When John Heafield opened his electronic health record (EHR) portal in November to check for reports from his doctors, he was shocked and offended.
There at the top of his inbox was a suggesting he should enroll in a Medicare Advantage plan. "Review your 2023 Medicare Advantage coverage options," it said. The annual enrollment period began Oct. 15.
For a second, he thought his doctors might be suggesting he enroll, which he felt would be highly inappropriate. But as he read through, he realized the message came from FollowMyHealth (FMH), the company that operates the EHR portal for his North Carolina-based health system. It said he should click on a link to get his "personal code, powered by our partner, eHealth, a licensed independent insurance agency."
Automatically, the code would "securely share your prescriptions and doctors with our partner, eHealth." It would also allow him to see "Medicare Advantage plans that may have your doctors in their network and may cover your prescriptions at the most affordable price."
Heafield, 74, who deliberately rejected Medicare Advantage out of concerns about its significant downsides, opting instead for traditional Medicare and a supplement plan, suspected something was very wrong. If not flatly illegal, he said, it was morally wrong to solicit MA enrollment through his health portal.
"I felt they were using the trusted platform of my healthcare provider without, I suspect, the consent or knowledge of my provider," the Asheville retiree told ľֱ. After asking some of his doctors in the Mountain Area Health Education Center () network whether they knew or approved of this solicitation, his suspicions were confirmed. They knew nothing about it, they told him, and were dismayed by the practice.
"Being a paid supplier of patient portal services places FMH in a quasi-fiduciary relationship," Heafield said. "It should not take advantage of the trust ... to promote its own independent interests."
Medicare Disapproves
ľֱ sent the Centers for Medicare & Medicaid Services screen shots of the communications Heafield received, and asked about the appropriateness of FollowMyHealth's use of such messages to solicit Medicare Advantage enrollees.
"An organization/company should not engage a patient through their health care plan patient communication portal with a purpose to market to or solicit enrollment into a Medicare Advantage (MA) plan," an agency spokesperson . She referenced an on best practices sent to MA and Part D plan sponsors, including third-party marketing organizations.
The agency did not answer questions about what actions it has taken or plans to take to prevent FollowMyHealth, eHealth, or any other entity from using an EHR patient portal to recruit Medicare Advantage enrollees.
Kathi Petersen, a spokeswoman for MAHEC, said in a to ľֱ that although her rural, non-profit medical center "did not send the messages in question nor did we know these particular messages were being sent by FMH, we regret the negative experience this gentleman had and appreciate that he brought his concerns to our attention. By no means does MAHEC wish to imply that these third-party messages are an endorsement of such products."
Petersen said that when a patient enrolls in the FMH platform, the patient has the option to agree to receive or to opt-out of receiving these third-party messages and can do so at any time.
But that's easier said than done, Heafield said, adding that viewing these kinds of ads is "opt-in by default." And, he said, "providing the ability to opt-out does not excuse FMH's misleading presentation. The issue is FMH giving the impression that MA plans are endorsed by my provider."
Heafield emphasized he wasn't criticizing MAHEC, which he sees as more of a victim in the situation than a perpetrator.
FMH Responds
FMH is a significant player in the patient portal market. One posted that its EHR portal programs are used by "more than 300 companies" while another estimates the number at 145.
Asked why FMH was sending messages recruiting enrollment in MA plans through patients' health information portals, Angela Whitehead Smith, associate general counsel for Veradigm (formerly Allscripts), which operates FollowMyHealth, sent a . She said the portal's messages "clearly indicate that FollowMyHealth PHR [personal health record] is not communicating on behalf of the individual's provider or the federal government."
But such a disclaimer was not mentioned either in the portal message Heafield received or in a separate eHealth and FollowMyHealth sent to eligible beneficiaries, including Heafield, by mail.
The message sent to portal recipients, in particular, said only that "FollowMyHealth is not directly affiliated with your doctor," perhaps leaving some portal users with the impression that doctors could be indirectly affiliated.
Smith also said the FMH PHR is regulated by the Federal Trade Commission and is not a PHR offered by an entity covered by the Health Insurance Portability and Accountability Act (HIPAA), in part, because "it is not a 'view' into a provider's electronic health record."
When ľֱ sent Smith a link to its own , which boasts FMH is HIPAA-compliant, Smith differently.
"The description we provided initially was specific to our FollowMyHealth PHR since you'd asked about eHealth. As mentioned, the PHR is an account which is managed by the consumer and thus regulated by the Federal Trade Commission."
"We also have a FollowMyHealth portal licensed to health care organizations. The data for the portal is owned by the health care organization and is 100% separate from FMH PHR data. Portal data is covered under the BAA agreement we have with the health care organization and is subject to HIPAA." (BAA refers to a .)
