[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

Subcommittee on Privacy and Confidentiality

Hearing on:
Internet Use for Health Information and Privacy Implications

Friday, February 25, 2000

Hubert H. Humphrey Building
Room 705A
200 Independence Avenue, SW
Washington, DC 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, VA 22030
(703) 352-0091


TABLE OF CONTENTS

Call to Order and Introduction - Ms. Frawley

Panel 1:

Discussion

Panel 2:

Discussion


P R O C E E D I N G S (9:00 a.m.)

Agenda Item: Call to Order and Introductions - Ms. Frawley, Chair

MS. FRAWLEY: Good morning, everyone. I'm Kathleen Frawley, and I'm chair of the Subcommittee on Privacy and Confidentiality for the National Committee on Vital and Health Statistics. I welcome you all this morning on this hearing, which I think should be very interesting for all of us.

As you know, the use of the Internet for health care information and privacy implications, we have certainly seen a lot in the media recently about concerns about the use of the Net to collect information. Some of you may today have seen USA Today, which had an article called, "Targeted Ads, Consumer Trap or Necessity. Privacy Battle could threaten free Internet sites and services."

Recently in Newsweek there was an article, "Fighting the Cookie Monster. It's risky to view or say anything on the Web that you are not willing to announce on live TV." So certainly we've been seeing a lot of information out there, and we look forward to today's panels to help the subcommittee in its concerns on privacy and confidentiality. And hopefully, we can make recommendations to our full committee in this arena.

What I would like to do is start with the members of the subcommittee introducing themselves, and then we'll ask the panel to introduce themselves, and then the members of the audience. So if you would start, Gail.

MS. HORLICK: I'm Gail Horlick from the Centers for Disease Control and Prevention, and I'm staff to the subcommittee.

MR. FANNING: I'm John Fanning from the Office of the Assistant Secretary for Planning and Evaluation with HHS, and I serve as the privacy advocate of the department, and I'm staff to the committee.

DR. ZUBELDIA: Kepa Zubeldia with Envoy Corporation and a member of the committee.

MS. GREENBERG: Marjorie Greenberg from the National Center for Health Statistics, CDC, and executive secretary to the committee.

DR. COHN: I'm Simon Cohn. I'm a practicing physician and the national director for health information policy for Kaiser Permanente and a member of the committee and subcommittee.

MR. BLAIR: I'm Jeff Blair with the Medical Records Institute, and I am a member of the committee.

MS. FYFFE: Kathleen Fyffe, a member of the committee, and I work for the Health Insurance Association of America.

MR. GELLMAN: I'm Bob Gellman. I'm a privacy and information policy consultant here in Washington, and a member of the committee.

MS. GLAZEBROOK: Tanya Glazebrook, president and CEO of MedicAlert Foundation International.

DR. BOOTH: I'm Dr. Thomas Booth. I'm the vice president, medical affairs, and editor-in-chief for PersonalMD.com.

MS. GOLDMAN: Janlori Goldman. I'm the director of the Health Privacy Project at Georgetown University.

MR. WIESE: I'm Calvin Wiese. I'm chief executive officer of HealthMagic.

DR. SUGAR: I'm Dr. Sam Sugar, the CEO and president of 4Healthylife.com.

MS. FRAWLEY: Okay, the audience, if you want to start in the back.

[Introductions were made.]

MS. FRAWLEY: Thank you very much. I'd like to turn the proceedings over to Bob Gellman, who has an opening statement.

MR. GELLMAN: Thank you, Kathleen.

Many types of health information services are available on the Internet. The focus of my comments this morning is on Websites collecting identifiable health information from consumers for non-treatment uses. Sites that attract visitors on an individual basis whether or not the visitors are overtly identified are also included. Some of the sites that I have excluded here also raise privacy concerns, but those are concerns for another day.

Not every player in this industry is a bad actor, but there are enough of them to go around, and industries are often judged by their worst players. You only have to look at public perceptions of used car salesmen, lawyers, and politicians to understand the point.

What I see here is an industry that is trying to make megabucks by trafficking in identifiable health information. I see an industry that acts through ignorance, indifference, or deception to wheedle health information from consumers to sell for the benefit of shareholders. I see an industry where the company with the worst privacy policy may have the highest stock valuation, because it has the most data to sell.

However, if anyone has watched the recent fall of Doubleclick stock over its privacy problems, Wall Street may turn out to be an ally of privacy in the end. That remains to be seen.

HHS is currently preparing privacy regulations under HIPAA. Unless a Website is engaged in the treatment of patients, it will not be covered by those regulations. The industry, therefore, is and will be unregulated. Consumers have no statutory protection in this area for the most part. They must rely instead on the honesty and integrity of an industry that finances itself by selling consumer data.

A California HealthCare Foundation report shows that honesty and integrity are hard to find in Websites. The combination of a lack of any restraints, together with an apparent financial incentive to exploit data paints a disturbing picture. Some health Websites have signed onto codes of conduct. I'm not sure that self-regulation will actually be adequate here. I see this as an open question.

But some of what I have seen so far is just awful. The Health on the Net Foundation code for example says little about privacy, and offers data subjects no protections whatsoever. It's a privacy travesty. Too often industry privacy codes display a race to the bottom mentality. Industry insiders write codes that do not inhibit the buying and selling of personal information, and that do not offer fair information practices to data subjects. These codes are often cynical devices intended to fool the public into thinking that privacy is protected.

Let me give you an example of a major omission. Health information is privileged in some contexts. The privilege typically applies to confidential communications between doctor and patient. If the patient discloses that information to a Website for storage or use, then the privilege may be lost.

I have not seen any Website or code that warns patients about the loss of privilege, and the lesson for consumers is that giving information to health Websites may be fatal to your physician-patient privilege. Not only do these Websites offer little or no privacy protection, they may actually strip consumers of privacy protections available elsewhere.

I want to offer a couple of comments on Doubleclick, which is a company that serves ads on Websites, and collects detailed personal profiles on consumer activities on and off the Internet. Doubleclick is the company that The Washington Post recently described as "one of the most vilified companies in the online world."

In my view, any health Website that does business with Doubleclick is engaged in a prima facie unwarranted invasion of personal privacy. There is no excuse for allowing Doubleclick to monitor visitors to health Websites. It doesn't matter whether the visitors are overtly identified by the site, or covertly identified through Doubleclick cookies.

Doubleclick can identify users, even if a Website does not know who those users are. Doubleclick, and some of its Website partners secretly share identifiable personal information. Doubleclick will not identify those partners who are engaged in covert data activities, and until we have a list of those Websites, every Website using Doubleclick is suspect.

Now I know that some Websites have announced plans or engaged in activities that are trying to restrict the ability of advertisers to track users. However, until there is a fully independent audit of everyone involved, with the audit plans and results made completely public, I'm not prepared to believe that any restrictions are meaningful or even in place.

Why am I so skeptical? We have seen a series of instances in which Internet companies said one thing about their privacy practices and did another. Lawsuits over privacy violations have been brought against Doubleclick, Amazon, RealNetworks and others. As a class, Internet companies trafficking in personal data have little credibility.

The California HealthCare Foundation report demonstrates that health Websites are as bad or worse than other sites. And just to make matters worse for consumers, Websites typically reserve the right to change their privacy policies at any time. They also tend to place the burden of monitoring the changes on their customers. This means that a Website with a strong privacy policy at midnight could make a change and start selling customer data at 12:01 a.m. Even a good policy with an unlimited change provision may be worthless.

In my view, health information Websites should operate under the strictest privacy standards. They should adopt a fair range of fair information practices. Notices to consumers should identify all data sources, all uses, all disclosures, all business partners, and all third parties. Notices should identify all risks to consumers that may result from storing health information at, or visiting a Website.

Health Websites should make greater use of anonymity, and I think that complete anonymity should be the standard, with any deviations fully explained and justified. And when identifiable information is collected, there should be complete audit trails for all uses and disclosures, and the audit trail should be available for review by the data subject.

There should also be routine and independent verification that privacy standards are being implemented as promised. There should be an independent policy review of all uses and disclosures by the equivalent of an institutional review board consisting of reputable people, with no stake in the company.

Health Websites should not reserve the blanket right to change policies at any time. And further, there should be bridge pages that clearly inform users when they leave the health Website and link to another site with different rules.

For the moment I offer three simple rules for consumers using health Websites. First, if you find an ad from Doubleclick on the site, leave immediately. Second, if the site asks for your name or other identifying information, leave immediately. Third, if a site's privacy policy says that it is subject to change without notice, leave immediately. A good health Website will do more than just meet those three rules, but those rules are a good start for consumers.

I have no doubt that a viable health Website can serve consumers fairly, honestly, and ethically, and still make a profit. The problem is that too many of the players in the industry don't feel the same way. The California HealthCare Foundation report documents a pattern of lies, misrepresentations, inconsistencies, and privacy invasions. This industry may be able to clean up its act, but it's got a long way to go. It's starting out below sea level.

Finally, I want to say a word about the pharmaceutical manufacturers. We wanted representatives of the manufacturers to testify at this hearing. Drug manufacturers gather a wealth of identifiable consumer data through their own Websites and calls to 800 numbers, and a variety of other ways that may not be so visible. How this information is collected, maintained, used, and disclosed is not clear.

That's why we invited PHMRA, the Pharmaceutical Manufacturers and Research Association to testify. The association refused to come. I'm issuing a public challenge to the industry to come forward and discuss its privacy practices and policies. If the association is unwilling, then we should hear from the companies themselves. I don't think they should be able to hide their policies behind an unwillingness to be held accountable in public.

Thank you.

MS. FRAWLEY: Thank you, Bob.

I'm going to start now with our panel, and we're going to start first with Janlori Goldman.

Janlori.

Agenda Item: Panel 1 - Janlori Goldman, J.D., Health Privacy Policy Project, Institute for Health Care Research and Policy, Georgetown University

MS. GOLDMAN: Thank you, Kathleen.

Well, Bob, that was a very strong opening statement, and I'm looking at my statement and thinking it sounds a little on the mild side, but I'll do my best.

I very much appreciate the chance to be here before you, and to talk both about the report that we co-authored with the California HealthCare Foundation, and with Richard Smith, who will be here this afternoon, and to talk generally about health privacy.

