Washington, DC - From a patient’s perspective, it was one of those “It seemed like a good idea at the time” innovations: a free online portal that lets people view their billing history with a number of different healthcare providers. But according to the FTC, Atlanta-based PaymentsMD, LLC and former CEO Michael C. Hughes signed consumers up for their service and then went on a medical information scavenger hunt without their permission.

Since 2008, PaymentsMD has offered online billing services for medical professionals. Providers who contract with PaymentsMD can send consumers to PaymentsMD’s site. Once there, consumers can pay the bill they owe to an individual provider by entering an invoice number and credit card information.

In December 2011, PaymentsMD launched a free Patient Portal where people could see their billing histories, check their payments, view their balances, etc., for any provider that used PaymentsMD’s services.

Not long after that, PaymentsMD teamed up with another company to develop a new fee-based service called Patient Health Report, where consumers could supposedly review and manage their consolidated health records through a Patient Portal account. To populate those reports, the companies needed access to a broad variety of highly sensitive health information about individual consumers – data that shouldn’t be collected without the person’s express informed consent.

But according to the FTC, people who tried to sign up for just the free Patient Portal billing service were enrolled in the new Patient Health Report service without their approval. How did that happen? As the complaint alleges, the enrollment page included a maze of four separate boxes to check, disclosures to read, and additional text to scroll down. Some of the boxes related to the free Patient Portal billing service. Others were “authorizations” that purported to let PaymentsMD get confidential health information about individual consumers from third parties as part of the separate Patient Health Report service. The page also let consumers click one box to agree to all four disclosures – including those giving the company permission to go looking for their full health history.

What wasn’t on the page, says the FTC, was a clear disclosure that the respondents intended to contact pharmacies, insurance companies, health plans, etc., to get highly personal data about consumers – medical procedures, prescriptions, diagnoses, lab tests, and the like.

As a result, more than 5,500 requests for consumers’ health information were sent to 31 companies. For example, requests for consumers’ prescription histories were sent to all major pharmacies near a person’s home even if there was no reason to believe he or she had ever used that pharmacy. The good news is that only one company fulfilled the request. The others declined to turn over the information, concerned about the validity of what they were being asked to do.

Were consumers peeved when they found out what was really going on? You bet they were. Once PaymentsMD began telling customers via email that it was collecting their personal health information for the new service, the company got an earful from people who said they had only registered to track their bills and didn’t want their medical data collected.

Under the terms of the proposed orders, PaymentsMD and former CEO Hughes can’t mislead consumers about how they collect and use information. In addition, they’ll need affirmative express consent before collecting health information about a consumer from a third party. They’ll also have to destroy any information gathered via the Patient Health Report service, which is no longer in business.
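To make the contrast concrete, here is an added example (not PaymentsMD's code, and not from the FTC) of a server-side consent gate that would have refused the kind of requests described above: a third-party records request is built only when the consumer gave separate affirmative express consent to that specific authorization, a single "agree to all" box does not count, and the recipient must be a provider the consumer actually named. The purpose names, the `mechanism` values and the `named_providers` field are assumptions for the illustration.

```python
from dataclasses import dataclass, field

# Purposes kept separate: the free billing portal vs. the three
# third-party authorizations that the Patient Health Report needed.
BILLING_PORTAL = "billing_portal"
THIRD_PARTY_PURPOSES = {"pharmacy_records", "insurer_records", "health_plan_records"}

@dataclass
class Consent:
    purpose: str
    granted: bool
    # "separate_checkbox": affirmative consent to this purpose alone.
    # "agree_all": one master box covering several disclosures at once.
    mechanism: str

@dataclass
class Consumer:
    consumer_id: str
    consents: list = field(default_factory=list)
    # Providers the consumer named themselves (assumed field); requests go
    # only to these, never to every pharmacy near the consumer's home.
    named_providers: set = field(default_factory=set)

class ConsentError(Exception):
    """Raised when a request would be sent without a valid basis."""

def has_express_consent(consumer, purpose):
    """Affirmative express consent: granted, and captured on its own checkbox."""
    return any(c.purpose == purpose and c.granted and c.mechanism == "separate_checkbox"
               for c in consumer.consents)

def build_records_request(consumer, purpose, recipient):
    """Produce a third-party records request, or refuse with ConsentError."""
    if purpose not in THIRD_PARTY_PURPOSES:
        raise ConsentError(f"{purpose!r} is not a third-party data purpose")
    if not has_express_consent(consumer, purpose):
        raise ConsentError(f"no affirmative express consent for {purpose!r}")
    if recipient not in consumer.named_providers:
        raise ConsentError(f"{recipient!r} was not named by the consumer")
    return {"consumer_id": consumer.consumer_id, "purpose": purpose, "recipient": recipient}

def demo():
    """Constructed sample: a bundled 'agree all' signup beside an unbundled one."""
    bundled = Consumer("c-001", [Consent(BILLING_PORTAL, True, "agree_all"),
                                 Consent("pharmacy_records", True, "agree_all")],
                       {"Example Pharmacy"})
    unbundled = Consumer("c-002", [Consent(BILLING_PORTAL, True, "separate_checkbox"),
                                   Consent("pharmacy_records", True, "separate_checkbox")],
                         {"Example Pharmacy"})
    results = {}
    for c in (bundled, unbundled):
        try:
            build_records_request(c, "pharmacy_records", "Example Pharmacy")
            results[c.consumer_id] = "sent"
        except ConsentError as e:
            results[c.consumer_id] = f"refused: {e}"
    return results
```

Running `demo()` refuses the bundled signup and allows the unbundled one; the same gate also blocks a request aimed at a pharmacy the consumer never named.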

You can file comments about the proposed settlements with PaymentsMD and Michael C. Hughes by January 2, 2015.

The message for marketers? Health information is a burgeoning business, but companies in it for the long haul understand the importance of transparency. To avoid a pain in the privacy, carefully explain to prospective customers what you’re doing, get express consent before collecting sensitive data, and live up to your promises.