Smith did not answer the question about why FMH used its EHR patient portal -- which patients think is supposed to contain information from their doctors -- to sell Medicare Advantage plans to seniors who may not understand that clicking on the provided code would electronically transfer personal health information such as their prescription drugs to an unknown insurance agent.
Must Patient Portals Be HIPAA Compliant?
Deven McGraw, who was the deputy director for health information privacy in the Department of Health and Human Services' Office of Civil Rights during the Obama administration and is currently an attorney who specializes in HIPAA, said whether the patient portal is a HIPAA-covered entity and a "business associate" depends on the details.
The fact that the health system paid for it and offered it to patients as a way to communicate with their providers is only one factor. Other , such as how much control the patient has in selecting what health data he wishes to see or transmit within it, also need to be considered, she said.
It's an extremely complicated issue that's hard to parse without knowing "deeper details" of how the platform functions and who controls it, she said.
McGraw added that MAHEC's claim that it didn't know about the Medicare Advantage ads suggests "that the health system doesn't control what goes into the portal. Rather, the company (FollowMyHealth) controls it, and may have more of an independent relationship with the patient."
Heafield searched the internet and found health portal websites saying that PHRs to be HIPAA compliant.
But even if it's true that FMH does not have to comply with HIPAA, Heafield said, "CMS or the FTC should require PHR portal providers to disclose to patients that, upon enrolling, their health data is no longer covered by HIPAA. They should also warn when I 'Compose a Secure Message,' that messages to and from providers are not covered by HIPAA. I wonder if providers know this? Perhaps providers could contractually require a PHR portal to adhere to HIPAA rules?"
McGraw said that disclosure might have been in the portal's terms of service, which users seldom read. "That's not surprising because they were probably hidden and lengthy."
As a partner of FMH, eHealth spokesman Doug Dalrymple also to a request for a response.
"For more than 25 years, eHealth's mission has been to make it easier for health insurance shoppers to find, compare, and enroll in affordable plans that provide the right coverage for them, based on the beneficiary's stated needs, access to their prescription drugs, and their preferred medical care providers," he wrote.
He added that the 'Personal Code' reference "is a commonly used technology that allows eHealth to extend its free-of-cost services to customers through a de-identified process that preserves the anonymity and security of their personal information until, and unless, the consumer actively takes steps to enroll in a Medicare plan offered through eHealth."
"If the beneficiary does not proceed with the application, eHealth never learns the identity of the individual associated with the code, and the de-identified consumer information is not retained or shared in any way. Processes like this, designed to protect the privacy of beneficiaries, are commonly used in telephonic and in-person enrollments in the market at large."
CMS Cracks Down on MA Advertising
CMS leaders have become increasingly concerned with deceptive, dishonest, and confusing Medicare Advantage advertisements and other marketing tactics. The agency acknowledged receiving more than 39,000 complaints about such tactics in 2021 alone, more than double what it received the prior year.
In its October 19 memo, CMS said secret shoppers "have discovered that some agents were not complying with current regulation and unduly pressuring beneficiaries, as well as failing to provide accurate or enough information to assist a beneficiary in making an informed enrollment decision."
CMS is now monitoring phone conversations between beneficiaries and insurance brokers or other marketing organizations and reviewing marketing materials in an effort to prevent beneficiaries from enrolling in plans that they don't understand, don't include their doctors, or don't meet their needs.
Last year, CMS published a of marketing guidelines for these plans. In addition, a lengthy from December 27 will, if finalized, prohibit marketing materials from mentioning extra benefits, such as dental, vision, or hearing services or "low or zero dollar premiums" without mentioning the name of the specific plan that offers them.
All too often, the rule reads, "these advertisements do not identify which product(s), plan(s), or specific plan(s) benefits are being advertised, but rather act as a lead generator to obtain beneficiary contact information. When a beneficiary calls, returns a flyer, or clicks on a link on a web page, the advertising entity ... may be able to obtain a beneficiary's contact information, which is then used by that entity for unlimited future calls or for providing that information to other entities."
The message Heafield received included no reference to a specific plan.
Heafield sees marketing efforts like FMH's problematic because they fail to require Medicare Advantage plans to disclose potential downsides, "such as limited provider choices, limited geographic coverage, a gatekeeper who may delay or deny treatment, higher co-pays or co-insurance, and the possible inability to leave the provider and return to traditional Medicare with a supplement."
He said he wishes CMS would require such disclosures in plan marketing materials.
"There's precedent, after all," he said. "TV drug ads often mention that their drug might cause death or other enumerated negative outcomes. Why shouldn't Medicare Advantage plans be required to do the same?"