You made a statement, Kathleen, at the opening about if you are not prepared to say something on national TV, be careful what you do. I was watching the evening news last night, and there was a story about doing exercise in front of your computer. That for people who are stuck in front of their computer all day, there are a series of exercises you can do to kind of relieve stress.

And this woman was doing this exercise, and it made her look completely ridiculous. And she was lifting her arms, and doing this and doing that, and looked a bit like a chicken. I thought it was kind of funny and bold of her that she did. At the end of the interview she said, I just hope my co-workers never see me doing this.

It's just a little bizarre, and I think sometimes with the Web there is again this illusion of anonymity, just as this woman being interviewed last night clearly had some disconnect between the reality that she was going to be on national TV, and the fact that she was embarrassed with the idea that her co-workers might see her doing these exercises.

One of the things that we have known and I have testified about this before here is that the lack of privacy in the health care setting acts as a barrier to people seeking care, and to the quality of care that people get. We have now been involved in a number of surveys and a number of polls that have come out that document empirically that a significant percentage of people are either reluctant to seek care because of the lack of privacy, or they seek care in ways that undermine the kind of care that they get, their diagnosis and treatment.

And in some of the cases that I would call kind of the worst case scenarios, people shy away from care altogether, because they don't trust how the information will be used. You'll hear this afternoon from Sam Karp from the California HealthCare Foundation about some recent survey data focused specifically on how people use Internet health sites, and some of the concerns that they have.

As we are seeing that health care is moving to the online world, both with the expansion of what some are calling clicks and mortar operations, and sites that only have a Web presence, we decided to ask the question, is the privacy of people's medical information being protected by these health Websites? And the FTC has done a series of investigations into this. We wanted to be very focused on privacy policies and privacy practices. And this was very important, because you can look at the privacy policies of a number of sites, but not actually know what the practices are, because it's not visible. It's not transparent.

So we got together, with the support of the California HealthCare Foundation, the Health Privacy Project, working with Richard Smith, a security consultant. And we decided to look at the match up, and whether there was a match up between policy and practice. We picked on -- and I'm sure some of them feel that we picked on -- 21 Websites that were either specifically focused on health, or allowed for links that provided information on health at their sites.

We measured the sites' policies against a set of widely accepted fair information practice principles, some of which Bob Gellman referred to, that were developed almost 30 years ago, and have been used to develop federal legislation, that have been used by the FTC in measuring privacy policies. So we picked essentially a set of accepted principles and measured the policies against that.

Essentially, what we discovered, and we discovered this across the board is that the privacy policies of these health Websites do not match up with their practices. More specifically, here is what we found. Health Websites did appear to be more aware that privacy needs to be addressed, and I mean more aware than Websites generally, because 19 of the 21 that we looked at did actually have some written policy.

However, in nearly all of the cases, the policies fell short in two major ways. The policies failed to comprehensively address fair information practice principles, and second, as I said, the stated policies didn't match the sites' actual practices.

So let's look at the policies themselves, except of course for the two sites that didn't have policies. Those policies provided inadequate notice as to what was being done with users' information. Most sites did not give users the right to access their own information at the sites, collected either voluntarily or involuntarily, what is sometimes called passive information collection.

The most critical privacy principle I think in this context that we examined was the users' ability to have a say over how and whether their information is disclosed. Health Websites were truly lacking. Some sites say they give users some control to limit the disclosure of their information to others, but some sites are completely silent on the issue.

Most disturbing, many sites explicitly disclaim any liability for the actions of third parties and others that might have access to a user's information. But because of how these sites operate with banner ads and other companies nearly indistinguishable to most users, we believe these disclaimers actually negate the site's entire privacy policy. And again, you will see a demonstration of this, this afternoon during Richard Smith's testimony.

In other words, when somebody visits one of these health Websites, particularly one that has banner ads at the top, most visitors do not distinguish, and cannot distinguish between all of the various activities happening on that page. They might see a banner ad, but not know that it's a separate company that is running it. Or they might fill out a health assessment, and not know that another company is actually doing the health assessment on behalf of the host company. People are not aware, and again, because it's not truly transparent, how much information is being captured and gathered, and by whom at the sites.

Profiling, from what we have found out, may actually be seamless, but privacy is not. If a privacy policy does not follow users wherever they are on that site, and wherever they link, where that link is part of the site's activity, regardless of who is watching then the chain of trust is broken.

And I think in some ways that is one of our most critical findings. We think that there needs to be a chain of trust established at these sites so that business partners -- and I use that term, although it is used in a different way in another context -- so that business partners or contractors or those that essentially are doing business with a site, and are so entwined with the site's activities, need to adhere to the same privacy policies to be bound by those policies of the host site.

Some people think that they are anonymous on the Web if they are just browsing. In other words, if they don't fill out a health assessment, if they don't give their name, and if they don't register at the site. Some people may even understand that cookies are just a number, and profiling is just about the sites collecting aggregate, non-identifiable information to run their site better. That's what many of the privacy policies say. So what's the problem?

Well, again, in the demonstration -- and sometimes it's hard to talk about this without seeing it visually, so I'm glad that Richard will be able to do this -- you will see how the third party ad networks that operate the banner ads at these sites collect cookies and other information about you whether you click on the ads or not. This was a huge revelation for me.

That if you go to a health Website, and there is a banner ad at the site, there's a good chance that that ad company is collecting information about you, just by virtue of you going to that host site. There is no notice of that in any of the sites.

We then discovered that you may be anonymous even at that point until you decide to divulge something about yourself. You might give your email address to receive a newsletter. You might give your email and name when you want to forward an article to a friend. You might provide your medical history if you are filling out a health assessment. And you might even provide something specific if you are on a mental health site or an HIV site.

At that point, some of the profiling data, what is considered non-identifiable, although again, I think that's up for question as to whether it's identifiable, some of that non-identifiable or profiling information that is gathered earlier can then be linked with the identifiable information that you have shared.

Do people actually care? Have people just kind of given up? And again, they have not. The survey data that you will hear about later shows a very strong majority of people do still care. They want there to be privacy policies at these Websites. They want those policies to give them some control over their personal information.

A significant percentage of people don't use health Websites, don't use the Internet to gather information about health, because they are concerned about confidentiality. And again, there are certain, specific concerns that people have, whether it's again, about trying to find a doctor online, or having their medical records shared, or buying a refill for prescriptions. But again, most of those people also said that their privacy concerns could be addressed or could be quelled if there was a strong, enforceable privacy policy.

So what we did with the findings in our report, coupled with the public's expressed desires in this area, is we made four recommendations to the Internet health community:

1. Overhaul your site's privacy policy, and make sure that that policy adheres to fundamental, fair information practice principles that we again, review in our review.

2. Close the loop between policy and practice. The only way to truly do that is to create a chain of trust with your business partners and advertisers, so that one policy at the site fits all, wherever the user is.

3. Aim to provide users with anonymity to the greatest extent that you can.

4. And as a community, both for-profit and non-profit, come together to strive to develop a model privacy policy that goes beyond just the set of principles, but a strong policy, so that people will have consistent, fair, clear, workable standards that are there to reassure them no matter what site that they visit in this area.

Since releasing our report, a number of things have happened, and I just want to provide a quick update. Some of these things we could say are a direct result of the report, and some of them probably are not. Two of the sites that we did investigate no longer exist. They have been gobbled up by other sites. This seems to be a fairly common practice right now. I don't think the report had anything to do with that.

But the Internet Healthcare Coalition -- and you will hear about this I assume this afternoon -- did issue a set of draft e-health ethics policies that includes a privacy statement. It's a draft. My understanding is it's available for public comments, and I urge all of you to look at it and to comment.

In addition, the day after the report was issued, five members of Congress sent a letter to the Federal Trade Commission calling for an investigation to look into this matter. And Sen. Torricelli did introduce an Internet privacy bill.

Now when you talk about legislation in this area -- I've been doing this for long enough -- that many people say we can't regulate the Internet with legislation. Because of the nervousness of doing that, and also the practical difficulties of doing that, many privacy advocates and regulators have been looking for a long time at how to create a set of binding principles to look at self-regulation to kind of nudge and push and prod Internet sites to develop good practices.

One of the things that I think has been particularly frustrating for us first of all is that that's not been effective, and we've been at that for a long time. But the second thing is that as we have been moving forward to create enforceable privacy rules at the federal level, and now have a set of draft regulations that have been issued by the Department of Health and Human Services on medical privacy that we hope will be finalized either late spring or early summer, 40,000 comments were filed on that draft regulation, 30,000 of them came from consumer groups -- at least 30,000 I should say. So there is a deep concern out there about this issue.

One of the frustrations is even though we are encouraged that we may actually have some real rules in this area come late spring, most of the activities that this report addresses are not covered in the federal regulations. These sites are either not providing health care under the definition of health care providers. They are not a health plan. They are not a clearinghouse.

They may appear to be providing some kind of a medical service, but many of them would not be directly covered by the regulation. So again, it is an unregulated area. I know the FTC is looking at it. The extent to which we actually have some enforceable rules in this area I think remains to be seen.

Let me just close by saying that our goal with this report was to measure privacy policies and provide an empirical basis on which health Websites could act. Our experience generally is that privacy is not built into the design and operation of most sites, and is not a first principle in the activities in the health care arena; it has not been up until now.

I think given the economic pressures and commercial temptations that drive privacy to the bottom in the Internet area, fundamental choices have to be made about how these sites are going to operate; how profit is going to be made, or whether it's going to be made; and essentially how we are going to pay for some of these services.

In some ways I have kind of taken for granted that you will understand that my perspective on all of this is that all of the technology and all of these services can be designed with patients in mind, and can serve people by giving them more information about their health status, by providing them an opportunity to talk with other people online who have similar conditions and may be able to give them advice, to allow them to get information anonymously, where they might not otherwise get it in the offline health care environment.

Those are all fabulous, fabulous goals, motivations and intentions, which I think need to be realized, but we have to address this issue up front. It needs to be built in at the start, or we are not going to get there.

Thank you very much.

MS. FRAWLEY: Thank you, Janlori. Calvin?

