
Invasion of Privacy
updated: Aug 06, 2014, 2:37 PM

By Edhat Subscriber

Recently I received an email from MedCenter via a New York based marketing company called Phreesia. Return address was something like medcenter.phreesia.com.

This email asked me to give my permission, under HIPAA regulations, to release ALL my medical records and contact records to Phreesia for marketing purposes. I have contacted MedCenter headquarters three times via email to ask for an explanation, yet the owner Dr. Mellen (I believe that is his name) has not yet responded to my phone call or emails. What is with MedCenter and what are they trying to accomplish? This invasion or attempted invasion of privacy really ticked me off.

By the way, the only interaction I've had with MedCenter has been for what I believe was a job related TB test many years ago.

Has anybody else received an email like this? It was not "phishing." It was definitely authorized by MedCenter.

Comments in order of when they were received

COMMENT 542640P

2014-08-06 02:51 PM

Oh this is bad bad bad. Shame on you, Dr. Meller!!!

Ignore it of course. But write, maybe by snail mail, to Meller to voice your objections.

Phreesia, from Wikipedia
Phreesia is a patient-intake solution for doctors and patients to electronically store and enter health data. Phreesia, Inc. is a privately held company founded in 2005 by Chaim Indig and Evan Roberts. The company is based in New York City and has less than 100 employees. The company also has a sales office in Ontario, Canada. It is financially backed by HLM Venture Partners and Polaris Partners.
Phreesia replaces a standard doctor's office clipboard with a PhreesiaPad – a colorful touch-screen wireless device reminiscent of an etch-a-sketch. Patients check-in using the PhreesiaPad to fill out the necessary medical records and patient history intake forms. Offices manage their patients' private health data using a back-end web portal. Phreesia offers both ad-sponsored and free educational health content on the PhreesiaPad once a patient has completed an intake form.


COMMENT 542641

2014-08-06 02:53 PM

They are an intake form company. When you sign into the Medcenter on the eclip board, that is most likely the new company they are going to use.


COMMENT 542644

2014-08-06 02:58 PM

I'm no expert on HIPAA, but there's no way I'd ever agree to release my personal medical records to ANYONE unless it's absolutely necessary for my medical treatment, or perhaps for legal reasons like malpractice or some other dispute with a provider or insurance Co.


COMMENT 542645P

2014-08-06 03:04 PM

Be aware that any "prescription discount card" you get in the mail is a data collection/marketing gig (or scam, depending how you view these things). Cut them up! Speak to your pharmacy about available discounts and what card or program they recommend (of course, this won't work with behemoths like CVS or Walgreen's).

Medicine Shoppe uptown has its own kind of discount; they hooked me up with it and never used the card I showed them years ago.

Generally, maybe always, users of those cards waive privacy rights, at least for marketing. Don't know how far they try to undermine HIPAA. Much privacy is gone, regardless of HIPAA.

If you're not familiar with your extensive personal data being mined by every card and website you use, learn about it. All the data from your grocery and other store loyalty cards are just the beginning.
Here's a data brokering primer from 60 Minutes:
(well, probably not Edhat. :-) But I'll never join FB. I bought from Amazon once, and yes, I have a g-mail account.)


COMMENT 542647

2014-08-06 03:14 PM

Don't get too paranoid. Phreesia is the company that MedCenter uses to do all of their check-in and billing. Chances are that some California privacy law requires MedCenter to get your permission to have this contracted company get permission to access your records for billing purposes. But it doesn't hurt to ask them.


COMMENT 542648

2014-08-06 03:14 PM

What then stops Phreesia from selling your medical record information to third parties like insurance companies or the ACA administrators?


COMMENT 542652P

2014-08-06 03:22 PM

To whom? A medical professional and/or organization? Did the sender tell you exactly who they are, title, etc. and who would be receiving the information?


COMMENT 542654P

2014-08-06 03:23 PM

This is what really got me about the opening post:
"By the way, the only interaction I've had with MedCenter has been for what I believe was a job related TB test many years ago." Whatever is being done here should be done when and if someone is a patient at the MedCenter, not the new registration and/or medical records company for MedCenter contacting people, who went there years ago, out of the blue.
I respect Meller, but his recent news is troubling. I realize he cannot control the business practices of the technology he has purchased. He's trying to run a business -- and EXPAND that business, into a 3 story multi-use building.


