Physiatry Practice Management Resources

Physicians face dual issues: How to safeguard your own personal data as well as that of your patients.

Do much Web surfing? Have any idea how much personal information you give away with each click of the mouse? Consider this: According to a recent report by Richard Smith, an Internet consultant based in Brookline, Mass., banner ads -- those advertisements at the top, bottom and sides of many Websites -- send information back to Internet marketing companies that can include e-mail addresses, as well as the user's full name, mailing address and telephone number even if you don't click on them.

In addition, other information that is often sent can include so-called "transactional" data such as names of products the user may have been looking at on-line, details of travel plans made on-line and phrases used at search engines.

"Most people who use the Internet probably do not realize that banner ads that they are seeing on Web pages are also sending information about them back to Internet marketing companies," Mr. Smith stated in the report.

Indeed, until last February, when DoubleClick Inc., the largest on-line advertising company, said it was under Federal investigation for the way it compiled data on consumers' Web surfing and shopping habits, the issue of personal information privacy over the Internet was mostly discussed among privacy advocates, industry players and government regulators.

But DoubleClick's plan to cross-reference anonymous information it obtained about Web users with consumer information from its marketing database -- a practice known as profiling -- caused a firestorm of controversy and put the issue of on-line privacy in the headlines.

How do Internet companies acquire such sensitive information? Most Websites use cookies -- digital tags or small text files stored on users' computers. The cookies, usually placed on the computers without the users' knowledge, assign unique numbers to individual users. Every time a user returns to a Website, the cookie is sent back to the site, allowing it to track the user. In addition, those banner ads on Websites send cookies to keep track of surfers -- even when they're on different sites.

Most companies, however, track users only as numbers without any personal information other than the Websites visited.

Even so, many Internet sites require users to register before allowing them to proceed to the information they are looking for. Some sites give surfers incentives to register -- the chance to see more detailed information, for instance. In addition, just about every on-line retailer requires shoppers to register before making a purchase. Some require registration even before providing pricing information.

"Every Website collects information to one degree or another," Mr. Smith says. He says the difference between companies like DoubleClick acquiring information and others is that most offer a choice -- people can "opt out" and refuse to provide the information a site is seeking.

Privacy advocates argue that a better system would be to have an "opt-in" program in which users must specifically request that they receive personalized ads before on-line profiling can begin.

For the healthcare industry, the on-line privacy issue is even thornier.

"The medical profession faces some of the greatest challenges on the Internet," says Mark Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), a privacy advocacy group based in Washington, D.C. "Medical information is considered among the most sensitive information there is."

He notes that one recent study found gaping holes in the privacy practices of healthcare companies. "The assumption is made that if they have a privacy policy in place, then that's all they need. But a privacy policy has to be translated into privacy practice," he says.

The report, conducted for the California Healthcare Foundation by the Health Privacy Project at Georgetown University and Internet consultant Mr. Smith, found inconsistencies between health Websites' privacy policies and the actual practices. In addition, the policies in place often fall short of actually safeguarding the information and many sites do not have adequate security measures in place to protect information from computer hackers. The study also found that even when a site has a privacy policy, the protections in place do not follow the information once it leaves the site. And like DoubleClick, many sites collect information about visitors, often without their knowledge or consent.

"The issue with health records is that the security infrastructure is not there yet," Mr. Smith says. "Another concern is whether people will use medical records for marketing. Those are the two biggest areas I'm worried about."

For individual physicians, on-line privacy should be an issue worked out well in advance if a Website is set up or goes live, privacy experts say.

"Doctors are generally pretty good at protecting patients' privacy, so they need to take that culture and the Hippocratic oath and then integrate that into Website design and structure," says Evan Hendricks, editor of Privacy Times (www.privacytimes.com), a biweekly newsletter about privacy and the freedom of information. "A doctor can easily get information out to patients or potential patients without collecting personal information."