Find a Doctor Near You? Yes, but Medical Booking Sites Have Downsides, Too.

Not all doctors are listed, and privacy protections may be lacking

Illustration of a person opening up an app on a cell phone with multiple stethoscopes coming out to examine him. Illustration: Jason Schneider

People often ask Ken Duckworth, MD, chief medical officer of the National Alliance on Mental Illness, whether he can recommend a psychiatrist.

“I literally tell them, I have no idea who’s taking patients now,” he says. “Finding a provider is actually a very big hurdle, even if you have insurance, if you speak English, and you have the time to find one, because demand has been crushing supply, particularly in the pandemic.”

Locating a new doctor and booking an appointment, especially on short notice, was never easy in our complex and fragmented healthcare system, and the COVID-19 crisis made matters worse. However, a number of online health scheduling companies say they can make booking a visit—whether for a psychiatrist or any other type of doctor—far more convenient. 

More on Healthcare Data

Several of these services became prominent players in the rollout of COVID-19 vaccines. Cities such as Chicago used the medical appointments company Zocdoc to help people find vaccination openings, and the company assisted with vaccination appointments in 21 U.S. states. Zocdoc says it did not make money from the vaccine bookings but gained visibility and goodwill. 

Broadly, websites like Zocdoc; Solv, operating in 42 states; and Qwell, based in New York City, function much as OpenTable does for restaurants. But instead of looking for a Thai place in your neighborhood, you search for unused doctor appointment slots, filtering by medical specialty or procedure, location, and insurance plan.

The ability to make a doctor’s appointment with a few clicks of a mouse draws millions of Americans to these services every month. Yet medical and privacy experts say it’s wise to approach the sites with some caution. They list only some of the available providers, the reviews and other information may be one-sided, and it’s hard to know just what many sites do with the data they collect about users. 

The potential for intimate medical details to become a commercial product exists with other online medical resources, too, from information provider sites such as WebMD to apps you might use for mental health care. U.S. privacy rules written decades ago did not anticipate the rise of these new conduits to medical care, and the rules governing health data under the Health Insurance Portability and Accountability Act, or HIPAA, don’t always apply. 

To use an analogy: Imagine two desks, one belonging to your doctor’s receptionist, the other located out in the parking lot and run by a tech company asking questions about your health and serving up lists of doctors for you to check out. Privacy rules apply to the first but often not to the second. 

Adding a middleman into the booking process may create an enhanced security risk, too. In late May, Zocdoc said a programming error could have allowed past or present staff in medical and dental offices unauthorized access to information on about 7,600 patients, according to spokeswoman Sandra Glading. The company had disclosed a similar problem five years earlier.

Advertising, Not Referrals

Medical appointment websites can save patients a lot of time and effort if they’re searching for a specialist.

A recent Zocdoc search for a psychiatrist near Miami quickly turned up an appointment the next day in Boca Raton, Fla., 40 miles away; a mental health nurse practitioner available five days later; and several appointments via video within a few days. A search for a cardiologist in Modesto, Calif., found three different doctors that day for video consultations, or an in-office doctor appointment more than 50 miles away the following day. 

These websites generally charge doctors a subscription, or a fee for each booking, or both. For example, Zocdoc charges doctors $40 to $140 per new appointment, according to Zocdoc’s vice president of strategy, Richard Fine. 

Charging doctors per booking is controversial because U.S. laws prohibit doctors from paying other medical professionals for referrals. However, because Zocdoc does not recommend any one physician over another, U.S. and state agencies allow this billing model. “Zocdoc is an advertising platform, not a referral source. Just as a search engine, phone book, or insurance directory does not make referrals, neither does Zocdoc,” Fine says. 

“Zocdoc, to their credit, created a technology that was pretty convenient for the consumer,” says Andrew Brotman, MD, executive vice president and vice dean for clinical affairs and strategy at NYU Langone Health, a New York hospital system. But once Zocdoc started charging doctors by the referral in 2019, NYU Langone became one of a number of healthcare providers to stop using the service and instead set up ways for patients to book on their own sites.