See comment 435, dated 7/7/14 12:09 pm. and the following discussion.


COMMENT 542657P

2014-08-06 03:30 PM

I wonder how good MedCenter's and Phreesia's wireless security is.

and today's hacking news:


NY Times:
"A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say."



COMMENT 542667P

2014-08-06 03:52 PM

Hahahaha - like anyone has "private" or "personal" information anymore - get over yourselves people. You, me, us, them - someone already knows all about it.


COMMENT 542672P

2014-08-06 04:12 PM

agreed, 667. Just want to pass that info along.


COMMENT 542679P

2014-08-06 04:23 PM

No matter your opinion on Phreesia, it is a bit creepy to think that it is as easy as an email to sign your rights away for your personal information.

I would not respond to the email, OP. I'd send a letter to Dr. Meller explaining how uncomfortable this has made you and that you will not be visiting the MedCenter again. He needs to hear how his clients feel about this, even if you have only been there once.


COMMENT 542680

2014-08-06 04:23 PM

I got the same email; I didn't do anything with it. My parents didn't get the email so I figured it was phishing. I clicked on the link once I got on my laptop and it sent me to a third party website which gave me a warning saying it was directing me to it. Didn't proceed since I didn't recognize any of the companies. Ignore it!!!!


COMMENT 542691P

2014-08-06 04:41 PM

Meller had quite a bit of legal trouble with the California medical board some years ago. The online search only goes back ten years, though. Be cautious.


COMMENT 542711

2014-08-06 05:50 PM

Sounds like they hacked the email database at the Medcenter and are sending out phishing or malware emails to everyone on the list. Many offices have no internet or intranet security. Firewalls or proxies are rare, especially in local yokel businesses with limited IT budgets. The Geek Squad or similar sets them up and after that nada in terms of IT security. Routers are misconfigured all the time, VPNs aren't used or are misconfigured, etc. etc. Passwords are probably as old as the hills and simple.

Your data is sold, used and resold every day if you give any of it to a company with no IT security policies in place and even when they do, hackers are way ahead. As far as Medical records, with the current electronic system, we may as well leave them in boxes on the curb for any Tom to rifle through and hope they're still there in the morning. Billions spent to make sure there is no security so Tom can do just that.


COMMENT 542721P

2014-08-06 06:20 PM

Thx - good info, well written, 711 and 691P.


COMMENT 542727P

2014-08-06 07:07 PM

Personally I would never release medical information via email. This sounds like some type of con job. I think if it was legit, Medcenter would have informed you. I would mark the email as junk mail and let Medcenter know.


COMMENT 542759

2014-08-07 06:15 AM

@691 what kind of legal trouble?


COMMENT 542772

2014-08-07 07:37 AM

People, please try to not be so paranoid. HIPAA laws prohibit the transmission and viewing of personal medical records without authorization (never mind selling to third-parties... where did that come from?). Health records NEED to be electronically maintained - unless, of course, you prefer trillions of pieces of paper that are easily misfiled, misplaced, difficult to access and easy to damage. This is 2014. Your health information is far more secure than all of the online banking, shopping, bill paying and social media you conduct each day.

To the OP and anyone with a question about these third-party emails or request for authorization: PLEASE contact your caregiver directly to clarify, instead of asking a clearly uninformed, alarmist bunch. Just a suggestion.


COMMENT 542773

2014-08-07 07:39 AM

Dr. Keller has a lot of scum in his profession. $295 for 10 minute USELESS visit to Dr. Corazza last month. Drs are into money, and care not about patients. Like lawyers 10% good! The rest are worse than useless! They're dangerous.


COMMENT 542776

2014-08-07 07:45 AM

Medical care in Santa Barbara seems like a big cattle drive. Go to a small 1-2 doctor office and pay cash. I think we'll be dinged later for having sniffles today. Your next bout with sniffles will be considered "pre-existing" but thanks for your premium!


ARCHIE

2014-08-07 07:45 AM

I would, in writing and phone, request that if anyone asks his office for your medical information that they contact you themselves so you can decide yes or no.