Agenda Item: Panel 1 - Calvin Wiese, CEO, HealthMagic, Inc.

MR. WIESE: Thank you very much for the opportunity to address this subcommittee. The time of doing this couldn't be better. When Gail first contacted me, I think back in November, why I had no idea that the environment would be as conducive for a discussion like this. So I'm very pleased to have the opportunity at this time to address a body of this significance on this significant issue.

I am the CEO of HealthMagic. We are a company that develops personal medical records, and we welcome the interest that is now being focused on this issue, because we think it is very important. We think the bar needs to be raised to a much higher level than we see it being set at in this industry. We have spent four years and in the range of $10 million creating technology that would effectively deal with these kinds of issues.

We think they are very important issues that can't be trivially addressed with health care Websites. So we really look forward to the opportunity of getting the public more interested in what's underneath the Websites to protect their privacy.

HealthMagic is a consumer-centered health care information technology company that offers Internet-based health information solutions for consumers. Our products include a life long health record system that provides consumers with interactive, personal health management tools. We have invested millions of dollars to create technology that makes it safe and secure for consumers to store and access their personal and confidential health information through our service.

One of the things we are known for is we are the company that has the contract to provide this service to DrKoop.com. With the recent stress in this space, DrKoop.com has not yet chosen to implement this service, because of their concern about these matters. We do have a beta version of our product on one of their partner Websites that we are very happy and interested in people looking at to see how we think this issue really should be managed.

We believe many of the current problems associated with the management of health care information can be solved by putting the consumer in the center of the health care information universe. The life long health record provides a single, and we believe the only logical location for the storage of life long health information.

Once a consumer authorizes HealthMagic to receive their personal health information, any data we receive is incorporated into their life long health record. Thereafter, further access to and dissemination of that information in individually identifiable form is controlled only by the consumer. If authorized by the consumer, the life long health record or portions of it can be accessed through the Internet at any time, and from any location.

I am here to discuss how we at HealthMagic believe this information stored on behalf of consumers should be used. I want to start by enunciating a set of principles that guide our company. First, in our view, the storage and management of personal health care information for consumers creates a trust relationship that must never be violated. The Internet is a tool that should be used to enhance consumers', not business', control of their health information. Consumers should be given more control over their health information, not less.

Second, permission to disclose a consumer's individually identifiable health information needs to be explicitly granted by the consumer. This guiding principle is rarely implemented today, including in the offline world. When consumers are asked to authorize access to their health information, they are often presented with forms that are hard to comprehend, and often do not understand the scope of the access they are authorizing.

The Internet enables a much more detailed understanding of these decisions, and a much more nuanced approach to access authorizations. That being the case, once consumers obtain access to, and control over their confidential personal health information, no further disclosure in individually identifiable form should be permitted with the consumer's specific authorization.

Third, Internet access to personal health information holds out the promise of substantial benefits to consumers. These are things like: increased knowledge about their health care; greater understanding of health care issues, and with it, better management of their personal health care needs; more convenient access to health care and health care information, and increased involvement in personal health care decisions, and as a result, we believe better health.

We believe government must act responsibly to insure first that consumers have the opportunity to realize these benefits, and second, that enterprises which stand to be rewarded economically from these developments succeed, because they provide real value to consumers.

HealthMagic has formulated company policy governing its disclosure and use of consumers' health information, which then seeks to incorporate these concepts. First, no identifiable health information will be disclosed without explicit authorization from the subject of that information, the consumer. This means that HealthMagic does not permit access to anyone unless the consumer is aware of the information disclosed, and the identity of the party accessing that information.

Second, personal health information will not be packaged, sold, or marketed to any businesses. Consumers, however, may request marketing information in the form of personalized messages. In response to such requests, and with the individual's permission, we may evaluate the consumer's health information to customize information about various products and services. However, HealthMagic will not provide, and neither other businesses nor marketers will have access to the identities of the consumers to whom these messages are delivered.

Third, de-identified information may be disclosed without explicit authorization, but consumers are able to prevent such disclosures through selections on the appropriate access control screens, but the default position is that disclosure of anonymized information should be permitted, so long as the consumer has the right to shut that off.

Providing access to health information over the Internet, though, provides a set of unique challenges that requires complex access, control, and sophisticated security policies and infrastructure. Two critically important dimensions of access control are identity and granularity. Effective integration of individual health information using the Internet will not be achieved or accepted by the public until we establish a means to positively link individual identities across enterprise boundaries, and across information connections.

Since under current practice each enterprise establishes an enterprise-specific identity for each consumer, many thought the logical way to a unique health identifier was to overcome the high risk of binding errors associated with the current record keeping system. And you all know, privacy concerns have overwhelmed the efficiency considerations on this issue. And despite the HIPAA mandate for HHS to adopt a standard, Congress quickly reversed course and prevented all work from going forward.

We believe that the solutions previously offered for positively binding a consumer's health information across health episodes of care have all been flawed from a privacy perspective, and that any use of a single, unique, individual identifier will result in a serious erosion of health information privacy that will injure consumers.

HealthMagic believes there is an answer to the unique identifier problem that protects privacy, and which will be accepted by individuals who have privacy concerns. Our health identity service that is an integral part of our life long health record maintains for consumers, the enterprise-specific identifiers of each health care enterprise that is linked to or used by that individual. Each health care enterprise accessing or contributing to the consumer's health information will be identified by their enterprise-specific identifier, which is different for each health care enterprise.

Since the consumer's record is the central repository of their personal health information, this mechanism permits a positive binding of consumers' identity across enterprise boundaries and episodes of care, without requiring the adoption of a national identity system, or disruption in the existing record keeping systems of health care providers. In our view, this kind of functionality is critical to the secure storage and communication of personal and private health information.

The second dimension of access control involves granularity. Access control in health information cannot be an all or nothing issue. It must protect both personal health information privacy and provide appropriate access to health care institutions. The proper balance is best achieved by giving consumers the ability to limit access to particular data for particular entities, and we believe consumers must be given the right and the functionality to do that.

In some instances, such as medical emergencies, consumers may wish to set access controls so as to grant unlimited access to certain classes of entities, such as emergency rooms and urgent care centers. On the other hand, there may be other data consumers deem to be of sufficient sensitivity that they don't want it disclosed to anyone, including their own physician.

Some have asserted that providing consumers the capability to selectively manage access to their health information destroys the credibility of that information. We disagree. Data hidden tomorrow by a consumer using a consumer identity service will often be the same data that a consumer would not disclose or provide as a copy of a paper medical record to a health care provider today. Moreover, permitting consumers to deny access to some of their personal health information does not compromise the validity of the information that is made accessible.

My final point concerns the issue of continued access to the information an entity contributes to a consumer's Internet health record. We believe that any entity that puts data into a consumer's health record should have the right to maintain access to the information that is put in there.

We at HealthMagic are very optimistic about the opportunities created by Internet-based collection and dissemination of personal health information. We believe a consumer-centric health information system has the potential to revolutionize the way health services are delivered. We think consumer management of access to information makes for efficient exchange of personal and confidential health information across enterprise boundaries.

We are confident that accurate binding of consumer health identities across enterprise boundaries will reduce the cost of information exchanged and reduce the incidence of medical errors. Finally, we believe these innovations will increasingly engage consumers in the management of their health care, and thus usher in a new era of health management and better health for consumers.

Thank you.

MS. FRAWLEY: Thank you, Calvin. Sam.

Agenda Item: Panel 1 - Sam Sugar, M.D., F.A.C.P., President, 4Healthylife.com

DR. SUGAR: Thank you for inviting me to speak today. It's a pleasure to be here today. My name is Sam Sugar, and I'm a physician specializing in internal medicine. I have been in private practice for 26 years, and I recently retired as the medical director of E&H Medical Group, which is a large, vertically integrated managed care organization consisting of three hospitals, and over 500 physicians, with another 200 physician trainees. So that I have supervised over the last years upwards of 700 physicians.

My interest in Internet medicine, and I'm privileged I guess to be the first physician to speak today, was a simple one. When I began thinking about creating 4Healthylife.com, which incidentally was my wife's idea -- the name was anyhow -- I wanted to create a tool by which I as a physician could enable my patients in a patient-centric way -- we hear that word a lot, it's the buzz word in the industry -- allow my patients to interact with me, not only in person, not only over the telephone, but with their physician of choice across a wide spectrum.

This created a number of challenges, many of which have been mentioned today, and I'm pleased to say that I feel very good about Mr. Gellman's comments, and I'll show you why now. 4Healthylife.com has been online since the end of last summer, and my report to you is a report from the frontlines of medicine and the great little town of Evans, Illinois, home of the great Northwestern Wildcats, where they used to have a pretty good football team. And I am the founder and president of 4Healthylife.com.

I changed my presentation just a little bit to include a little bit of news. The first talk we had from Janlori made it to the AMA News, and this is a newspaper that is read on a regular basis by the majority of the physicians in this country. Believe me, physicians are interested in this topic.

Our administration here in Washington has also whipped up a debate regarding privacy issues. That was also in the AMA News this week. At the president's press conference on Wednesday he further announced his intention to change the landscape of American medicine by embarking on a very ambitious and well funded program to reduce medication drug errors and other fatal interactions by 50 percent in five years. Again, this represents government's attempt to improve what is already a good system, and make it the best system around.

So why did I do what I was doing? I purposely made this slide uncomfortable, because that as a physician is what I am when I see typical medical records. I'm very pleased and proud of my own personal medical records, but I go to great expense to have them typed up. If they were in my handwriting, no one in this room would be able to ever use them; and of course, that's part of the problem.

But I was also very much concerned not only with poor records, poorly organized records, illegible handwritten, lack of JCAHO compliance, and the Joint Commission on Accreditation for Health Care Organizations is the organization that certified hospitals and vertically integrated companies for their charter to continue practicing medicine and receive Medicare funds.

Therefore, we put together for 4Healthylife.com -- we made it patient-centric, and we made our goal patient empowerment for care. The only person, the only individual who has control over the medical histories stored in our site is the patient. We allow the patient to acquire services, products, and individualized, actionable information from their care providers by entering a portal that they can share with their providers.

