
How Could This Affect You?
These proceedings have the potential to impact health practitioners and practices who appear on HealthEngine as well as patients who have used HealthEngine in the past.
It is also an important reminder for all health practitioners and practices to ensure they are completely open and transparent with patients, do not engage in misleading or deceptive conduct and are aware of their privacy obligations when it comes to disclosing patient information. This includes ensuring that Privacy Policies, Consent Forms and Data Breach Response Plans are up to date to comply with legislative requirements.
This article was written by Karen Keogh, Partner and Patricia Marinovic, Associate.