Personal health info is up for grabs

Serious flaws with health care Web site privacy

Visitors to health Web sites are concerned about the privacy of on-line health information, and they have a right to be, according to a recent report released by the California HealthCare Foundation in Oakland. The report found discrepancies between what some health Web sites say they offer in terms of privacy and what they actually offer.

The information was collected for the foundation by Janlori Goldman and Zoe Hudson of the Health Privacy Project at Georgetown University in Washington, DC, and Richard Smith, an Internet security expert.

During their research, they reviewed the stated privacy policies of the Web sites and compared them to a set of "fair information practice principles" and behaved as typical consumers on each site so they could observe and capture what happened to the data that were submitted. The researchers studied privacy policies in place during January 2000. (For a list of the Web sites in the report, see p. 53.)

The report revealed these five key findings:

1. Visitors to health care Web sites aren’t anonymous, even if they think they are. The sites are collecting information about them through mechanisms such as cookies, profiling, and banner ads.

2. Most health care Web sites do not meet minimum fair information practices such as providing adequate notice, giving users some control over their information, and holding business partners to the same privacy standards.

3. On a number of sites, personally identified information is collected through the use of cookies and banner advertisements by third parties without the host sites disclosing this practice. There also are instances where personally identified data are transferred to third parties in direct violation of stated privacy policies.

4. Consumers are using health care Web sites to better manage their health, but their personal information may not be adequately protected.

5. Few health care Web sites with privacy policies maintain a "chain of trust" with third parties on their sites because they do not hold those parties to the same privacy standards they espouse.

The report found that the worst danger to health Web site visitors is not hackers, says Charles Stewart, communications officer for the foundation. "The greatest danger or greatest likelihood that an individual’s health information will be captured and deployed for some other use than he or she intended is the presence of third parties on a Web site or access to a Web site by third parties."

The third-party companies can own the entity that owns the Web site or can make a deal with the owner of the site to place ads on it. "Once they place ads on that Web site, they can then gather information when someone visits the Web site, even if [the user] doesn’t click on the ad," he explains.

The investigators found that third-party networks are receiving access to information through some of these sites that would allow them to build detailed, personally identified profiles of individual’s health conditions and patterns of Internet use.

One patients’ rights group says it is concerned about the lack of informed consent on these Web sites. "Consumers are being told, Don’t worry. Your privacy will be guaranteed. You’re not in any real danger.’ They need to be informed much more than they are now," says Peter Kane, MSW, LCSW, BCD, executive director of the National Coalition for Patient Rights in Lexington, MA. "They should understand the risks. [Placing medical information on the Internet] shouldn’t be painted as such a positive thing with no downsides."

Stewart says the foundation sent the Web sites advanced notification that they had been analyzed in the report. "Some have denied that there are any discrepancies between their stated privacy policy and the practices on the Web site," he says.

One of those companies was HealthCentral. com, based in Emeryville, CA. After the report was published, released a statement saying its site does not share personal or health information collected from visitors. "The manner in which operates its business was misinterpreted in the survey," says Albert L. Greene, president and chief executive officer. The company is active in organizations that establish codes of ethics, quality, and privacy on the Web, he adds.

Other sites said they didn’t know about the discrepancies between the privacy policies and practices, and said they would correct them. "We were hoping for the latter response," Stewart says.

The foundation plans to update the survey at a later time. "We want to give full credit to Web sites that reduce or eliminate the discrepancy between their stated policies and their actual practices in terms of protecting privacy," Stewart says. "We also want to find out what the next trends are."