“Preregistering” for a medical appointment started by clicking a link in an email to reach a website with no obvious relation to the medical office, filling in a selection of my private bits, then being confronted by this wall of text:
———- Wall of text begins ———-
Review Phreesia Authorization
Please review the authorization below. A copy of this authorization form will be available at the front desk.
Authorization for Uses and Disclosures of Protected Health Information
Health-Related Materials
I hereby authorize my healthcare provider to release to Phreesia’s Check-in system my health information entered during the automated Check-in process, or on file with my healthcare provider, to help determine the health-related materials I will receive as part of my use of Phreesia. The health-related materials may include information and advertisements related to treatments and therapies specific to my health status. The materials may be provided by my health insurance plan, a pharmaceutical manufacturer or another healthcare entity. Phreesia may receive a payment for making such information available to me through the Check-in System or Phreesia’s Patient Communication Services including items such as newsletters, patient reminders for visits, medication/treatment adherence and other practice-related services.
If I am presented with an advertisement pursuant to this Authorization and I choose to request certain information and/or samples as described in the advertisement, then I further authorize Phreesia to disclose my protected health information to the advertiser as designated in the advertisement, such as my name, email address, mailing address, or phone number in order to receive such information and/or samples. Phreesia may receive a payment for releasing my personal information. The use and disclosure of my protected health information solely as set forth in this paragraph is valid only for purposes of when I choose to receive the information and/or samples, as described in the advertisement and until I receive such information and/or samples.
My healthcare provider is using Phreesia’s secure platform to enhance the patient-provider experience and eliminate inefficiencies associated with Check-in.
The following is the Authorization to provide me personalized educational health content and to allow Phreesia, on behalf of my healthcare provider, to conduct analytics using some of the information that I provide to gain insight into and support the effectiveness of this educational health content.
Utilizing Federal guidelines and its corporate policy, Phreesia, on behalf of my healthcare provider, ensures that all patient-related health information is protected by administrative, technical, and physical safeguards.
Phreesia will safeguard my personal information and will not use it for any purpose, other than to: provide health-related materials to me; anonymously analyze health outcomes in support of that educational health content, as well as to measure the effect of the health-related materials furnished to me on my communications with me or my family member’s healthcare provider (this analysis is computer-automated and involves no human review of my protected health information); and carry out any use or disclosure otherwise permitted by this Authorization.
Although there is the potential for information disclosed pursuant to this Authorization to be subject to redisclosure by the recipient and no longer be protected by federal privacy rules, Phreesia maintains administrative, technical, and physical safeguards as required by the Federal Government’s Health Information Privacy Rule, or “HIPAA,” to protect each patient’s confidential information. Phreesia does not disclose personally identifiable information to anyone other than each patient’s healthcare provider without this Authorization or as governed, permitted or required by law.
I do not have to grant this Authorization but, if I do not, I will not receive personalized health-related material or, as applicable, receive the materials as described in the advertisement. I understand that my healthcare provider will treat me regardless of whether I grant this Authorization.
I have a right to receive a copy of this Authorization. I may change my mind and revoke (take back) this Authorization at any time, except to the extent that my healthcare provider or Phreesia has already acted based on this Authorization. To revoke this Authorization, I must contact my healthcare provider c/o Phreesia in writing (including my name, date of birth, gender, home address and healthcare provider’s name) at: Privacy Officer, Phreesia, Inc., 434 Fayetteville Street, Suite 1400, Raleigh, NC 27601; or PrivacyOfficer@Phreesia.com. This information will not be used for any purposes other than to verify my identity in order to revoke this Authorization.
This Authorization is valid for the following time periods:
- One year from the date on which I grant this Authorization – for use in delivering personalized health-related materials from my healthcare provider on the Phreesia platform;
- When the Patient Communication Services Program concludes – for use in delivering Phreesia’s Patient Communication Services on behalf of my healthcare provider; and
- When the Analytics conclude – for use in Phreesia’s analytics programs
Phreesia is a business associate of my healthcare provider and is bound by federal law to protect and safeguard my privacy.
