
How's Your Health Site's Privacy? A Must-Know Primer on Privacy Policies
by Kevin P. Richardson, President, MedRocket, Inc.


About the Author - Kevin Richardson is a healthcare marketing consultant, executive coach, and writer who provides fresh perspectives and expertise about online healthcare marketing. Sign up for his FREE "MedRocket Ezine" newsletter and discover how to profitably attract and serve healthcare consumers online. Subscribe at http://www.medrocket.com.

Billions of bits of personal and health information zip around the Internet universe as you read this. Our hospitals, health plans, and other healthcare organizations are keen on using the Internet to inform, educate, deliver care, and market services.

"When all is said and done, will our health care records be used to heal us or reveal us?"
Donna Shalala,
former U.S. Secretary of Health and Human Services

We've encouraged health consumers to use the Web to pre-register for surgical procedures, get advice from physicians and nurses, and schedule appointments. They submit their daily blood glucose levels, check on the results of their lab tests, and search for detailed health information on every medical ailment and disease from A to Z.

Consumers provide an unprecedented amount of closely guarded information to hospitals and health organizations. We expect them to trust that their privacy will be maintained. But will it?


The fear factor

The Pew Internet & American Life Project found in its August 2000 survey on Trust and Privacy Online that 89% of those who seek health information online are concerned that a health-related Web site might sell or give away information about what they did online.

Since the information people share with their health providers is among the most sensitive and personal, they may naturally be reluctant to be completely forthcoming. It's not that they have something to hide; it's that they fear the information may be used against them to deny insurance, determine employment, and more.

If folks have trouble sharing information with their own physician, it's no wonder that 89% of online health information seekers are wary of divulging such information on the "faceless" Internet.


Take a walk on the wild side

The real question to ask yourself is this: Is the privacy threat real, or imagined? If you're leaning toward the latter, then here's a simple exercise that just might change your opinion.

You probably think you know all about cookies -- I thought I did before I discovered this nasty little secret that I'm going to share with you now. You see, even the most basic information gathered from "cookies" can be pooled and used to create a profile of your activity across various Web sites.

The secret here is that it's possible for a third party to follow your activities on different Web sites. They can gather, store, and record your personal data, and possibly even distribute it to other companies! Just think of the ramifications of this threat to health information privacy.

For an eye-opening demonstration of how a mythical banner advertising company can use cookies to invade your privacy, check out the cookie demo at http://www.privacy.net/track.

Sure, it's just a simple example of consumer profiling. But it illustrates the need to be completely aware of the information gathering and use practices of any third parties, such as banner ad companies, that operate on your Web site.


Increasing consumers' comfort level

Healthcare organizations can increase the comfort level of consumers by creating, posting, and promoting a comprehensive Privacy Statement for their Web sites.

A Privacy Policy page is an excellent way to demonstrate that your organization is committed to respecting and protecting the privacy of Web site visitors. It should specifically describe how personal and identifiable health information might be gathered and used during and after a visit to the Web site.

It's good practice to prominently feature a link to your privacy statement on your main page and on any page where you collect user data. Simpler still, include the link on every page of the site.


One in four health sites has a privacy policy

Almost a year ago, MedRocket conducted its first survey of hospital Web sites to determine who had posted privacy policies and the caliber of those privacy statements.

At that time (March 2001), the results were disappointing. Out of 895 randomly selected hospital sites, only about 11 percent (102) had posted a privacy statement. If you are interested, you can peruse the previous report, which includes all of the charts and graphs, at http://www.medrocket.com/news/news-040201.html

Only 26.8 percent of Hospital Web sites had prominently posted a Privacy Policy.

Eight months later, in November 2001, MedRocket conducted another survey. This time we surveyed 1285 hospital sites listed in the HospitalWeb Directory. There were about 1400 listed in the directory; 215 were unreachable. HospitalWeb is located at http://neuro-www.mgh.harvard.edu/hospitalweb.shtml.

The results of the follow-up survey were better. A total of 344 hospital Web sites out of the 1285 (26.8 percent) had prominently posted privacy statements on their Web sites.

Sure, that's a 244 percent increase. Still, only a quarter of hospital sites seem to take consumer privacy seriously. Why is this?


A little help from Uncle Sam

You still haven't posted a privacy policy for your Web site? Well Uncle Sam is ready to give you a little help in moving it to the top of your to-do list.

No doubt you've heard of a little law affectionately known as HIPAA?

The Health Insurance Portability & Accountability Act calls for security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future. If your Web site collects this type of information, you definitely need to post a privacy policy.

HIPAA's Privacy Rule covers all individually identifiable health information in the hands of healthcare organizations. To read about it, just whip out your personal copy of the 1500-page tome and check out Section §164.520 -- Notice of privacy practices for protected health information.

The "covered entities" that HIPAA potentially affects include all healthcare organizations and health care providers, single-physician offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.


But just who is covered under HIPAA?

To determine, for example, whether a physician is a "covered entity" under the scope of HIPAA's Privacy Rule -- and therefore must adhere to the rule's guidelines -- the answer to all three of the following questions must be "yes".

Does the provider accept health insurance (including Medicaid) or participate in an HMO?

Does the provider engage in the type of standard transactions necessary to bring him or her within the scope of the privacy rule? (e.g. submitting health claims or equivalent information related to physician-patient interactions; determining eligibility for a health plan; receiving health care payment and remittance advice; and receiving referral certification and authorization.)

Does the health care provider transmit information in relation to these standard transactions electronically in the required standard format?

Proposed changes to the Privacy Rule for "covered entities" would explicitly require them to first obtain the individual's specific authorization before sending them any marketing materials -- presumably both offline and online.

The good news: There's still time to comply. The Privacy Rule was published on December 28, 2000, but due to a minor glitch didn't become effective until April 14, 2001. Compliance with the Privacy Rule by April 14, 2003 is required of health care providers and most health plans. Small health plans have until April 14, 2004. There's no reason to wait.


Why HIPAA privacy protection isn't 100% effective

The bad news is that HIPAA doesn't offer consumers the level of online protection that we all really need. While it covers the usual healthcare organizations mentioned above, it doesn't cover the majority of health sites on the Internet.

For example, there is no Federal privacy protection for consumers when they are visiting pharmaceutical company Web sites, or any of the multitude of Web sites selling drugs without requiring a prescription.

Similarly, consumers are on their own at general fitness and nutrition sites, medical information Web sites, and treatment option sites. In these cases, it's up to the Web site to comply and then foster a level of trust with health consumers.


Want some help creating your privacy policy?


If you've at least posted some sort of privacy policy on your site you're still ahead of 75 percent of your colleagues. However, even among the sites with policies, the quality continues to vary considerably.

After carefully deconstructing the privacy statements of more than 100 health sites, MedRocket created an online privacy statement generator as a free resource for all healthcare and health-related Web sites. You'll find it at http://www.medrocket.com/tools/privacy_gen.html.

The generator does most of the heavy lifting for you. It even includes the required HIPAA language for the opening paragraph. To create your own privacy statement, all you have to do is fill in the blanks based on your current information policies.

When you're finished you can view the policy online, or enter your email address and the completed statement will be e-mailed to you for further editing, refinement, and posting to your Web site.


A few lessons from other health sites

I've examined and evaluated hundreds of health site privacy policies in the past year. A few dozen hospital Web sites had exemplary privacy policies in place. It was obvious that they had invested considerable time and effort in creating them.

However, among the remainder of hospital sites with privacy statements the content and quality varied considerably. There are a handful of "mistakes" that came up again and again.

Here's a review of a few of the major issues:

1. Disclosure versus disclaimer
A privacy policy should be a disclosure of how you treat user information at your Web site. A very common mistake is combining a site's "terms of use" page (generally a disclaimer) with the privacy policy language (accountability and disclosure). Don't mix disclosure with disclaimer. They should be treated separately.

2. Hold third parties accountable
Remember that you can't honestly disclaim all liability for the actions of your business partners if your privacy policy states that third parties are involved in processing information in any way. You need to hold your business partners to the same privacy standards that you espouse, and have a system of checks and balances in place to verify this.

3. Practice what you preach
If your privacy policy says you do such and such to protect personal data, make sure you are actually doing it. Good intentions don't protect consumer data from hackers. If you claim that your site uses a secure server protocol (https: rather than http:) to safeguard the transmission of personal data, make sure you really do.

4. Keep it simple
Your privacy policy can and probably should be reviewed by legal counsel, but resist creating a document full of legalese. In fact, HIPAA is very clear about the need for easily understood policies. Keep the language simple and unambiguous.

5. Provide access for all
Some Web sites embed the link leading to the privacy statement in a graphic rather than using a simple text link. This means that vision-impaired visitors who use a text-based browser or screen reader can't see the link in most cases. The fix is to give the image an "ALT" attribute containing the same text as the graphical link.

6. Audit your policy and practices
Check your privacy policy regularly. Make sure your information gathering and exchange activities are accurately reflected in the statement. Post the date of the latest revision as part of your privacy policy. It's also good practice to list the name and contact information of the person responsible for maintaining the policy, in case Web visitors have any questions or concerns.
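The third-party cookie warning earlier and lessons 3, 5 and 6 above can be turned into a repeatable page check. The following is an added example, not MedRocket's tool or any code from the original article: a static audit of one page's HTML that flags a privacy link a screen reader can't read, a form posting over plain http:, and content loaded from other hosts (the banner-ad companies that can set their own cookies). The hospital's own host name is the only input assumed; the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _PageScan(HTMLParser):
    """Collects, from one page's HTML, the facts the audit below checks."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.accessible_privacy_link = False  # text link, or image link with ALT
        self.insecure_forms = []              # form actions posted over plain http
        self.third_party_hosts = set()        # other hosts whose content loads here
        self._in_privacy_anchor = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "a":
            self._in_privacy_anchor = "privacy" in a.get("href", "")
        elif tag == "img" and self._in_privacy_anchor and "privacy" in a.get("alt", ""):
            self.accessible_privacy_link = True  # ALT text names the policy (lesson 5)
        elif tag == "form" and a.get("action", "").startswith("http://"):
            self.insecure_forms.append(a["action"])  # lesson 3: https, not http
        host = urlparse(a.get("src", "")).hostname if tag in ("img", "script", "iframe") else None
        if host and host != self.own_host:  # a third party that can set its own cookie
            self.third_party_hosts.add(host)

    def handle_data(self, data):
        if self._in_privacy_anchor and "privacy" in data.lower():
            self.accessible_privacy_link = True  # plain text link

    def handle_endtag(self, tag):
        self._in_privacy_anchor = self._in_privacy_anchor and tag != "a"

def audit_page(html, own_host):
    """Return audit findings for one page; an empty list means it passes."""
    scan = _PageScan(own_host)
    scan.feed(html)
    findings = []
    if not scan.accessible_privacy_link:
        findings.append("no privacy-policy link readable by screen readers")
    findings += [f"form posts over plain http: {u}" for u in scan.insecure_forms]
    findings += [f"third-party content from {h}" for h in sorted(scan.third_party_hosts)]
    return findings

# Constructed sample: image-only privacy link without ALT, an http form, a banner-ad host.
SAMPLE_HTML = """<html><body>
<form action="http://www.example-hospital.org/preregister">Pre-register</form>
<img src="http://ads.example-adnet.net/banner.gif">
<a href="/privacy.html"><img src="/images/privacy.gif"></a>
</body></html>"""
```

Run `audit_page` over every page of the site as part of the regular audit in lesson 6; each finding should either be fixed or be reflected honestly in the policy text.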



All Rights Reserved. Copyright © 2004 G&G Advanced Medical Consulting, Inc.