We do offer customized self-health assessments. The difference is we don't sell them to anyone. And we do have a disease management module. All of this put together means that I, as a physician, can treat my patients in the state of Illinois where I'm licensed, the same way I treat them over the telephone, but with much more information. At three o'clock in the morning when the emergency room calls, all I have to do is go to my PC with the patient's permission, and get their record.

Moreover, this type of activity does something very important as a physician. It improves my work flow. I don't have to wait for charts. I don't have to wait for reports. It helps me be a physician.

Now candidates for the presidency have spoken out on this very issue, and all of you can see that. Both Vice President Gore and Sen. Bill Bradley have made it very clear, their positions on the individual's right within the health care system. And on the other side of the aisle, George W. Bush and John McCain have also made very clear statements indicating that we must return personal control of decision-making process in health care to the individual, or his or her family.

What I want to present to you today is a little bit of an overview about where medicine stands today. I don't think you are going to be hearing this from anyone else, but today's crisis in medicine -- wait until tomorrow, there will be another one -- for the practitioner is the concept of subjective evidence versus objective evidence.

We have now entered the age, thanks largely to the Internet, of evidence-based medicine. Meaning that if you prescribe a treatment for someone, there had better be scientific back-up in the medical literature to back it up, to make sure it's something that can be accepted widely, or you shouldn't do it. We have minimized the art, and maximized the science and statistics of medicine.

Now this is important, because the person who controls the data that is thus generated, creates enormous power. The managed care organization can get contracts, retention and new business, as well as investment and growth, and by doing so can control an entire population of providers and consumers, and be recognized as the leading edge or bleeding edge business that sets standards, and is the best practice.

The individual physician, however, is in a bind. Our practice models that have been around for 50, 60, 70 years are terribly antiquated. Practice groups are going bankrupt because of the revolution in how we finance health care, which is another topic for another time. And demand for services is rising, but reimbursement is falling. This kind of a crunch has had an impact on the quality of providers.

We have a different individual going to medical school today than we did 30 years ago. I believe personally that the quality of American health care has fallen and continues to fall substantially despite everything we have said. And the biggest issue here is that patients have a problem -- every one of you in this room has a problem, but you don't know what. Your medical records are lousy. They are terrible in paper form.

Before we can transition to an Internet-sole system, we have to understand how we can make tools to help physicians treat you better. The ideal tool, to make a long story short, facilitates work flow, reminds doctors to do preventive medicine, and allows time for interaction and reflection.

When I see a new patient in my office, the amount of time I actually spend examining him or her is trivial. What takes time is asking and getting answers to the critical questions, 95 percent of which could be better done with a computer.

When we put 4Healthylife.com together, we had bedrock values. One, and I'll emphasize this as much as possible, it is my belief that there is a reason why physicians and surgeons are licensed. They are held to a higher standard than businessmen. Only physicians or their designees should practice medicine and control medical information. I believe the patients must own their own data. Now they can share it, and there are lots of ways, and we heard some ways this morning of sharing it, but ultimately ownership must be in the hands of the patient that is described.

Data should never be for sale, even aggregate data, ever. Now part of it can be addressed this way. For example, if you were my patient and I took your paper-based chart, and I sold your name and address and telephone number, I don't think anyone in this room would like that. The fact that your record is now on the Internet doesn't change the ethics. It is my firm belief that data should never be sold.

One of the things that people don't know about is what's been discussed, the Internet freebie syndrome. Sure, sign up here. Everything is free. Well, there is a price to everything. Nothing is free. When you sign up for a free sign, you are giving away a lot. This has led to a large discussion about public identification keys and authentication, and we will hear more about that later from Mr. Musacchio.

In the Internet personal health record field there are any number of players. It changes from day to day. We are in the high 20s now, maybe a little bit less. The landscape changes constantly. There are huge dollars invested in this, and the companies range from the goliaths of the companies, to companies like mine, which are little fleas on the landscape comparatively speaking.

What distinguishes one company from another? Capitalization and leadership have to do with the business model as well. The highly capitalized companies have to show a business model that shows profit within a relatively short period of time, and as a result, they are forced to develop models which develop revenue. Their philosophy and vision may be very different from company to company. Ours is simple. It's patient-centric.

The depth and connectivity and content of each site varies by their philosophy, and patient empowerment can range from giving patients the only complete access to their records, to denying them access.

Now I have been asked to tell you what information we collected for 4Healthylife.com. In summary, we connect and create standard Joint Commission on Accreditation of Health Care Organizations charts, and that is your typical medical chart, with contacts for emergencies, preventive health information.

We provide hospitals with admission screens for impairments. Perhaps in the questions I can answer about that.

We also supply insurance information, provide our updates, and we are the only Website that includes your pet. The same information -- when you leave town, your pet has health needs too. That was my wife's idea too.

So just a few quick slides about what we create. This is actually taken from the site, and it gives you an idea of the 19 categories that we do collect, including hospital of choice, so that the hospital, if you choose to, can be aware of choices for health care.

And our general health questionnaire, I thought I'd include just a few simple answers and questions of the questionnaire we are using. Some of them are more obvious than others, and I won't read them. And this is the last eight or nine.

You will notice that the very last one is clinical updates. This is our interface with the provider when given permission by the patient. The provider can enter clinical updates, laboratory results, currently data that is in text form. We are working toward MRIs and EKGs, and do so, so that the patient and the provider both share in that information. It is simple to do.

Now the question is what is all this talk about why collect the IPHRs? Data collection is not an end in itself. It is a means to an end. And as a result, this powerful medium, the Internet, which is changing the world, can empower patients right now. It can enhance physician activity right now. Shortly, we will be seeing the Internet practice of medicine, as I have alluded to, and it can improve access to patient services, turn into cost economies, and ultimately re-engineer long-term care.

I wanted to spend just a moment comparing two very important concepts. One is the electronic medical record, which Jeff Blair's group has been so active, along with Peter Wagemaan(?) in working on and trying to set standards for. There is a meeting here in 10 days about that. The electronic medical record differs from the Internet personal health in that it is a permanent, non-modifiable form of medical information, a huge difference from the Internet personal health record, which is a fluid record.

You can read through this, but most importantly the EMR excludes the patient as a source of input or power over their own information, whereas the Internet health record does the opposite. It redefines the medical enterprise, and allows self-assessment, and ultimately with a positive influence on the cost of care.

I believe integrating the Internet-based personal health record with the electronic health medical record is where the future of Internet medicine is. These are all the things that will stand in the way of integration: shareability, connectivity, naming conventions, all of which are being addressed in other venues.

But with personal health record integration on the Internet we allow sharing within the enterprise, and we allow the consumer-patient to control their data. Integration will be the holy grail. My vision is that ultimately there will be some conformity within the Internet personal health record field that allows an integration program to download into existing legacy systems in hospitals and health care organizations, thereby avoiding the need to spend hundreds of millions of dollars on brand new systems.

Either way, what we want to do is empower decision support tools, not only for physicians, but also for administrators to practice good preventive health. We want to get more timely information for physicians and patients. We want the consumer to run this show, and we want the consumer to have better health care. We want to avoid preventable care errors by checking for drug interactions, dosing allergies, and allergies. We want our consumers to understand their management, so that they can more effectively participate.

And we want physicians and patients to access timely, patient-centric, actionable information. And I want to emphasize this point. The difference between a Website that simply collects data and one like we have designed is it is designed for actionable interaction. That is, a message from the provider to the patient, change your dose of Lipitor, because your last cholesterol was too high.

And we wanted to create a portable record for today's mobile society, which I think speaks for itself. We wanted to centralize records for the entire family and their pets in one place. I have to go back to my wife this afternoon, and I promised, so I beg your pardon. And we want to help them identify self-health risks that they can get into earlier. Basically, the idea behind this was a TQI effort, a total quality improvement.

So conclusions, the electronic medical record to which we are tumbling quickly, and the Internet-based personal health record are parallel, but not the same. Both can improve patient care. HIPAA does not now cover the Internet-based, and probably should not, but that's another discussion as well.

Access versus privacy and security are paramount issues, and really determined by business models, not philosophy. Federal oversight of these Internet-based sites is controversial. To foster credibility -- and that's really what we are talking about today -- Internet vendors need better privacy policies, transportability and field definition standards so that they can transport and integrate their data into EMRs.

They need ethical financial models, and I think this may be the most important thing I say today. Business models sometimes conflict with ethical models. There has to be a way, and hopefully we've shown some leadership in that respect, to do this in a way that does not endanger privacy and upholds the highest standards of medical ethics. We want broader consumer enablement, and we need physician buy in and partnership, not dominions by large Wall Street organizations.

I thank you very much, and I'll be happy to answer any questions in the discussion or now, whichever you prefer.

MS. FRAWLEY: Thank you, Sam.

Agenda Item: Panel 1 - Thomas Booth, M.D., M.S., Vice President, Medical Affairs, Editor-in-Chief, PersonalMD.com

DR. BOOTH: My name is Dr. Thomas Booth. I'm vice president of medical affairs and editor-in-chief at PersonalMD.com. I would like to thank the committee for giving me this opportunity to enter into this discussion. It's something that we view as being something very important in the health care field right now.

Also, I included in your packets my email and phone number. If there are any questions that come up later on, or any further information that is needed by the committee, you can feel free to email me.

Just to give you a kind of introduction into what we do, it's going to sound somewhat similar to what Sam just talked about with their Website. We provide a variety of health and medical content along the same lines of lots of these other medical sites, some of which have already been mentioned. But more importantly, we provide a personal medical record system. A lot of what I'm going to say is going to echo what Sam said.

We believe that with this medical system, we empower consumers to gain some control over their own health care, and empower them by allowing them to gain control over their data and their medical information as well.

A core value that we had in creating this system is providing access to vital medical information, primarily for emergency situations, but our system would also work well if a patient is traveling across the country or moves across the country and establishing with a new physician, and needs to give that new physician his past medical history.

So we view our core value as providing a way for vital medical information to be accessed by emergency physicians on a much faster timeframe than is currently available, especially with paper-based medical records. We have also recognized that many emergency rooms throughout the United States, and especially throughout the world are not equipped for Internet connectivity at this point, and we have provided a system that allows a fax-back system to work as well. So a patient's important information, like baseline EKG, can actually be faxed into the emergency department. That is also included in our system.

