ACCC v HealthEngine
Since its inception, the medical booking and referral app HealthEngine has been plagued with compliance challenges relating to the Privacy Act and the National Law.
Back in 2018, we expressed some concerns relating to breaches of the Privacy Act, as well as ongoing investigations relating to potential breaches of the Australian Consumer Law for editing reviews. You can read our 2018 blog ‘What You Need to Know About HealthEngine’.
On 20 August 2020, those investigations were brought to a close in the Federal Court where HealthEngine was found guilty of misleading and deceptive conduct, making false representations and engaging in conduct that was liable to mislead the public as to the nature of their services.
What was the breach?
The Australian Competition and Consumer Commissioner (ACCC) brought charges against HealthEngine for multiple breaches of the Australian Consumer Law.
The charges related to conduct between March 2015 and March 2018.
HealthEngine was found to have a standard practice of not publishing negative patient reviews and editing negative feedback to make it seem more favourable before it was published. The Court found that this constituted misleading and deceptive conduct and false representations pursuant to the Consumer Law.
Where a medical practice had less than 80% of patients who would recommend that practice, HealthEngine withheld the rating entirely, informing users that there was insufficient data to calculate patient satisfaction. The Court again found that this was misleading and deceptive conduct and that HealthEngine made false representations as to the quality or value of its service.
HealthEngine collected personal information from patients who used the platform, as well as from booking widgets on practice websites. Users were asked if they wished to receive a call in relation to health insurance services. The Court held that the conduct was likely to cause patients to believe that HealthEngine itself provided health insurance-related services, when in fact the information was sold to external health insurance brokers. HealthEngine was found guilty of engaging in conduct that was liable to mislead the public as to the nature of its services. It faced additional separate proceedings in relation to the Privacy Act breaches.
In total, HealthEngine was ordered to pay $2.9 million in penalties plus $50,000 towards the ACCC's costs. It was also subject to non-financial penalties, such as annual external compliance reviews, and was ordered to contact every patient who was referred to an external insurance broker.
What do we do now?
As a health provider, you have an obligation to comply not only with the Consumer Law and Privacy Act but also with your advertising obligations under the National Law.
The HealthEngine case is also an important and timely reminder that patient information is vulnerable to exploitation.
In light of the ACCC v HealthEngine case, now might be a good time to evaluate your relationships with any review platforms and consider whether your practice meets the standards that would be expected by your patients.
If your practice uses HealthEngine, you should review your patient files for any bookings made through the HealthEngine platform in the period between March 2015 and March 2018. For any HealthEngine bookings, you should seek clarification from HealthEngine as to whether patient details have been disclosed to third-party companies and what, if any, actions have been taken to notify patients about the breach.
Questions?
If you have any questions about privacy and third-party apps that you use in your medical practice in Australia, you can contact us here.