BOSTON (03/31/2000) - The authors of a report on privacy policies and practices of health Internet sites weren't necessarily hoping to spark a U.S. government investigation with their damning findings, but that appears to be what has happened.
Yahoo Inc. confirmed yesterday that it is being investigated by the U.S. Federal Trade Commission (FTC) as a consequence of the report's study of 21 health-related Web sites, including Yahoo's. The "Report on the Privacy Policies and Practices of Health Web Sites" was written by researchers at Georgetown University's Health Privacy Project, which is part of the university's Institute for Health Care Research and Policy. The report, published in January, was sponsored by the California HealthCare Foundation, a health advocacy group based in Oakland, California.
"I don't think we were looking for a government investigation necessarily," said Zoe Hudson, a senior policy analyst for the Health Privacy Project. "I think we were hoping, first and foremost, that the sites themselves would revise their privacy policies."
Yahoo actually took steps to do just that, adding additional information regarding its privacy practices specifically at its health site. The company has posted that information at http://health.yahoo.com/health/dataprivacy.html/.
However, users of health sites need to be cautious about what information they provide and which sites they use, Hudson and Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), both said today.
"We're not big fans for the posting of privacy policies because what is much more important is privacy practice," Rotenberg said. EPIC is a Washington, D.C.-based nonprofit research center focused on privacy issues particularly related to technology.
Web health sites can be helpful, and Rotenberg said that it would be a mistake for users to avoid them, but he also issued a cautionary note: "We think it's very useful that people can go to the Internet and get a lot of information, but we think it's appropriate to draw the line where personal information is given at a Web site."
Security issues also are a factor, he said, because "leaky browser software" might inadvertently allow personal information to be captured, and banner advertising often also gathers personal information without Internet surfers being aware that is happening.
Some Web health sites, including Yahoo's, ask users to register. But even when that isn't a Web site's custom, companies that serve up the ads, notably DoubleClick Inc., do collect personal information about Internet users.
DoubleClick has recently come under fire for some plans it had previously announced to use private information it had collected, and contends it has done nothing wrong. It said earlier this month that it won't match names with anonymous Internet users' activity for the time being. EPIC last month filed a complaint with the FTC asking for an investigation into DoubleClick's practices.
The recent focus on data collection practices serves to underscore Hudson's point that "you might not have to register with a particular site for them to know who you are."
Consumer health information services are flourishing on the Internet, but are "not mature enough to be predictable and reliable," the report says. Such sites offer a range of clinical and diagnostic information, sell products and services, and provide interactive features, but "they have not matured enough to guarantee the quality of the information, protect consumers from product fraud or inappropriate prescribing, or guarantee the privacy of individuals' information."
The researchers reviewed privacy policies for each site and investigated whether actual practices follow stated policies. Yahoo largely passed muster, though the report found a couple of questionable areas related to limits on disclosures of information. Other sites surveyed had many more areas of concern or were found to not provide specific privacy policies or explanations of how data is collected and used.
In the case of HealthCentral.com, the researchers found that one health survey offered there asks users questions about heroin and barbiturate use -- "not just sensitive questions, but questions that would indicate criminal behavior," Hudson said.
Not surprisingly, a companion poll to the study found that 75 percent of users seeking health information via the Internet are concerned or very concerned that sites on which they have registered will share personal information without obtaining users' permission. The poll was conducted by the California HealthCare Foundation, which advocates industry-wide privacy standards for personal health information.
That last point is important, Hudson said, because there is no federal law regarding the use of private health information. Medical doctors are bound by ethics to keep patient information confidential, but Web sites unaffiliated with physicians or medical practices and third parties such as insurance companies do not have to follow such ethical guidelines.
"Many of the ethical regulations that govern medical care have been eroded," by technology and third-party involvement, Hudson said.
Technology and the rise in popularity of health-care Web sites have "created a whole new stress on the system," she said.
"For consumers, one of the first things to be aware of at these health sites is that they're not necessarily medical professionals with an ethical duty," Hudson said. Web sites such as http://www.mayohealth.org/, affiliated with the Mayo Clinic, do have relationships with established medical practices and so therefore are governed by ethics, she noted.
Although it might seem that the FTC investigation into health Web sites will cast them in a new light and possibly lead to reforms, Rotenberg isn't so certain, despite the fact that EPIC calls for such probes for a variety of privacy-related issues.
"I have mixed feelings about investigating sites," he said. "I think that the FTC is making a lot of noise, but it's not clear that they're getting anything done."
A box in his office contains 1,000 complaints filed last year with the FTC, he added.
What's needed, in Rotenberg's view, are federal laws that protect the privacy of Internet users. Until then, he offers the advice that, when it comes to personal information, "think twice before you put that on a Web site."
The Center for Technology and Democracy (CDT), another nonprofit policy advisory group, also recommends that consumers read privacy policies of Web sites, because if the user then feels that the site does not follow its policy, a complaint can be filed with the FTC or with advocacy groups, said Ari Schwartz, a policy analyst for CDT.
Otherwise, CDT wants a three-fold approach to online privacy protection: legislation, industry self-regulation and building privacy controls into technology.
"It's really got to be in all three of those areas," Schwartz said of privacy protection. "It can't be just legislation or just self regulation. That's really simplifying the debate."
U.S. legislation affects only companies doing business within U.S. borders, and laws seen as too restrictive would simply push companies to move elsewhere, he noted.
While the CDT's stance is that the FTC needs to broaden its investigative scope (but the FTC contends it needs a mandate from the U.S. Congress to do that), Schwartz said that the investigations into health Web sites can have a positive effect by raising awareness.
"That kind of education is good because we do need to get the word out there that even on some of the larger sites, the rules of the road haven't been set in stone yet," he said. "Companies need to be extremely responsible and look at ways to build privacy into the technology."
The full text of the health Web site report by Hudson, Janlori Goldman and Richard Smith can be found at http://ehealth.chcf.org/.