To people considering the use of an online health site, privacy and security are the
paramount issues. After all, personal medical data is far more sensitive than a credit
card number.
Consumers showed their concern in a survey conducted this winter by Cyber Dialogue for
the California Healthcare Foundation. Seventy-five percent said they are worried about the
transfer of personal information from health Web sites to third parties such as
advertisers. Another 60 percent expressed concerns that a hacker might access their
personal health data.
Yet the survey also found that if privacy is assured, consumers are willing to share
personal information in exchange for health services. But they are divided on who should
protect their private data. Twenty percent said industry associations should be play that
role, compared to 35 percent who chose government. This puts policymakers in a difficult
position when it comes to protecting consumer privacy while allowing health Web sites the
freedom they need to succeed.
The release of the survey this winter, in combination with a study conducted by
researchers from Georgetown University's Health Privacy Project, caused a firestorm in the
online health field. It illustrates how the industry is turning to self-regulation to
maintain consumer trust and avoid government regulation.
The Georgetown researchers traced the flow of information among consumers, advertising
companies, and health sites such as Drkoop.com and WebMD. The team then compared health
sites' privacy policies with their software code and uncovered significant
inconsistencies. It charged that several prominent sites were collecting personal
information about their users and sharing it with advertising companies without notifying
consumers in the privacy statement.
"The study authors didn't think we provided enough information in our privacy
policy statement," said Charles Saunders, MD, chief medical officer of
Healtheon/WebMD. "They implied that...personal information leaks out."
Saunders
said that the only information WebMD shares with advertisers is the number of people who
view an ad and the number of people who click on it.
Several of the sites targeted in the study have contracts with a privacy watchdog group
known as TRUSTe to monitor their privacy practices. To display the TRUSTe seal of
approval, Web sites must post a privacy policy that discloses when and how information is
collected. They must also allow consumers to choose whether or not that information will
be shared with third parties. TRUSTe audits sites every year before renewing their
contracts to ensure that privacy policies are consistent with business practices.
Consumers can also file complaints with TRUSTe.
Dave Steer, a spokesperson for TRUSTe, said nine of the health sites examined by the
study have contracted with TRUSTe. He said the study found that seven of those health
sites "are not compliant with their own privacy policy."
In February, TRUSTe said it planned to send an alert to more than a thousand of its
member sites, reminding them of the importance of disclosing data-sharing practices to
consumers. TRUSTe has also begun working with the health sites found to be violating their
privacy statements to ensure future compliance. "This study arms us with the
information we need. If Web sites don't comply, we can revoke their seal or we can take
them to court for breach of contract," Steer said.
In response to the study, WebMD plans to display its privacy policy more prominently on
its site, so that users do not have to click through multiple pages to reach it. "We
intend to beef up the amount of information and the directness with which we communicate
the details of our policy," Saunders said.
The road to an online health world has hit one of its bumps. How the industry responds
will determine how quickly consumers feel their privacy is guaranteed enough to put their
personal information in cyberspace.
� 