Many of these web portals rely on the services of big electronic records companies such as Cerner and Epic, whose MyChart portal has relationships with medical practices that include 415,000 physicians, or about half of all the doctors licensed in the U.S.

Those portals have some advantages, especially when it comes to protecting your privacy (more on that below). Yet some of the upstart, lesser-known websites offer their own advantages. An example is MDSave, a company that advertises a guaranteed, no-surprises total price for medical procedures in 36 states. The company’s site says that, nationally, the average cost of a colonoscopy is $4,615, but that MDSave’s users pay much less on average. And the site lists the prices for specific providers, such as one charging $2,096 in Chicago and another charging $1,263 in Oklahoma City.

MDSave builds in a 10 percent patient transaction fee, which covers credit card processing and other costs, and a licensing fee for doctors and hospitals, says Paul Ketchel, the company’s co-founder and CEO. About 75 percent of MDSave customers have insurance policies with high deductibles and 20 percent are uninsured, he says. Other patients using the site are seeking procedures not covered by their insurance plans, such as weight-loss surgery.

Confusing Rules on Privacy

When you provide information to a website to book a doctor’s appointment, your information is generally covered by HIPAA. But the same protections may not apply to information collected when you’re simply searching through listings of doctors or reading reviews by patients—even on the same website. 

“These companies are not necessarily covered under regular privacy regulations that govern most of medical care,” says Matthew Wynia, MD, director of the University of Colorado Medicine’s Center for Bioethics and Humanities. “They’re having to make this up because they don’t have HIPAA to regulate them. So they choose what their self-regulatory regime is going to be.”

MDSave follows HIPAA rules, according to company CEO Ketchel—but he acknowledges that the company doesn’t commit to that in its privacy policy. “All interactions that may involve HIPAA data follow the company’s strict HIPAA procedures and guidelines,” he says. “However, I think you may be right that we should let our patient consumers know that the company follows HIPAA. It could be a good market differentiator.” 

It can be tricky to figure out what’s going on with your data, even if you are among the few people who actually read company privacy policies. As an example, Zocdoc’s privacy policy says that data the site collects when you make an appointment is protected by HIPAA, but not searches for doctors, surveys, or medical history forms not associated with a particular medical provider. Such language could, at least in theory, allow a company to sell a list of named patients likely to suffer from cancer, sexual or mental health issues, or other problems based on what you searched for, though company spokeswoman Glading says Zocdoc does not sell or share identifiable customer information.

Some companies that are careful not to share personally identifiable patient information may still make money by selling anonymized data to other companies, a practice that’s allowed under HIPAA. And data sold about you without your name but with your medical issues carries risks. Just three pieces of information—date of birth, ZIP code, and gender—are enough to identify the overwhelming majority of Americans, according to a study by Latanya Sweeney, PhD, Harvard data scientist and former Consumer Reports board member who published the research when she was a researcher at Carnegie Mellon. 

Your data is especially likely to be for sale from sites that don’t collect fees from either patients or doctors, experts say. “If there is no business model and yet they’re in business, there’s a good chance that they’re selling data to somebody,” says NYU Langone’s Brotman. “And there are a lot of willing buyers.”

Which Sites to Trust? It's Hard to Know

This spring, a number of websites were promising to help people find elusive appointments for COVID-19 vaccinations. Rebecca Gluskin, PhD, a statistician who worked on a recent report on potential misuse of health data during the COVID-19 pandemic, says that some of these deserve scrutiny for how they use patient data. 

One site, Dr. B, didn’t actually book appointments, but it collected all the information appointment sites required to determine eligibility, such as the user’s birthdate, cell phone number, occupation, and a list of health problems. The site is still in operation, and still asking the same questions, even now that age and occupation requirements have largely been eliminated from the vaccine process and it’s easy for most people in the U.S. to get vaccinated. 

A recent MIT Technology Review investigation raised questions about how many people Dr. B actually helped find an appointment. “After weeks of looking, I was unable to identify a single individual who successfully got a shot through the service,” the article’s author said.

The company founder, Cyrus Massoumi, who was also a co-founder and CEO of Zocdoc until 2015, declined to answer detailed questions but provided a short statement: “Dr. B only asks for data directly needed for providing the service and protects that data up to HIPAA standards,” he said. “We don’t sell patient data.”

