Taking appropriate action against false or defamatory statements has long been an Internet policy challenge. Too often, the responses of government agencies and private entities are overbroad and damage online free expression. Recently, examples of inappropriate reaction to critical Internet speech have arisen in the context of online reviews for physicians. A company called Medical Justice is selling contracts through which physicians can silence patients who might be unhappy with the treatment they’ve received. The contracts exploit patients’ fears about use of their health data for marketing purposes. A new website – called Doctored Reviews – exposes Medical Justice’s contracts as being of questionable legality and, as a practice, terrible for doctors, patients and online review sites. The website was created as a joint effort of the Santa Clara University High Tech Law Institute and The Samuelson Law, Technology & Public Policy Clinic at the University of California Berkeley School of Law.
Under a typical Medical Justice contract, a patient typically assigns a treating physician the copyright of any commentary about the physician’s practice over a five-year period. (Earlier forms of the contract forbade patients from publishing any commentary at all on the physician’s practice.) This way, if the physician discovers a negative comment on an online review site, the physician can approach the website, assert copyright ownership over the review, and demand that the review be removed under the Digital Millennium Copyright Act (DMCA).
And what do patients get in return? The Medical Justice contract’s wording is not clear on what the physician is actually promising. Language from one of the contracts is worth noting here:
Federal and State privacy laws are complex. Unfortunately, some medical offices try to find loopholes around these laws. For example, physicians are forbidden by law from receiving money for selling lists of patients or medical information to companies to market their products or services directly to patients without authorization. Some medical practices, though, can lawfully circumvent this limitation by having a third party perform the marketing. While personal data is never technically in the possession of the company selling its products or services, the patient can still be targeted with unwanted marketing information. Physician believes this is improper and may not be in the patients’ best interest. Accordingly, Physician agrees not to provide medical information for the purpose of marketing directly to Patient. Regardless of legal privacy loopholes, Physician will never attempt to leverage its relationship with Patient by seeking Patient’s consent for marketing products for others.
While at first glance it seems that the physician is agreeing not to disclose the patient’s information for marketing purposes, this would be an invalid promise. Under HIPAA, physicians already have a general legal duty not to disclose a patient’s protected health information for marketing without the patient’s authorization. The "loophole" the contract describes does not seem to be a loophole at all, as it appears to fall within the HIPAA definition of marketing – although the contract does not make the arrangement between the physician, the company providing products/services, and the marketer entirely clear. It still counts as marketing if the physician discloses a patient’s PHI to a third party, and that third party issues a communication encouraging the patient to purchase the products or services of a fourth party. Under that scenario, the physician is still legally obligated to obtain the patient’s permission to disclose the PHI.
Instead, it seems that the physician is merely promising in the Medical Justice contract not to ask the patient for consent to market directly to him or her. The patient can refuse permission if the physician asks for it, so – under this interpretation – it would seem the only "benefit" to the patient is that the physician will simply not ask in the first place. It is unclear whether a court would take issue with such nominal consideration in light of the free speech rights the patient must give up in return.
What is clear is that Medical Justice is an abuse of the DMCA and an unethical attempt to capitalize on patients’ fears of using medical data for marketing and their lack of understanding of their health privacy rights. While physicians have legitimate concerns stemming from the professional impact of negative or false online reviews, the response offered by Medical justice is highly unprofessional.
Doctored Reviews exposes the unfairness and limits of Medical Justice’s tactics and is a great resource for patients, owners of online review sites, and doctors. As Doctored Reviews points out, physicians do not need to become censors to respond adequately and appropriately to online reviews. Physicians can (and do) address negative reviews in ways that don't violate health privacy laws. Rather than expose themselves to the legal and ethical risks by using Medical Justice contracts, physicians should maintain open communication with patients about their experiences. And finally, if – as the contract says – the doctor believes it is improper and against the patient’s best interests to provide his or her medical information for marketing purposes, why would a doctor need a contractual commitment to refrain from doing so?