So, here's the scoop.
In calling into the doctor's office, I got their voice system which has always required lots of number punching to finally get through to someone to make an appointment. It's better than 10 years ago where you could literally never talk to anyone in their offices and would just punch numbers endlessly until leaving them a message. That would be followed by a return call that you would invariably miss, having to start the process over, to get another call back.. all to just make an appointment.
Anyway, calling in today only requires two selections, before being told my call was in line to be picked up after approximately 6 minutes of estimated wait, OR I could use their online system. Whooppee! I could make an appointment using what I imagined was a calendar with available timeslots to book appointments? So here is Golden Gate Obstetrics (GGObgyn) big chance to show how they are using information technology to help people organize this process of getting an appointment better and faster!
Er... NOT. So. Fast.
The branding all over the site is "Golden Gate Obstetrics" so I'm thinking: okay, this is their site, even though it's got some other root domain name (mymedfusion.com).. in other words, Golden Gate Obstetrics is responsible for my health info, and I just need to get in to see their calendar and choose a time or something. So I go to "create an account" (Note below I've made screen shots of the *second* account I made, called 'testacct' to see what was going on a second time.. since the first time when I made an account for myself, it went by quickly and I wasn't suspicious until the end of the very end of the process):
As you can see, there's enough data request there for someone to do some damage if they wanted to. At this point I was getting a little concerned about where this data was going, but keeping in mind GGObgyn's history where getting staff on the phone to make appointments is so difficult, I went ahead and submitted my data.
The screen instantly took me to a logged in state, saying "we are now your Health Record provider" which I found totally freaky. I don't want them to be my Health Record provider. I just want to schedule an appointment. All this, without requesting any sort of email verification or other checking... just gave me an account. At that point, I could go make an appointment:
To say the least, I was shocked. So I just put in all this personal information, dinked around with forms etc, to be given a glorified email form to request an appointment? With structured data about which day of the week I want the appointment? How about a calendar with available time slots? So I could just pick based upon my availability? No... it appears they are going to email me back or call me with times so we could go back and forth over schedules again, in email? Really? This is the promise of information technology for scheduling? I mean aside from the privacy issues, I really felt like I'd been had in terms of my time sink for their silly email form.
I notice there is no help or privacy statement on any of the pages in their system (and I clicked on all of them), and the "ask a question" page is all about medical stuff, not using the website. But I figure GGObgyn is responsible for this site. So I call them, and after a lengthy wait, get the appointment receptionist. And I ask, where did my data go? And she says she doesn't know, but they own the site, so therefore my data is safe.
ME: "Really? because my account approval seemed instantaneously to happen on my screen."
Olivia: "Oh yes.. I did that."
ME: "Wow.. you're fast."
After that, she could only talk about how to use the system from her perspective, not mine. In other words, Olivia had no idea what regular users face (ie, There is no privacy information, as I typed in my personal data, and no real idea other than from reading the URL in the address bar that maybe a third party was collecting my data, etc. Reading address bar URLs is something most users don't do.)
I told Olivia she literally wasn't getting the problem, because she just kept repeating to me how she uses the system (as an administrator over user accounts and for appointments where, I'm guessing, she has to be seeing an administrator version of the Medfusion system or some kind of much more powerful interface than the one regular users see when they log into the system). So she said she wanted to pass me to their office manager, Laura, who said, as she picked up the call:
"Mary, i've been listening to your call with Olivia" ... er.. okay.. no one disclosed to me that my call with Olivia was going to be monitored by others listening in. Unsettling. And possibly illegal. But whatever, that's really the least of my concerns here.
I told Laura there was no disclosure to me in advance of having a third party get my personal data.. and after Medfusion had it, I had no way of finding out what they are going to do with it.
Laura replied, "Well I can't help you anymore, because this is a waste of our time.. if you didn't want to put your information into MedFusion then you shouldn't have."
ME: "But your voice system told me to. And your name is on the website, and you aren't really disclosing that you are giving my data to a third party, MedFusion or telling me what they or you are going to do with it."
ME: "But I don't have a fax machine. Can't you email it?"
Laura: "No.. maybe i could scan it and send it in email, but I'm not sure... and there isn't anything else I can do anyway." (It was clear she was trying to end the call.)
ME: "Er... Okay." (And then I hung up.)
No help or contact pages appeared afterward.
By law, we must abide by the terms of this Notice of Privacy Practices. We reserve the right to change this notice at any time as allowed by law. If we change this Notice, the new privacy practices will apply to your health information that we already have as well as to such information that we may generate in the future. If we change our Notice of Privacy Practices, we will post the new notice in our Center, have copies available in our office and post it on our website.
And then, under COMPLAINTS:
If you think that we have not properly respected the privacy of your health information, you are free to complain to us or to the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you if you make a complaint. If you want to complain to us, send a written complaint to the contact person at the address shown at the beginning of this Notice. If you prefer, you can discuss your complaint in person or by phone.
I would also recommend that businesses like Golden Gate Obstetrics use the FTC page on Protecting their user's data and privacy which is very helpful when trying to figure out how to present privacy info on a website.
Frankly, I have no way to alert anyone at GGObgyn to this blog post, or to my thoughts on the subject, other than to call back, sit on hold, and talk with the three people I already discussed this with, who were ranged from unhelpful to hostile. Since GGObgyn doesn't seem open to discussing their websites problems and the fact that the cat is kind of out of the bag now with my data going God knows where into various company's hands, I'm posting this example of how companies, particularly *medical* entities, with no experience or understanding of information technology systems and websites need to use extreme care, and not assume that office staff trained to run a medical office has any idea what users need or will face with a website collecting personal or medical data.
I hope people at medical or other data collection companies will realize the importance of protecting user data and being straight with us about what's happening to personal and medical information. My experience is just one, but if this becomes representative of people's experience with their medical providers, we ought to be very worried.
Note: I took a look, when writing this post, at ratings for Dr. Wiggins, whom I really like and have enjoyed having as my doctor. You can see from the ratings at Health Grades that Dr. Wiggins is well liked by patients but the appointment system and her office staff.. not so much. I hope GGObrgn does an overhaul on all their office administration and website that interacts with patients before they venture further with information technology as tool for communications.