Well, what we really do here, and this is basically what the medical record system looks like, we provide various pieces of information that most physicians are familiar with and will recognize as being among the most important pieces of medical information that the physician needs in order to treat a patient, especially in an emergency situation.

Kind of as a background, I practiced in the emergency room as well as in urgent care centers. So what I saw was a great need, and I think Dr. Sugar also mentioned this need for timely medical information that will enable the physicians to do a better job in treating the patients. I have had numerous examples of being in the emergency room at 3:00 a.m. where a patient comes in with chest pain, and they have no copy of their baseline EKG or previous EKGs are not available.

Oftentimes patients are in pain and uncomfortable, and just get confused and can't even really remember the names of the medicines they are taking, whereas when they are feeling well, they probably could remember their names. But since they are in pain and upset, they can't even recall the names of their emergency contacts, their phone numbers.

What we have attempted to do here is attack that problem, and give patients a way to organize their information, and allow that information to be accessed by physicians at 3:00 a.m., where otherwise the emergency room would have to wait until the next morning to contact the patient's physician, and wait for the paper-based record system to arrive, sometimes hours later.

And this actually can make a critical difference. If you are trying to treat a patient and make a decision on whether or not to give so-called clot busting drugs, oftentimes you can't wait hours to make that decision. So that's really the problem that we have tried to attack with this system.

We provide basic information and emergency contacts. We provide a system that will allow patients to have an automated system where the emergency room physician can, in an automated fashion, make a contact with the patient's emergency contacts.

We provide the general medical information, a list of the medications, a list of the drug allergies that the patients have. It is not uncommon for patients in the emergency department to be unable to recall what medicines they are allergic to. I think everyone can see that that can have a profound impact on the treatment of the patient when we know that the patient is allergic to a medicine, and they can't recall what the medicine is that they are allergic to. Here we can access the patient's drug allergies immediately.

What diagnostic tests they've had -- an example I just used was the baseline EKG. Using this system a baseline EKG can be stored. If the patient had a coronary angiogram two months ago, the report of that can be stored in here. And then if the patient again shows up in the emergency room, that emergency physician can have access to the angiogram report in a matter of minutes, rather than hours.

History of previous hospitalizations, surgeries and treatment, and past medical history, and then we provide an emergency record summary that can be, as I said, either faxed or accessed through the Internet, and that can be immediately available to an emergency physician.

Well, how is the record used or accessed? The record is accessed by only those people that the member grants access to. A primary way that that access can be granted is through the use of the emergency card, which members receive and can carry in their wallet. There are two forms of access, the information that is on the card, the fax ID, and the PIN code grant read only access.

This is the way that the patient would use the card if he or she showed up in the emergency room. They could give the fax ID and the PIN code to the emergency physician, and they could, either by Internet or fax machine, download the emergency summary.

Access by the patient is also granted through information that is not on the card, that is, read and write access. That's the way the patient can enter the information and change the information, and update their information so that if they are put on a new medicine, they can immediately go and update the record with the new medications.

I think this correlates with what Dr. Sugar had mentioned in this being a fluid document, so that the most up-to-date information is included. Again, the access is by the user ID and the password, which are something that the user controls, and is not on the card.

So I think I already gave you the example of how a patient can present in an emergency department and use the card with the PIN number to gain access. One point I think I'd like to open up in the discussion is the risks versus benefit of even including the PIN on the card. In the system right now, the patient has the option to either include the PIN or not include the PIN on the card. When you sign up for the card, that's one of the choices that you as the owner of the information make. So some people can elect not to include a PIN on the card.

The one downside to not including a PIN on the card is if you are brought to an emergency room and you are unconscious, and you don't have the PIN on the card, and the emergency physician has no way of accessing that vital information. So if you have a baseline EKG and you're unconscious and you don't have the PIN on the card, then that emergency physician has no way of accessing that information.

So this is something that we felt that we needed to give control of this to the consumer. But also we tended to shy away from making recommendations on whether people should or should not place the PIN code on there. That's something I think would be a valuable discussion at that point.

Just to give an idea of the growth for the personal medical record system, we are approaching and actually have exceeded 100,000 members that have decided to use an electronic personal medical record system.

Now I would like to kind of move on into sort of our privacy statements and how we view the confidentiality of personal ID. As I said, our core values are to provide a way that emergency room physicians and physicians in general can access vital medical information in a timely fashion. We also feel that the data that is put into our system is owned and should be controlled 100 percent by the patient or consumer.

We have also decided that one of our core values is that we will disclose or sell this information to anyone, and the only person that can authorize disclosure of the information is the consumer or member. We give links on our privacy statement that link people to the Health on the Net guidelines. We also are conforming with a trustee, and we give a link to that as well.

This is a summary of the privacy statement. I actually copied the privacy statement in the packet. The entire privacy statement I downloaded from the site, so it should be included in the packets.

There are several ways that people can register for the site. They can become a basic member, and not create a personal medical record, but get personalized newsletters, and also can access personalized articles on the site. We create a "my page" that is preference controlled, so that the patients can elect to see say primarily asthma-related articles if they have asthma.

A premiere member is when they create the personal medical record, and we collect their names and the medical information. So those are the two kinds of registration that you will see on the site.

There has been a lot of talk about cookies, and what I wanted to show you is how we have kind of addressed this problem. This is also in the privacy statement that is on the site. We use cookies to create the personalized "my page" and to deliver the personalized news that the patient selects as their preference. So basically, we have a list of preferences that are various diseases, and the member can then elect to receive news articles and feature articles on asthma, as opposed to searching through all the information on the site.

Most people when they see the cookies, the first thing they want to do is learn how to disable it. So we give on-site, a way to disable the cookies. There is a sign-in. If you sign-in with your member registration, then you have access to the personalized "my page" and the news that is based on your preferences. And you simply disable the cookie by signing out. And then there is no cookie anywhere on the pages that you access from that point on.

So we do use the cookies in an aggregated fashion to better design the site, and to focus our articles and our news gathering on the diseases and conditions that our patients are asking for. I think this again is going to be, when we are discussing health care and the Internet, an area that you may find a conflict between people's demand for a more personalized experience on the Internet, and wanting Internet sites to recognize their personal preferences, versus giving up anonymity and privacy. So that's another area that might be good for discussion.

Again, this is summarized from the privacy statement. And in this we talk about here how the information that is collected is used. As I mentioned, we use it to personalize the services, and also we personalize the newsletter as well.

On the privacy statement we tell people that we provide this emergency medical record and card free of charge. And we do that because we display advertisements. So we felt it was important to openly disclose this on our privacy statement, that we are offering the free service, but we do that by placing banner ads on the site.

Again, below is a statement right from the privacy statement that shows how advertisers can ask us to display an ad only to members over 35 say, and that's how we do that.

At no point does any advertiser have any access to any individual account information. The only time that ads are served, it is based on de-identified, aggregated information. Those classifications are very broadly based. Like it may be age groups from 25-45 or 25-35, and so at no point, if you enter that you have diabetes, do we use that information to direct an ad on diabetes to your page.

Also, people have had some concerns about is anybody else collecting the data off of our site and are we sharing it? And the answer is no, we don't share our data with anybody. Once you put that information into your medical record, it is actually encrypted. No other business partner will have any access to that information. There is no advertising that has any access to that information.

In fact, even employees of the company have no access to that information. I can't even go in and view patients' individual medical records, because the database that houses that is totally encrypted, and employees of our company don't have access to that.

We do feel it was important to include notification that other sites that have advertising may use cookies, and may collect their own information. And I think that that was important to notify members that that could happen. I think that could happen if you clicked on an ad and you went to another site. So we make sure that we have included that information for the members to realize. And again, the question is do we share the information with anybody? And the answer is no, the information is totally secure, and not disclosed to anybody.

I want to touch on the Doubleclick issue, because we did elect back in October, to use the Doubleclick to serve up our ads. We, at that point, did establish a chain of trust agreement with them, and took an extra step that I think most other people that have dealt with Doubleclick haven't done, and that is that we had another clause that was written by us specifically added to the contract that specifically prohibits them from accessing our information, from combining any information that we have used to serve to our members with any other data that they may be collecting.

They have assured us both in writing and verbally that they are not using our information in serving our ads and combining it with other information they have gathered from others. So we have a specific contract clause with Doubleclick that I think goes above and beyond what most people have with Doubleclick. We actually implemented that right before we began using them. That was back in October.

What about information on the public forums and chat rooms? Because we do have chat rooms and open discussion forums on the site. Here we felt it was really important to inform people that anything they say in a chat room or forum is public information. I think that goes back to what was mentioned earlier about anything you say -- don't say anything in these type of forums that you wouldn't want anyone on the Internet viewing it to know about.

Well, how do we go about securing this information? What processes do we have in place so that members can track how their information is used? The most important thing we have is an automated audit log. So the members can come in and view how their information is used, every time it is accessed, so that they can know where their information is going and keep track of that.

And what actually happens is the patient can receive an automated email notification anytime there is activity to their information or to their account. Of course, they opt out to not receive that, but the default is to opt in and receive automatic email notification every time there is any kind of access.

Other security measures are fairly standard in the Internet community. We use SSL, secure socket layer for data encryption during the transmission, a VeriSign secure server firewall protection. And as I mentioned earlier, our database is encrypted so that even if penetration through the firewall is accomplished, which it hasn't been, the database is still encrypted, and we use the 128 bit encryption over the browser. Anytime anybody is entering into their medical record system, it's in a secure browser form.

Well, what kind of choices do people have in controlling this information? Because certainly I think what most people that elect to create a personal medical record, whichever company they choose, has in their mind gone over what's the balance here between the risks of disclosing information, putting information on the Internet in an electronic form that they realize can be transmitted, versus the benefits of having a system that will allow vital information to be transmitted to an emergency department three in the morning.

So I think what we are aiming at here is to give people a choice of multiple points to make their own decisions, and to either opt in or opt out, or change their mind and totally remove their information. So we have set up options so that as they enter the information, they can decide not to do so.