Authorization signed by: The patient, [me]
———- Wall of text ends ———-
I assume your eyes glazed over immediately upon seeing the text and it’s entirely reasonable to assume most folks simply select the “Agree” button (which doesn’t appear here), sign the form, and move on.
Having actually read the damn thing, it turns out to be an agreement to let Phreesia (apparently, all the good names were used up) spam me with medical advertising vaguely related to my current malady.
Look at that first paragraph again:
I hereby authorize my healthcare provider to release to Phreesia’s Check-in system my health information entered during the automated Check-in process, or on file with my healthcare provider, to help determine the health-related materials I will receive as part of my use of Phreesia. The health-related materials may include information and advertisements related to treatments and therapies specific to my health status. The materials may be provided by my health insurance plan, a pharmaceutical manufacturer or another healthcare entity. Phreesia may receive a payment for making such information available to me through the Check-in System or Phreesia’s Patient Communication Services including items such as newsletters, patient reminders for visits, medication/treatment adherence and other practice-related services.
“May receive a payment” indeed. I declined and haven’t died yet.
This could happen:
… there is the potential for information disclosed pursuant to this Authorization to be subject to redisclosure by the recipient and no longer be protected by federal privacy rules …
Scum, the lot of them.
The Smell of Molten Projects in the Morning 
The operation of Moore’s Law has made computers so small, ubiquitous, and cheap, that all computing is now done in huge remote data centers owned by giant corporations.
Back in the ’70s/’80s we imagined doctors having their own appointment systems.
Exactly zero people in a typical medical office have IT-fu, which makes perfect sense: IT isn’t a core medical competency. Conversely, the ongoing SolarWinds debacle shows you can’t outsource your IT security, either, without introducing a nation-scale vulnerability.
IT is hard, even without blending advertising dollars into the mix. There may be no good solution.
“Having actually read the damn thing…”
The real message is encrypted between the lines and can be interpreted from different angles.
Something along the lines of “You have no privacy. Get over it.”
And they claim that they can’t communicate over email for privacy/HIPPA compliance reasons. As if their rinky-dink portal is anything near as secure and well-tested as gmail (which is HIPPA compliant if you pay for it.) Based on this, it appears that the real reason is they are getting kick-backs for ads.
They’re surely working both ends of the deal: charge the medical office for running their appointments and charge the manufacturers for ad placement.
With, as always, my attention as the currency.
I guess I’m lucky. Two of the medical practices I use have on-line appointment systems, and neither forces advertising. The big clinic/hospital complex uses Epic’s MyChart, with the appointments a small part of a huge system. When it works (which is usually) it’s great. OTOH, they had a ransomware attack last year and had to go via paper. Bloody mess, that was. Looks like they have a largish staff keeping it more-or-less under control.
Another doctor uses a much simpler system for appointments that actually shows when he’s available. One doc and one receptionist/assistant, so it’s pretty clearly outsourced. It Just Works, mercifully.
I should kvetch at them, but I’m unwilling to poke that problem.
They have a Wikipedia page at https://en.wikipedia.org/wiki/Phreesia
If you go to the preheesia.com web site and do a bit of exploring you find:
“Phreesia makes it easy to respectfully and consistently collect from patients at the time of service by prompting them to pay during registration. It also gives patients flexible and convenient payment options that improve their overall financial experience.”
“Phreesia’s privacy and security procedures include the following safeguards: Phreesia does not sell, rent, disclose or use PHI without patient authorization or unless permitted or required by law. PHI is secured through password protection and can only be accessed by authorized users within the healthcare practice.”
“Phreesia, the patient check-in company, helps medical practices increase cash flow and save staff time… Phreesia electronically collects and updates critical patient information, verifies insurance, and collects co-payments and balances during check-in.”
I can see why medical offices would like something like this… It’s all about the money.
So they’re working three sides of the game!