Volume 18, Number 6
September 2001


Drafting and Reviewing Privacy Policies of Health-Related Websites

By Sharon M. Erwin

Health-related websites are faced with a patchwork of federal and state legislation, an array of self-regulation options, and little or no enforcement of stated policies other than irregular and isolated legal action by government agencies or, more recently, state attorneys general.

Responses to the problems. Several organizations have been created to address interactive health care communications. The standards and guidelines promulgated by the Health on the Net Foundation (HON), the Internet Healthcare Coalition (IHC), Health Internet Ethics (Hi-Ethics), and the American Medical Association (AMA) provide useful guidance.

It is also important not to overlook the Safe Harbor Privacy Principles agreement between the United States and the European Union, which permits U.S. companies to receive the personal data of individuals in the European Union conditioned on compliance with privacy principles set forth in the agreement. Unlike the privacy initiatives of the AMA, IHC, HON, and Hi-Ethics, the Safe Harbor Privacy Principles provide for potential legal penalties and damage awards if organizations agreeing to comply fail to meet their own standards.

The HON Foundation is a Swiss nonprofit foundation whose mission is "to guide the growing community of health care consumers and providers on the World Wide Web to sound, reliable medical information and expertise." HON was among the first organizations to suggest an ethical code for health-related Web publishers, creating the HONCode privacy program.

Sponsors of IHC are primarily commercial entities but also include several nonprofit organizations. The IHC's mission is to promote quality health care resources on the Internet as it strives for "a self-regulated Internet in which voluntary guidelines provide effective means for the legitimate dissemination of accurate healthcare information." As part of the effort, IHC approved its e-Health Code of Ethics.

Hi-Ethics is a coalition of some of the most widely used U.S.-based consumer e-health sites and information providers, including IHC and HON. In May 2000, Hi-Ethics member companies released Hi-Ethics: Ethical Principles for Offering Internet Services to Consumers, consisting of a set of principles that member companies will follow.

The various codes and initiatives of these organizations use different vocabularies, address different needs, and vary considerably, leading to confusion for health care Internet sites. As a result, HON, IHC, and Hi-Ethics have formed a coordinating committee to establish a common glossary of terms and to coordinate compliance efforts.

In response to the European Commission's Directive on Data Privacy that went into effect in 1998, the U.S. Department of Commerce, in consultation with the European Commission, developed a "safe harbor" framework intended to provide a streamlined means for U.S. organizations to comply with the directive and bridge the gaps between the different privacy approaches of the European Union and the United States. The Safe Harbor Privacy Principles consist of seven privacy principles relating to notice, choice, security, enforcement, "sensitive information," data integrity, and onward transfer.

The different codes. The HON Code of Conduct (HONCode) is the most widely used certification program for e-health sites. It contains no privacy definitions or specific requirements, however, and merely holds to the principle that the confidentiality of data relating to individual patients and visitors to a website is respected by certified sites. The site owners also "undertake to honor or exceed the legal requirements of medical/health information privacy that apply in the country and state where the Web site and mirror sites are located." Like the IHC, Hi-Ethics, and AMA guidelines, HON relies on self-regulation for enforcement, but unlike them, it has a policing procedure with the ultimate sanction of losing the right to post the HONCode seal if a site fails to institute corrective action upon notice.

The IHC e-HealthCode of Ethics defines "health information" and respects users' rights to determine whether or how their personal data may be collected, used, or shared. The code specifies the need to obtain affirmative consent to collect, use, or share personal data in the ways described in the notice to users. It specifies that sites should "make it easy" for users to review personal data and correct or update it, and that reasonable efforts are to be made to ensure that sponsors, partners, and affiliates abide by applicable laws and uphold the same ethical standards. Reasonable steps to prevent unauthorized access or use of personal data are also part of the code. Enforcement is through self-regulation.

Under the Hi-Ethics principles, "appropriate procedures" for consumers to review and correct personal information are required, as are notice and choice for third-party access. Agreements between Hi-Ethics subscribers and third parties with access to health-related information must also follow the Hi-Ethics principles in giving consumers notice and choice with respect to the third party's access and use. Security procedures are not specified. The Hi-Ethics coalition is working toward a compliance component for the principles but notes that a failure to adhere to the principles after adopting them could lead to an enforcement action under deceptive trade practices laws.

The AMA specifies opt-out procedures for nonmedical personal information, provided the use of the information adheres to the AMA principles and is within the bounds of current regulations and law. Opt-in procedures are specified for personal medical information. Unlike Hi-Ethics and IHC, the AMA guidelines do not provide for consumer access to personal information once it is provided, although all e-mail alerts and newsletters should contain an unsubscribe function. Disclosure of personal medical information to third parties is permitted only with an individual's consent. The guidelines state that individuals responsible for websites that advertise "should be aware of current technology and access possessed by third-parties that post or link" to the site. Although the guidelines also state that "extensive measures" are taken to ensure the safety and security of the site, the measures are not described. Enforcement is through self-monitoring, and no dispute resolution procedures are mentioned.

The Safe Harbor Privacy Principles are more exacting than the codes and principles described above. To begin with, "sensitive information" is defined as "personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual." Notice for the collection and use of personal information must be given. Opt-out procedures may be used to determine whether non-sensitive personal information is to be disclosed to third parties or is to be used for a purpose incompatible with those originally stated or subsequently authorized. Opt-in procedures are required for sensitive information.

In May 2001, the Federal Trade Commission issued its report to Congress on Privacy Online: Fair Information Practices in the Electronic Marketplace. The commission recommended that Congress "enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy." The commission acknowledged that effective and widely used seal programs could be an important component of the overall framework. What is also apparent from the report is the extent to which the e-health community's most recent initiatives are responsibly setting standards that meet the FTC's vision and its view of online privacy best practices. One area of tension remains the FTC's concern over the prevalence of notices that privacy policies are subject to change and that users should periodically review the policy for changes. The other is the extent to which e-health sites are drafting and adopting policies that do not mirror the site's privacy practices.

The need to monitor and be consistent. Once a privacy policy is in place, a commitment to monitor compliance is critical. Privacy is an area in which some states are taking an aggressive stance, supplementing the FTC's enforcement actions. A good illustration is the lawsuit filed by the attorney general of Missouri against More.com, a health and nutrition retailer, alleging that More.com violated its stated privacy policy by purportedly sharing customer information with third parties in direct conflict with its privacy policy, as evidenced by customers' receiving solicitations for related merchandise from third parties.

General and health-related sites are increasingly sensitive to privacy concerns, developing and posting privacy policies on their sites. Many, however, may be unwittingly creating liability traps for themselves by failing to properly monitor the site's adherence to its own policy. In some instances, concerns over privacy policies and compliance have led to the appointment of corporate privacy officers, and an increasing number of companies are seeking privacy audits.

Sharon M. Erwin is the principal of the Law Offices of Sharon M. Erwin, LLC, with offices in Philadelphia and Ardmore, Pennsylvania.

This article is an abridged and edited version of one that originally appeared on page 10 of The Health Lawyer, December 2000 (13:2).