And we have created a very easy method for them to totally remove any information they put in, and essentially wipe out all the medical information on our database. They simply go into their medical account and say, delete my account. And we totally erase every bit of information in our system about the member.

How do they update or correct any information that they may have in their records? Because obviously if you realize that you have put in some incorrect information, you want a way of changing it, updating it, and making sure everything in there is correct. Again, simply go into your record, and you can use the edit and update method to make sure that the information in there is correct.

So in conclusion I think that as a practicing physician I have seen many cases where having the proper information about a patient can make a huge difference in how the patient is treated. I'll go back to having a baseline EKG for a patient in the emergency room at 3:00 a.m. that is coming in with chest pain. I think that's a great example. That's a case where having that information has a huge impact on the care that the patient can get, and can have a huge impact in the outcome.

And what we realized is that we would like to find a way to balance that urgent need for a patient care issue versus how that information is transmitted. Predominantly now information like that is transmitted in paper form. We think this addresses a critical. We feel that we have to find a way to balance these privacy issues with the need for the transmission of medical care.

So finally, the reason that we are here is that we feel that these issues of privacy do need to be addressed, do need to be continually looked at, continually improved. So part of the reason that I'm here is to hear what other views are in the industry, and make sure that we are doing everything possible to make sure that the privacy of our members are upheld to the highest standards.

So thank you.

MS. FRAWLEY: Thank you. Tanya.

Agenda Item: Panel 1 - Tanya J. Glazebrook, President and CEO, MedicAlert Foundation

MS. GLAZEBROOK: Thank you. MedicAlert Foundation is pleased that the committee wanted to hear from one of the oldest organizations in this business, as well as the newcomers.

My background is not in medicine, but consumer and customer-oriented organizations. I owned my own consulting firm for about six years dealing with strategic planning and marketing for both private and government agencies dealing with crisis management and corporate decision-making. I spent 25 years in leadership positions with United Way around the country, concluding with 7 years as the president and CEO of Miami, Florida. I joined MedicAlert Foundation five years ago.

It's a delight to lead this organization, because it is the nation's leading emergency medical information service, with 2.7 million members in the United States, and another 1.3 million worldwide.

I'd like the opportunity to tell you a little bit about MedicAlert. Even though we have been around for 44 years, people still tend to think of us as the bracelet people. And we do have the bracelets, but we do a little bit more, so I'd like to share some of that with you. The organization is non-profit, a membership organization whose mission is to protect and save lives by providing identification and information in emergencies. It was founded in 1956 by a California physician, and is governed by a volunteer board of directors comprised of national influential leaders in both the health care profession and business sector.

MedicAlert members receive an annual membership card, and a bracelet or pendant engraved with the famous MedicAlert trademark, and a toll free 24 hour access telephone number. Also engraved may be, depending on the choice of the member, specific medical information critical to their treatment in an emergency. Certain conditions, allergies, medications, or advanced directive status may be included.

The core of our service, however, is the 24 hour emergency call center. The call center is staffed around the clock by 60 highly trained and experienced customer satisfaction representatives who field over 600,000 calls each year, as well as handle the emergency hotline service for 800,000 of our Canadian affiliate. Through AT&T translation services we can respond to calls in almost any language around the world.

Information stored in a MedicAlert member's electronic file includes: name, address, personalized identification number, primary physician, secondary physician if applicable, and individual identification such as sex, date of birth, Social Security number, and the primary person the member wants MedicAlert to notify in an emergency. In addition, other relevant medical and non-medical information can be stored; it's the choice of the member.

Our extensive professional education program assures that emergency responders look for the renowned MedicAlert emblem, read the engraved information during patient assessment, and then call our response center for all the member's key medical facts. There are an estimated 3 million emergency responders in the United States, and we annually provide free training tools to assist them in better treating our members in a crisis. Where information is stored is meaningless in an emergency unless the person attempting to assist you is aware of its existence.

One aspect of our program that is most popular with our members is the family notification service. We will call the member's family contacts during an emergency, provide the name of the contact person, and the facility where the member is, or is being transmitted to.

In addition to those member services for which we are best known, MedicAlert has more than a decade of experience in providing confidential registry services. Because of patient confidentiality concerns of the FDA, MedicAlert was selected in 1989 to locate the 33,000 patients in the United States who had received the defective BSCC heart valve implants. We were then retained to manage a life long registry that the court had required Shiley(?) Corporation to maintain.

We later accepted responsibility for registry management for more than 30 countries for this implant in an unprecedented and very successful registry venture. We continue to work with the U.S. District Court, 7th District of Ohio that continues to maintain control over this class action settlement suit, developing cohort studies for them, again because of our reputation of confidentiality.

We are also the official designated provider of repository services for pre-hospital do not resuscitate, DNR, advanced directive documents for residents in Arkansas, California, Kansas, Indiana, Maryland, Nevada, New Mexico, and probably as of this week Wisconsin. Over 6,000 members have DNR orders on file at MedicAlert, and hundreds of members have the existence of their advanced directive notice in their emergency medical file.

Recognizing the growing demand from our members and from the medical professionals for expanded services in the area of advanced directives, MedicAlert Foundation will be launching a national advanced directive repository later this year.

We also provide national repository services for an especially vulnerable population, children with high risk medical needs. During medical emergencies, emergency physicians can gain access to their young patients' medical histories by contacting our call center. Access to this relevant information is critical to effective assessment and treatment of these high risk youngsters.

Our unique role as a consumer-directed, provider-supported emergency medical information service assures that any and all personal and medical data is provided voluntarily by our members. MedicAlert has always provided its members with full disclosure regarding use of their personal data. MedicAlert obtains prior written approval for all storage and transfers, electronic or otherwise, of the members' personal data.

The foundation is taking considerable steps to insure that the information loop between members, MedicAlert, and emergency personnel remain closed, thereby avoiding any breach of member confidence and security by other information handlers or processors. Thus, both our members and the emergency personnel who serve them can be assured that medical information remains secure, confidential, and used only for authorized intended purposes.

We have written standards and procedures and protocols in place to secure the protection of that information. Our policies preclude the selling, renting, or loaning of any part of our records, including but not limited to: name, address, telephone, position, any medical information. All employees, all volunteers, and any service contractors who have access at any point in time to member information must sign confidentiality agreements.

Our written Internet policies prohibit data drilling or other uses or abuses which do not specifically relate to the confidential collection, storage, and authorized transmission of our members' personalized information. We will not release any information to any individual or entity not specifically authorized to receive such information under emergency situations, and only by court order will we release information of a member at the request of the law.

MedicAlert also serves as a conduit in many instances for our members receiving additional information, however, we will not provide to any of those entities who are providing information, direct access.

With overview of our services and our position on confidentiality, I would like to touch on our Internet-based services. We will continue to employ very strict privacy and confidentiality protocols as we expand our Internet-based services. We currently use our Internet to provide information, accept registration for new members, and accept limited updates on existing member records, and that's really name and address changes.

MedicAlert designates one individual in our emergency call center to oversee any of this Internet activity. Any questions or concerns are followed-up directly with the member by one of our medical resource team nurses. This system is separate from our master database system, therefore insuring that there can be no access to the membership database.

We maintain system integrity with the following features: a standard secured Web server, secure firewalls on site for both hardware and software, uninterruptable power supply, back-up generator, and a back-up server stored off site. We are continually investing and enhancing our computer information technology systems, and our data storage capacity.

But as we look to the future expansion of service to our members, we have made a strategic decision to move cautiously in developing and implementing Internet-based information and service offerings. Since MedicAlert is a non-profit organization, our sole purpose in establishing enhanced Web functionality is to meet the needs of our members. Any revenues or donations that we receive are obviously reinvested back into the organization to better serve our members.

With the popularity of Internet-based health records we are frequently approached -- one a week -- by companies seeking a partnership with us. Because we have limited financial resources, we always explore these opportunities to determine whether or not there may be a relationship that could be beneficial to our members. However, we will not allow access to our database. We will not allow any partner to data drill via our Website.

Given our adherence to these privacy standards we find that most partnership opportunities are in fact only a company's desire to access our database of nearly 3 million people with medical conditions. While we have purposefully chosen this cautious approach, we fully acknowledge that it has cost the organization if you will, in terms of lost partnering revenue, market share, and even investment funds for technology. However, we continue to place a greater value on the confidentiality of our member information.

Our frequent surveys of our members indicate that trust and desire for confidentiality are the top two reasons people select MedicAlert as their provider of emergency medical information. Ultimately, we believe that informed consumers, health care providers, and policymakers will also value confidentiality and privacy of personal medical information. This is what differentiates MedicAlert Foundation from many other companies and organizations that have taken a decidedly different marketing approach.

MedicAlert is open to partnership possibilities, but only with entities that adhere to the same ideals and values we do. Certainly the technology will exist in the very near future, and there are those who will tell you it exists today, to insure privacy and confidentiality in medical record transfer.

We are currently exploring two avenues that we believe will permit us to make that service available, and still protect our members, a collaboration with Dr. Betina Experton(?), who is the president and CEO of Humantrex.com(?), who I believe has presented to this committee before. Dr. Experton shares our vision, and she has patented a secure Internet smart card, and that is one of the methods that we are investigating that might be a way for us to move more safely into Internet access.

We are considering two other proposals with companies who have willingly put the needs of our members first. We are very anxious to add Internet capability to our traditional service package for those members who are comfortable with having their information shared online, but we will do so only when we are confident that not just the medical information, but any information we store cannot be accessed by others without their expressed permission.

In the future we know that we will be able to provide emergency medical personnel, our secondary customers, with authorized, secure Internet access to the files so that they may download that in case of emergencies. However, our Internet-based services will continue to be supported by our 24 hour emergency call center, staffed and accessible 24 hours a day, 7 days a week, 365 days a year anywhere in the world.

MedicAlert is not a virtual company. We are an organization with an Internet presence, Worldclicks(?), but we are supported by the physical substance of our bricks. In our case, that substance has experienced people who answer the call for help 24 hours a day. Because as rapidly as the information age moves forward, our members, over 4 million, may encourage emergencies worldwide where they are not near a modem.

