February 26, 1998-- Heartinfo.org, a Web site run by the Center for Cardiovascular Education, has overhauled their statement regarding the use of personal health information collected from visitors to the site. The Center for Democracy and Technology (CDT), which filed a complaint with the Federal Trade Commission in December about the use of personal information collected by this site and one other, applauds this action.
CDT's complaint to the Federal Trade Commission in December asked the commission to investigate the use of personal health information collected from visitors by both Heartinfo.org and Asthmacontrol.com, run by Glaxo Wellcome Inc., a subsidiary of the research-based pharmaceutical firm Glaxo Wellcome plc.
CDT was concerned that Heartinfo.org and Asthmacontrol.com were undertaking marketing, product development, list compilation and other research using personal information obtained from visitors to their sites -- without telling consumers about these activities and without gaining their affirmative consent. CDT believes this practice, if engaged in by the sites, is unfair and deceptive.
Today CDT staff counsel Deirdre Mulligan found that Heartinfo.org has overhauled their statement regarding the use of personal information. The new statement assures visitors that the detailed information they provide to the Web site including information about prescription medications, cholesterol, sex, age, name, email and postal address, and phone number, will not be disclosed to others including the sponsors of the site. However, the new policy reveals that visitor's personal health information maybe used to generate reports and maybe provided in aggregate form -- not linked to a specific person -- to Web site sponsors, which include pharmaceutical companies such as Bristol-Myers Squibb Company, Merck & Co., Inc., Sanofi Pharmaceuticals, Inc. KOS Pharmaceuticals, Inc. and others.
CDT is pleased that Heartinfo.org is providing more detailed information about its use of personal health information and its provision of information to its sponsors -- and urges other Web sites to follow suit. However, CDT believes that Heartinfo.org should be aware that individuals are not keen about the use of personal health information for research -- even if it is used in a form that does not reveal their identity. The 1993 Health Information Privacy Survey found that:
64% (of survey respondents) do not want medical researchers to use their records for studies, even if the individual is never identified personally in publications, unless researchers first get the individual's consent; and,
56% (of survey respondents) believe that researchers must get the individual's consent each time they wish to use a health record and that a general permission is not acceptable.
Consumers consider health and financial information to be their most sensitive personal information. A bevy of surveys over the past five years have documented a heightened concern with the privacy of medical information, and an even deeper concern with the automation of medical information.
CDT strongly believes that the collection, use and disclosure of personal health information should be regulated by a strong federal medical privacy law. We are pleased that Congress is resuming its effort to craft a federal privacy policy for medical records with today's hearing in the Senate Committee on Labor and Human Resources. With or without legislation, CDT believes that Web sites engaged in the collection of information about individual's health must provide consumers with full information about the use and disclosure of their personal health information. As our complaint stated:
The failure of the sites to clearly and conspicuously disclose the research and product development uses (and perhaps disclosures) of the personal health information collected from site visitors misleads consumers to their detriment. The sensitive nature of the personal information at issue, the well-documented consumer privacy concerns, and the serious consequences the individual may suffer if health information is misused require a full and comprehensive notice to consumers.
CDT believes that Web sites collecting personal health information should:
provide a full disclosure of their respective information practices, including the uses each site and parent company makes of information, the compilation of personal information into searchable databases, the release of data to sponsors or other parties, the technical, procedural and contractual safeguards in place to protect personal data in its care, and the ability of consumers to review, correct and delete such personal information; and,
gain affirmative and express informed consent from each consumer.
A growing number of pharmaceutical companies and others are using the World Wide Web to gather data from individuals. If the current practice of collecting personal health information without full disclosure and informed consent continues, individuals' privacy will be compromised and their sensitive health information will be subject to growing misuse and abuse.
While we press for passage of comprehensive privacy legislation for medical records and await a response to our complaint from the Federal Trade Commission, CDT urges entities operating on the World Wide Web to respect the privacy of Internet users.
Full text of complaint available here
# # # # # 