Updated 12/3 at 3:40PM PST with clarification on penalties from the FTC.

The Federal Trade Commission (FTC) has come to terms with an Atlanta-based medical billing company that misled consumers by using their billing information to deceptively access their clinical information, too.

The company, PaymentsMD, LLC, and its former CEO, Michael C. Hughes, built a “Patient Portal” where customers could sign up to see their billing information and pay their bills. But the company included in the small print at signup that it could then access the consumers’ clinical information from pharmacies, medical labs, and insurance companies.

“Consumers’ health information is as sensitive as it gets,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Using deceptive tactics to gain consumers’ ‘permission’ to collect their full health history is contrary to the most basic privacy principles.”

In the settlement, announced today, the company is required to destroy all the clinical data it collected. But that’s it.

VB TRansform 2020: The AI event for business leaders. San Francisco July 15 - 16

Update: FTC spokesman Jay Mayfield explained that under the FTC Law, the commission can’t immediately levee fines against PaymentsMD. Instead, PaymentsMD is “under order” and will be monitored by the FTC’s enforcement arm to make sure that it complies with the details of the order. If the company does not, it could be on the hook for fines of up to $16,000 per day, per person harmed.

PaymentsMD was collecting the health information because (in 2012) it began developing a separate service known as Patient Health Report, which was designed to provide consumers with comprehensive online medical records.

According to the complaints, consumers consented to the collection of their health information by signing off on four authorizations that were presented in small windows on the webpage, displaying only six lines of the extensive text at a time, and could be accepted by clicking one box to agree to all four authorizations at once, the FTC says.

The good news is that almost all of the health care companies PaymentsMD contacted for clinical data refused to comply with the requests, because they included requests for information about minors, as well for individuals who were not customers of the health care company contacted.

Once PaymentsMD began informing customers that it was attempting to collect consumers’ health information, the company received numerous complaints from consumers angered because they believed they had signed up only for a billing portal and not an online health record.