We are proud of our 44 year record of success in providing timely, accessible, accurate, and confidential personal medical information during emergencies. While the methods of collection, storage, transfer, and communication is changing this technology, our commitment to privacy and confidentiality of personal information will remain constant.

Again, I thank you for the opportunity to present our case, and I'll be happy to respond to questions.

MS. FRAWLEY: Thank you.

What I would like to propose is we are a little behind schedule, so to only take a five minute break. The reason for that is Sam Sugar has to leave at 11:15 a.m., he has another commitment, and we would like to have the opportunity to include him in the panel discussion. So we'll take a five minute break and reconvene at 11:00 a.m., and start our panel discussion.

Thank you.

[Brief recess.]

Agenda Item: Panel 1 Discussion - Subcommittee

MS. FRAWLEY: What I would like to do is invite the members of the subcommittee that have questions for Sam to direct those first, since unfortunately he has another commitment and does have to leave us in a few minutes. So I'll just turn it over to any members of the subcommittee.

DR. COHN: I think I have a general question for everybody, but since Sam is leaving soon, maybe we'll have him start the conversation. Obviously, I am very concerned about this issue, as I think many of us are. I really do appreciate the fact that all of our testifiers I think sound like they have very reasonable security practices, but I also know that this could change in a day, a week, whatever.

What occurs to me is at least part of the solution, and I'm curious about how much of the solution is that the HIPAA privacy and security rules ought to be extended to include the types of practices that you are all involved in. Now Sam, you had specifically sort of brought that up in a bullet that said, well, no, but I don't think so. So maybe you should start off by explaining why you don't think so, and obviously, I'd like to hear from everyone else, especially Janlori if that's really part of the solution or not.

DR. SUGAR: Dr. Cohn and Ms. Frawley, I appreciate the forbearance of the committee. I apologize for having to leave early. With regards to HIPAA specifically as the regulations are written and evolved, they currently don't apply to paper-based records, as we know. And they do apply to the 20 percent of medical records that are in EMR format.

They are specifically silent on the issue of Internet-based personal health records. And the reason why my own personal stance is that HIPAA should not apply to the Internet-based personal health record is as follows. I believe that these companies, organizations, these methodologies will emerge over time. What we are looking at is volume 1.0, or 1.1. The first iteration really of this venture into Internet medicine.

Secondly, I believe that if they are too regulated, if you think people are worried about their insurance company getting their information, just ask them how they feel about the government getting their information. Now that may be an anathema here in Washington, but in the heart of America I will tell you that if you took a survey and said, what is the one organization that you don't want having your information? It wouldn't be the insurance company, it would be the government in one form or another.

And so I believe that the growth of this industry may be thwarted. In effect, it may be for naught if suddenly consumers are faced with the problem of complying with giving the right information to the right people at the time, in the right format, which is why I am not a proponent of HIPAA coverage for IPHRs, because I believe the consumers are the ones who generate the data. You would be putting the onus of responsibility on the consumer, which I think is inappropriate.

DR. BOOTH: I'd like to also talk about HIPAA. I think Dr. Sugar does raise some valid issues with those concerns. We have taken the position, however, that we intend to be fully HIPAA compliant, and have actually already started the process of being HIPAA compliant, and established an officer within the company to make sure that we begin implementing what we think HIPAA will look like when it comes out. It is not entirely clear what is going to be included in that, but I think we have a pretty good idea.

We have already done a study with an independent outside consultant on the steps that we need to take to be fully HIPAA compliant, and in fact a lot of our system already meets those standards, such as already having our database encrypted, and having security measures in place, and having our information de-identified, and not having any patient-specific identifiers on the information. We have already taken some steps that will meet that. We definitely plan to be fully HIPAA compliant. We see that as not so much a burden, but as actually a benefit to us to be HIPAA compliant.

MS. FRAWLEY: Jeff?

MR. BLAIR: I'm sorry, I didn't want to cut off any other --

DR. COHN: I was actually hoping we could hear from the rest of the group about this issue. Is that okay?

MR. BLAIR: Sure.

MS. GOLDMAN: The issue of the current scope of the draft regulations both in the privacy and the security area under HIPAA, I think there are a lot of broader issues than the ones that are focused on here. But let me just say that in terms of the current scope, in terms of covering health plans and providers and clearinghouses, we have taken the position that the scope is inadequate, and not due to any weakness on the part of HHS, but because that was the delegation of authority under HIPAA to the secretary. So she is constrained by that delegation. And if there were to be a broadening of the scope, it would need to happen through legislation.

But I do think that where there are health care entities, whether they are operating on the Internet, off the Internet that are providing care, and where there is covered information, identifiable information, then they are clearly within the scope of HIPAA. Even if the information was once in paper form, once it is in electronic form, even the information that is then in paper form is covered under the draft. So I think that's important, that only information that is in paper form and stays in paper form would not be explicitly covered.

On the issue of whether there should be a broader scope, I think that looking at HIPAA and trying to come into compliance because it is good practice would be the right thing to do here. It's going to be very confusing for people, particularly if you are talking about health care activities, that there should be some uniform set of privacy rules.

There should be some expectation that people's expectation of privacy should be mirrored in the practices. And if you are holding yourself as an entity that is in some ways directly related to health care, then it is important that you see yourself as in compliance voluntarily. That the scope of HIPAA right now is there because the delegation which was authorized in 1996, before many of these entities even existed, or they were still in the very formative stage, I think shouldn't constrain where we go, because it's the right thing.

The other thing is that the comments about we're in nascent stage, and we don't want to hamper develop -- you hear that all the time when you are talking about economic activities. I think it's really important that we take advantage of the fact that many of these activities are in their nascent stage, because that's where policy can be shaped.

Once you have an entrenched industry and you start to hear about well, it's a $40 billion industry, and we don't want to hamper or in any way create a lower revenue, then the argument becomes even more powerful. This is exactly the time when you want to put rules in place, when things are at a nascent stage and you can retool and design.

And in terms of the government regulating, government regulation does not mean government access. The government regulates all kinds of activities -- commercial activities, non-commercial activities, and that doesn't mean they have access to the data. It means that there are rules in place that have to be followed. I think there is nothing in the federal regulations that would require access to identifiable data.

MR. BLAIR: Actually, I'd like to save my questions for after Bob Gellman has asked his question, if that's okay.

MR. WIESE: I don't think it's hard for entities like ours to be in compliance with HIPAA. I don't think the scope of what they are talking about really gets to the issues. I do think HIPAA transactions ought to be -- consumers ought to have the right if there are HIPAA transactions occurring, electronic standardized transactions, consumers should be able to raise their hand and say, if you are giving that information to someone else, I want it, and be able to get that information transferred to their personal medical record.

But as it relates to regulation of this type of activity, I would encourage -- in fact, I just explored with a lawyer this week, I think there ought to be FDA regulation for these types of Websites. I would welcome that, because I think it would keep the riff-raff out. I think that if you are going to be engaged in this type of activity, you ought to be willing to meet a standard that something like the FDA could impose on you, and I would welcome that standard and that regulation.

MS. GLAZEBROOK: I think certainly the points raised are all on target. I would only add that from the perspective of a high percentage of our members, there are many who are elderly, vulnerable, with multiple conditions, and seek some kind of protection. They are concerned and nervous about medical information and the Internet.

They think when we look at consumer-directed activity on the Internet, there is a tendency to think of those who are healthy and fully capable of making decisions, of reading privacy statements. And there are a great number of individuals who are not that comfortable in understanding what may be happening to them, and to their information. So I'm not normally a proponent of regulation, but I think in this instance it is certainly appropriate.

MS. FRAWLEY: Bob?

MR. GELLMAN: Dr. Sugar, who owns your company?

DR. SUGAR: I do.

MR. GELLMAN: Personally?

DR. SUGAR: Yes.

MR. GELLMAN: Planning an IPO?

DR. SUGAR: Do you want to buy?

MR. GELLMAN: No.

DR. SUGAR: That's usually the question. At this time, no, we are not planning an IPO. Our company is only about five months old, and we are in the very early stages of growth, although growing we are.

MR. GELLMAN: One of the things you said that struck me as very interesting, you talked about the need for ethical business models, and I think that is exactly what is needed here. I think that's what is absent from at least some of the people in this industry.

We have some of the pages from your Website. I liked some of what I heard from you in terms of how you are operating. We have some of your Web materials here. I don't know if we have them all, so it's really hard to draw a conclusion, but the privacy stuff is okay, although I find the privacy disclosures incomplete. I think there is more that needs to be there.

The only thing that I see here, and this is a difficult area, is you've got the Website from the Health on the Net Foundation. And as I said in my opening remarks, I think that's totally useless in terms of privacy, and it's almost deceptive in terms of promising something.

DR. SUGAR: I think that deserves an explanation. The Trust-E System, which is the other well known system for security and privacy on the Net is a rather expensive system for a start-up company to buy. It costs a lot of money, and I frankly didn't see much benefit in either of them, to tell you the truth. So we elected to do the Honesty on the Net code, which at least is a starting point. I think our policies go far above that.

MR. GELLMAN: I think that's true. And by the way, I don't think Trust-E is very good either. Trust-E has got a lot of problems, and I think a Trust-E seal on a health Website is basically inappropriate, because Trust-E allows you to disclose information with an opt out, rather than with an opt in, and I think that's entirely inappropriate.

DR. SUGAR: It's for precisely those reasons that we have at the very top -- it didn't reproduce very well, but if you go onto the site, there is an entire section on security and privacy that explains it. It's right at the top of that left-hand column, but you don't see it very well on the reproduction. But it's there, and it's where we want everybody to stop before they shop.

MR. GELLMAN: I have other questions for other people.

MS. FRAWLEY: Okay, Jeff.

MR. BLAIR: I don't know many of you know that I'm blind, but this weekend my reader read to me for like five hours, reading through this absolutely fantastic briefing book that Gail Horlick put together. And I was really riveted. This is a very sensitive, important issue. It is a subject area where I know that I personally am waiting for the time when I put my health records on one or more of your services. And I think that this is an area where there is going to be great demand in the future. It is a real value.