COMMENT 542809

2014-08-07 09:03 AM

The biggest danger in a program like this is that insurance companies and employers who could not (because of HIPAA laws) obtain health records from a health care provider, may be able to get it from a third party information archive who has received your permission to release it. Obviously any such insurance company or employer could be charged a significant service charge for providing this information service because it may be very valuable in assessing an insured for providing a policy of life or health insurance or for retaining or hiring an employee.


COMMENT 542836

2014-08-07 10:26 AM

Sort of off topic, but reminds me of something I was wondering about. Both of my kids (young adults) got mail from their bank requesting their annual income for their records. They do not have credit with these banks, just checking accounts...does anyone have an idea what right the bank has to know this information? I don't think it's any of their business but wondering if any other bank is requiring this information. My kids just ignored the request for information. Any insight would be much appreciated.


COMMENT 542838

2014-08-07 10:45 AM

I want to thank all the edhatters who have commented on this thread for their interest. First I would like to clear up that the MEDCENTERS have never and will never release any medical or personal information about any patient without their explicit consent. Never. Ever. We will NEVER sell anyone’s information. Also, we have not been hacked.
About 5 years ago we began to use the Phreesia check in service to streamline the registration process at the MedCenters. We are always looking for ways to make it easier for patients to be seen at our offices. Check in and verification of insurance coverage had long been one of the slowest parts of the process. What Phreesia does is make this a whole lot easier and quicker both for patients and our staff. This service provides a touchpad that allows patients to enter their name and address and asks them the reason for their visit. It also gives patients the opportunity to BUT DOES NOT REQUIRE them to enter other details such as what medicines they are taking, other medical problems they want us to know about and an email address, should they wish to share it. We let patients know that the only parts we really need are the name, address, phone etc. The service then checks that the patient's insurance is up to date and tells us their copay and deductible in seconds. This saves a phone call or internet check which can take a lot of time.
On June 30th this year, Phreesia began to send out follow up emails to patients who had added their emails. As far as we know, there was NEVER any request that the patient’s medical information be released to third parties. The REQUEST that the patient’s contact information be shared could either be denied or simply ignored and NO INFORMATION will ever be released. This was supposed to be only a post visit reminder so it is unclear why a patient who had not been to the MedCenter for 3 years would receive one. We are looking into this.
As to the “legal problems” mentioned in one comment…
about 15 years ago I had a patient who I suspected had a rare genetic medical condition. At that time there was no DNA test for this condition as there is now. A liver biopsy was the only way to confirm the diagnosis. The patient was in a lot of personal distress for other reasons at the time and she reasonably declined to have the test. Fortunately the condition does not present problems to patients when they are young. The medical board questioned why I hadn't sent the patient to a gastroenterologist for a biopsy. I explained the circumstances to them but they saw fit to reprimand me for “poor record keeping” in that I hadn’t adequately recorded my conversation with the patient about the need for the biopsy. Several years later the genetic test became available decreasing the need for biopsies in young patients.
We tried to respond to the edhatter who started this thread but the phone number left on our voice mail was unclear. Email is not secure enough yet for medical communicati...


COMMENT 542863

2014-08-07 11:52 AM


Email is not secure enough yet for medical communications.
The MedCenters have provided Urgent Care and Family Medicine to our community for the past 31 years. We see 25,000 patient visits a year. We do get complaints, although infrequently, and we try to respond as quickly as possible in all cases. We are grateful to all our patients for the opportunity to be of service.


COMMENT 542866

2014-08-07 12:07 PM

I am the person who posted the original message to edhat.

Weller said: "As far as we know, there was NEVER any request that the patient’s medical information be released to third parties."

Here is an excerpt of the email that I got from Phreesia/MedCenter.

"I hereby authorize my clinician to release to Phreesia my medical record information (i.e., name, age, and other demographic information, e-mail address and other contact information, health information including medical history and clinical data on file with my clinician), to help determine the health-related materials I will receive as part of my participation in Phreesia's Patient Communication Services. The health-related materials may include educational information and advertisements related to treatments and therapies specific to my health status or those generally used by my clinician, appointment reminders, office location and hours information, and the like."