However, Dr. B’s privacy policy does allow the sale of anonymized patient data: “We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.” 

When asked about their data practices, several medical booking sites assured Consumer Reports that they behave responsibly, even if their privacy policies allow them to sell patient data. But there’s at least one cautionary tale from the recent history of the industry where a medical middleman crossed serious ethical and legal lines.

In 2013, a company called Practice Fusion unveiled what it called the largest U.S. doctor appointment booking site, Patient Fusion. But in 2016, the Federal Trade Commission alleged that the company had deceptively solicited reviews of doctors by emailing patients and asking for feedback on the quality of the care they had received, then publishing the responses on the website. Many patients thought the information was going to their healthcare providers, and therefore included very personal information about their medications or conditions that was then posted publicly by Fusion, according to the FTC. Patient Fusion settled with the agency without admitting or denying the allegations, and agreed to avoid such deceptive conduct in the future.

Even worse, in 2020, Practice Fusion agreed to pay a settlement of $145 million after U.S. officials alleged the company had sought out and took kickbacks from a drug company to promote opioid use through a health records system that it ran along with the medical appointments site. By then Practice Fusion had been bought by another health-tech company, Allscripts. The new company’s settlement to the U.S. government and states was much more than the $100 million the acquisition had cost.

I spoke to Ryan Howard, Practice Fusion’s co-founder and then-CEO, back in 2015 for a book I was writing on the business of patient data. But when I reached out to him recently for this article, he responded with a three-word email that contained my name and a two-word expletive. 

“That’s a good illustration of the potential peril,” Wynia of the University of Colorado says, referring to both the terse email and the company’s history. When online entrepreneurs see a way to turn big profits in healthcare, the results may often be good for consumers, he acknowledges, but you can also end up with a “toxic mixture” that puts patients at risk. 

Best Ways to Book a Doctor

If you’re using a doctor booking site, experts say, it’s important to understand the trade-offs.

First, it’s smart to share personal information with as few websites as possible. If you already have a healthcare provider, make an appointment with the office directly, either by telephone or through its own website, which will typically have stronger privacy protections. You can also find a new doctor and book an appointment with them on many hospitals’ websites.

And if you are thinking about using a doctor booking site, it can be worthwhile to take a look at its privacy policy. Yes, such documents are typically long and boring, but it can be illuminating to at least read the “How We Share Data” section. You can search for the word HIPAA in a privacy policy to learn whether and when those federal data rules apply.

The fact that doctors pay for their listings on many sites means that a lot of great practitioners in your area may not appear. If you’re looking for a new doctor, a straightforward Google search might yield the most complete results. You can also consult the American Medical Association’s DoctorFinder website.

In addition, Brotman, who is chief clinical officer at NYU Langone Health along with his other roles, advises skepticism when researching doctors through these sites, especially if you’re trying to see what kinds of services a practice provides. “I wouldn’t take seriously any issue about quality, or scope of practice that the [practitioners] have, because they all come from the doctor themselves, not from any third party,” he says. “They’re advertising.”

Jane Sarasohn-Kahn, a health economist who maintains a blog called HealthPopuli, advises consumers to try to research any doctor before making an appointment. “It’s good to know, for example, that a physician is Board certified in a particular specialty, attended a particular medical school, or even lawsuit/liability history,” she says.

Also, look up state doctor certification sites, says Duckworth, of the National Alliance on Mental Illness. “These things all have different names,” he says. “But it’s all state by state.” Names of such agencies include the Medical Board of California and the Texas Medical Board. Or you can start your research with these nationally focused websites: Certification Matters and DocInfo.

“Mostly, it’ll be pretty boring. Bob Smith has a license. But that’s the start. Because that’s better than Bob Smith is under probation. Bob Smith was, you know, his license terminated four years ago, and now reinstated.”

Headshot of CRO freelance writer Adam Tanner

Adam Tanner

Adam Tanner is a Consumer Reports contributing editor. He is the author of “Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records.” He is an associate at Harvard’s Institute for Quantitative Social Science.