AMA releases principles to guide its own Web sites

Visitors must volunteer to provide personal data

Health information management personnel who want to create principles governing the privacy of their Web sites and those used by hospital staff now have another reference source.

In March, the American Medical Association (AMA) in Chicago issued a set of guidelines governing the editorial content, advertising, sponsorship, privacy and confidentiality, and secure electronic commerce for its Web sites. While these guidelines were developed for the AMA Web sites and visitors to these sites, they may be useful to other providers and users of medical information on the Web, authors of the principles say.

The guidelines’ writers note that access to the Internet has the potential to speed the transformation of the patient-physician relationship from that of a physician authority ministering advice and treatment to that of shared decision making between patient and physician.

AMA developed the principles in response to the barriers that impede this transformation, such as "wide variations in quality of content on the Web, potential for commercial interests to influence on-line content, and uncertain preservation of personal privacy."

"[The AMA guidelines are not designed to be] global, in the sense of being international, and encompassing, [as are the] International e-Health Code of Ethics [offered by the Internet Healthcare Coalition in Washington, DC]," says John Mack, coalition president.

"For the most part, the AMA guidelines are very specific for AMA publications and Web sites, and while there are many common points, these guidelines could not be expected to be followed by all health Web sites.

"As I see it, other guidelines are more narrowly focused on a particular industry or for a more specific purpose," he adds. "I believe that additional guidelines may be developed by other ‘special interest’ groups, but that those guidelines will look to ours as the model and/or the overarching set." (For more information on the Internet Healthcare Coalition’s guidelines, see Hospital Payment & Information Management, May 2000, p. 68.)

Be aware of third parties

Like the Internet Healthcare Coalition, the AMA is concerned about Web site visitors’ rights to privacy. The association plans to protect their rights in these ways:

1. A link to the privacy policy of the Publications Web site should be provided on the home page or the site navigational bar and should be easily accessible to the user. The Publications Web site should adhere to the privacy principles posted.

2. Individuals responsible for Web sites that post advertising should be aware of current technology and access possessed by third parties that post or link to advertisements. Web sites should ensure that the technology and access used by third parties adhere to the Web site’s privacy policies.

3. The site should not collect name, e-mail address, or any other personal information unless voluntarily provided by the visitor after the visitor is informed about the potential use of such information.

4. The process of opting in to any functionality that includes collection of personal information should include an explicit notice that personal information will be saved, with an explanation of how the information will be used and by whom. The opt-in statement should not be embedded in a lengthy document and should be explicit and clear to the viewer.

5. Collection, retention, and use of nonmedical personal information about site visitors may be offered to viewers when the AMA believes that such information would be useful in providing site visitors with products, services, and other opportunities, provided such use adheres to these principles and is within bounds of current regulations and law. (For more information, go to http://www.ftc.gov/privacy/index.html.)

Opting out

Individuals may agree to have such nonmedical personal information collected or may choose not to, with the understanding that opting out of having such information collected prevents the site from being tailored to their particular needs and interests. Such information will not include personal health information, such as any information about medical conditions or medications purchased.

6. Names and e-mail addresses of site visitors should not be provided or released to a third party without the site visitor’s express permission.

7. E-mail information, personal information about specific visitors’ access and navigation, and information volunteered by site visitors (such as survey information and site registration information) may be used by the site owner to improve the site but should not be shared with or sold to other organizations for commercial purposes without express permission.

8. The AMA will use e-mail addresses voluntarily provided by site visitors to notify them about updates, products, services, activities, or upcoming events. Site visitors who do not wish to receive such notifications via e-mail should be able to opt out of receiving such information at any time.

9. The AMA has licensed its physician and medical student list to third parties for more than 50 years. This information is licensed to database licensees under strict guidelines. The names and addresses of physicians in the AMA Physician Masterfile are made available only for communications that are germane to the practice of medicine or of interest to physicians or medical students as consumers. E-mail addresses are excluded from such licensing agreements.

Nonidentifiable Publications Web site visitor data may be collected and used in aggregate to help shape and direct the creation and maintenance of content and to determine the type of advertisement to be seen by site visitors while on the AMA site.

What is a cookie?

10. The AMA will not collect and will not allow third parties to collect personal medical information (medical conditions, health-seeking behaviors, and questions, and use of or requests for information about drugs, therapies, or medical devices) without the express consent of the site visitor after explanation of the potential uses of such information.

11. A cookie is a small file stored on the site user’s computer or Web server and is used to aid Web page navigation. Two types of cookies are commonly used:

— A session cookie is a temporary file created whenever a Web site is accessed and is self-terminated based either on an expiration date (such as three hours from creation of the cookie) or by closing the Web browser.

— A persistent cookie is a permanent file and must be deleted manually.

Cookies referred to in the context of these guidelines are persistent cookies. A cookie function may be used on the site to track visitor practices to help determine which site features and services are most important and guide editorial direction.

The cookie makes it possible for the user to access the site without requiring entry of a user name or password, allows the user to view different restricted areas of the site without re-registering, allows the user to personalize the site for future use, and permits the user to make subsequent purchases without reentering credit card information.

Users who do not desire the functionality created by the cookie should have the option to disable the cookie function, either by indicating when asked that they do not wish to have a cookie created or by disabling the cookie function on their browser. Individuals should be able to opt out of cookie functions that permit tracking of personal information at any time.

12. At this time, the AMA Publications Web sites do not use persistent cookies. Users will be notified if and when AMA Publications Web sites begin using persistent cookies, as specified in these guidelines.

13. E-mail messages sent to a Web site might not be secure. Site visitors should be discouraged from sending confidential information by e-mail. Site visitors sending e-mail accept the risk that a third party may intercept e-mail messages.

14. Market research conducted by the site or its agent to enhance the site should be clearly identified as such.

15. E-mail alerts and newsletters should contain an "unsubscribe" option.

(To view the principles in their entirety, visit AMA’s Web site at pubs.ama-assn.org/ama_web.html.)