COMMENT 542896

2014-08-07 01:41 PM

I started this discussion. More language from MedCenter/Phreesia. (Third party release IS authorized.)

"Phreesia is a business associate of my clinician and is bound by federal law to protect and safeguard my privacy. Phreesia will safeguard my personal information and will not use it for any purpose, other than to: provide these health-related materials to me; and anonymously analyze health outcomes in support of that content, as well as to measure the effect of the health-related materials furnished to me on my communications with my or my family member's clinician (this analysis is computer-automated and involves no human review of my protected health information).

Although there is the potential for information disclosed pursuant to this Authorization to be subject to redisclosure by the recipient and no longer be protected by federal privacy rules, Phreesia maintains administrative, technical, and physical safeguards as required by... etc etc."


COMMENT 542915P

2014-08-07 02:30 PM

Thank you for response, Dr. Meller. Thank you for the follow-up, OP. Be careful out there, everybody!


COMMENT 542941

2014-08-07 03:40 PM

Of course it is a scam. Never give out your private info to anyone unless you have a really good reason. I am amazed by the Edhatter who used their own "sour grapes" to drag a physician basically through the mud. Wow...ugly!! I am not anyone associated with Med Center by the way.


COMMENT 542961

2014-08-07 04:36 PM

It is not clear at all that Phreesia is so close a "business associate" of the medical care providers that it is not a third party themselves, bound by federal non-disclosure laws controlling patient information. More importantly, if they sign the comprehensive release authorization quoted by the reporting party here, it would most likely constitute a waiver of HIPAA privacy provisions. The release authorization is unnecessary if Phreesia is doing nothing more than archiving patient health care records at the instance of the patient's doctor. Assuming a need arises to forward medical information to another provider at the instance of the patient, that situation can easily be covered by language of the release authorization limiting release to those specifically authorized, designated providers. If the release information quoted is being used, IT DOES NOT limit release to those specifically authorized by the patient or through their current doctor or provider.


COMMENT 543012

2014-08-07 08:42 PM

Everyone needs to understand HIPAA and how it protects us. We are all so quick to decide that someone is "selling our private information" or trying to "scam" us before we know the facts. How many times have you gone to the doctor and signed a HIPAA acknowledgement form? Did you read it? Do you know how your personal medical information is kept, stored and shared by the medical community? Based on most of the comments on this thread I'd say NO. The letter was not a scam....it was following a process put in place by HIPAA. I don't know Dr. Meller. I work in HR for a large company. I am always amazed by how little time and effort people put into learning and understanding how their insurance/ medical plans work. Get educated people. HIPAA puts a lot of policy around your medical information and who has access to it but your private medical information isn't as private as you all seem to think it is.


COMMENT 543028

2014-08-08 06:38 AM

012 here .....quick example of how our "private" records are not so private. Recently I went to a chiropractor for the first time. He is not affiliated with Sansum or the hospital yet he was able to access ALL of my medical records online with only my verbal approval. He did not need a signed release from me, he did not need to send, fax, email or call any of my doctors or labs. Just a click of a button and he had it ALL at his fingertips. BUT if he had hired a temp to work in his office that day and wanted her to pull up my records HIPAA requires that I sign a form....like the one that the OP received.......giving my consent for the temp to access my records. If I don't sign that form, by LAW she may not have any access to my records.....


COMMENT 543997

2014-08-12 06:38 PM

We brought this to the attention of Phreesia and they were very helpful and provided this response.

"Phreesia takes security very seriously, and has built its systems to meet and exceed the strict security requirements of the healthcare and financial services industries to guarantee our patients' protection. A combination of federal guidelines and corporate policies ensures that all patient-related health and financial information is protected by the most stringent administrative, technical and physical safeguards.

Data collection is done solely to support our practice's workflow and clinical needs, and patient information is never shared with third parties. Phreesia's data-use policy is in strict accordance with federal laws and HIPAA Regulations.
If you have specific questions about your experience with Phreesia, or if you’d like some additional information about its privacy policies, please reach out to our practice, or call Phreesia directly at 888-654-7473."


38% of comments on this page were made by Edhat Community Members.