I was also impressed that virtually everyone paid attention to privacy and confidentiality and security in some manner, and some of you have done extensive work in trying to ensure privacy and confidentiality. You probably can tell by the way the compliments are coming first, that I have some concerns.

And I drive it down to the things that I am concerned about where it almost comes down to two questions in my mind, and I would like to hear from all of you on these two questions. These are valuable services. Number one, is it really possible to provide these services, and provide ironclad -- I mean ironclad -- privacy, confidentiality, and data security?

I know that a lot of you have done a lot of things, but Bob Gellman did a very good job, and so did Janlori in pulling together this information to show where the exposures are. And those exposures are sufficient to be a deterrent. Doubleclick is the most obvious one.

The other one is to what degree are advertisers able to capture information, and then piece them together later with other information? So it raises the question in my mind whether the business model of having advertising on these displays, is that viable? It may be financially viable, but is it viable, is it possible to do that and still have ironclad confidentiality and privacy protections?

The second question that I have is if you say that it is viable, then I would like to really hear how you could address the concerns that Bob Gellman indicated with respect to being able to ensure that the information isn't combined with other information, isn't mined in some manner or form. Because to be honest with you, I would like to see these problems addressed, because I think that these services are needed.

Could each of you maybe address that?

DR. SUGAR: Sure, and again, I appreciate the opportunity of doing so. By its very nature, the Internet is a public medium. If you are smart enough, if you are clever enough, anything that goes on in the Internet is yours. And as a result, I reluctantly answer your first question as no, I do not believe that there is any way with today's technology to make an absolute, positive assertion that no one will ever see the data that you enter in your personal health record. I don't believe that's possible.

Having said that, however, one must take the balance of the benefits versus the risk. I don't know that at this point the risks of divulging medical information that you don't want divulged are that high. My technical people tell me that in order to get into our database, it would take a hacker of the tenth degree to break through.

You know, we've all got firewalls and SSL and all that stuff. That doesn't mean it's impossible, but I could never guarantee it. I think the key issue here, and I'll stress it one last time, is the business model of the corporations that are doing this. If your business model is an Internet revenue-sharing agreement with advertisers and people who partner with your site, what they are buying from you is information. And we have taken the stance that that simply will not happen on our site at all.

If you use the Internet model you are locked into the idea that you are going to be selling something, that you are going to be sharing something in return for revenue, and that's where I think a number of the issues come.

Thanks for the opportunity of being here.

MR. WIESE: I don't think it's possible to have an ironclad guarantee. My chief architect is a Bell Lab computer scientist. My president has got a Ph.D. from MIT, and they assure me that I could never make that attestation. I do believe that you can create very significant and reasonable safeguards that will minimize the likelihood very significantly. I think there is a huge difference between what you can do, and what many sites do.

I do think that I can completely protect information from falling into advertisers' hands. I think that is achievable, and I think that has to be done.

MR. BLAIR: Explicitly, what other things would you do that you haven't done so far to be able to do that?

MR. WIESE: I don't know of a thing that I haven't done so far, because I've spent about $10 million doing it. I did every one I knew.

DR. BOOTH: I don't think -- we've seen over the past few weeks where Yahoo and some of the biggest names in the Internet have been sort of denial of service attacks. And I think there are always going to be people out there that are trying to break into these systems. I also don't think that no matter what kind of security we have in place, and we have as good of security as anybody, but I don't believe that anybody can say anywhere on the Internet that is 100 percent ironclad guarantee that somebody won't figure a way to do something malicious to these systems.

I also think that we need to again look at kind of the risks versus benefits, and kind of look at how the paper-based medical record systems in hospitals are today. There they are not as secure as what we have using the encrypted databases. I mean you can walk down any hall in any hospital and you will see patient charts sitting on desks, and they are on carts that the clerks and the nurses move up and down the halls. It's really not that hard for someone to put a medical chart under their coat and walk out of the hospital with it.

So I think the idea that your medical information is totally secure, even in the hospital, even in your doctor's office -- there is nothing to say someone couldn't break into your doctor's office and make off in the middle of the night with all the charts. And then your medical information could be anywhere.

So I think there are a lot of security breaches in medical information, not just on the Internet, but in the hospitals' paper bases, the insurance companies' records, the information is available in lots of different places, and there are lots of security holes in all of those systems.

I think what I struggle with as a physician with the privacy issue is the question if the information is locked up so tight that no one ever views it, then it's really not going to do the patient any good. If the physician never has access to other physicians' notes, and they can't be transmitted, then it really is not helping the patient out.

As a physician, my strongest motivation is to see what I can do to provide the best medical care for the patients. That means the flow of medical information across various systems from one state to another. The way people travel and move, they don't just go to one doctor anymore. If you only ever went to one doctor, then you could have a much tighter clamp on the security of the medical information, but people are traveling, and can end up in emergency departments across the country, and they move.

So we have to find a way for this information to be able to flow between the different health care providers. I think as soon as you do that, you automatically start creating security holes and places where privacy can be violated.

MR. BLAIR: So as I understand, the one that I had the greatest concern about was relationships with Doubleclick, and what advertisers might do to gather information.

DR. BOOTH: I certainly had no intention, and like I said, we have a contract in place that specifically prohibits them from even combining the small amount of de-identified information we use to serve up the ads, we prohibit them from combining that with other information they may get from other sources.

I think we've gotten it in writing and verbally that they are not doing that. Could they maliciously do that? I think it's a possibility. A relationship with Doubleclick and any other partner that we might do business with is always in constant review. It's something that we feel strongly enough about that if it happens that we feel our contract and the intent of our contract is violated, I certainly think that we'll take every step that we can to eliminate that problem.

MS. GLAZEBROOK: Mr. Blair, I think the reality is that as long as there is a perception among venture capitalists or dot-com wannabes that there is an opportunity to make money on your medical information, then this business model will continue. And for whatever reason, if that opportunity is curtailed, then there may be an opportunity to look at it differently.

Ironclad, never, just as has been explained by colleagues. That doesn't occur now, and will not occur in the future. But as long as there is a great profit line viewed on medical information, whether it's a pharmaceutical company, an insurance company or dot-com Internet, there is going to be an issue around confidentiality.

MR. GELLMAN: I have a few questions and a couple of comments. I just want to make a comment on this issue of HIPAA applicability. It depends what you are talking about. HIPAA has got security standards which may have some applicability here. HIPAA privacy standards have no applicability here whatsoever. They are designed for an entirely different environment.

And in terms of the FDA regulation: (a) I'm not aware that FDA has any jurisdiction in this area; and (b) FDA does have a very good track record on privacy issues to begin with, but I understand the comment.

I have some questions for Dr. Booth. Do you consider your service to be providing treatment to patients? Do you have a doctor-patient relationship?

DR. BOOTH: No.

MR. GELLMAN: Let me read you a sentence from your own statement. Privacy statement for PersonalMD. "We regard our relationship with our members as privileged as a doctor-patient relationship." How can you say that?

DR. BOOTH: I don't think we view it in the strict terms of doctor-patient, but I think we are trying to hold ourselves to that same level, and trying to do everything we can do to protect a patient's medical information.

MR. GELLMAN: I think the statement is highly misleading. Any patient who reads this, who is not a lawyer probably, and even many of the lawyers wouldn't catch it, would think that their records are privileged as doctor-patient records are privileged, and they are not. I think this is highly misleading.

On the same theme, "Does PersonalMD share my information with anybody? No." Now there is an earlier point in here in your presentation in which you say no, we don't disclose information without a court order. And you say we generally don't. As I read through your statement, it said, "PersonalMD may disclose or access account information when we believe in good faith that the law requires it, and for administrative or other purposes that we deem necessary to maintain service, and improve our products and service." That means you can disclose any information you have to anybody. That's your own statement.

DR. BOOTH: I think the point we were trying to say is there could be instances like if the server crashes, that we would have to go in there for administrative purposes to get into the database.

MR. GELLMAN: That's not what the statement says. If you wanted to say that, that you may have technical requirements which may require you to look at records, that's something else. This thing says as broadly as you could possibly write it, "For administrative and other purposes that we deem necessary to maintain service and improve our products and services." You can give information to anybody at all under that standard. I think that is inconsistent with the statement that you make earlier, and I think it's entirely inappropriate, and totally misleading.

DR. BOOTH: I think that's probably something we need to review and update, and make a better statement, because that's certainly not our intention, to use it as an out to disclose information. So I think we can certainly rewrite that so that it's more clear. Like I said before, you mentioned before not changing it. What I would like to do is be able to change them to make them better. I have no compunction about improving our privacy statement so that it's clearer and not giving an out to disclose information.

MR. GELLMAN: Oh, I think the problem of changing statements is a difficult one. I haven't seen a Website that has done it well. I think there is a need to preserve some rights to change statements. I just don't think that blanket rights to change statements at will, without restriction is appropriate.

Another place in your slides you say, "Users can opt out at the point where we request information about the visitor." What are people opting out of? You say you're not sharing information with anybody. What's the opt out?

DR. BOOTH: It just means whenever there is a place where it asks you to enter a field, there is an exit button so you are not forced into answering that to get at those screens.

MR. GELLMAN: And that's what you are calling an opt out? Normally, an opt out is opting out of authorizing disclosure stuff.

DR. BOOTH: Yes, there are various pages, and some of them have specific opt outs and opt in buttons right at the place of the information. There was maybe an exit button.

MR. GELLMAN: Well, I'm just confused about terminology here, because opt out, if you are not disclosing information at least in the traditional way opt out is used, there is no reason to offer people an opt out. The fact that you are offering opt outs suggests that perhaps, and I don't know based on what you said quite where it applies, what it means.

I have a question for Janlori. In your report I don't think you looked at PersonalMD. I'm wondering if since you did your report, you had a chance to look at their Website?

MS. GOLDMAN: Well, we did not look at it for the report, but knowing that we would be on the panel, I thought I would look at the site. I have a number of questions about it, and I know the co-author of our report, Richard Smith this afternoon may actually call up the site so we can look at it.

But one of the questions that we have, and one of the things that Richard was able to tell was about the use of cookies by Doubleclick. I don't know if you are aware that Doubleclick does use cookies in looking at your visitors to your site.

DR. BOOTH: Only because I tried to do some investigation for this committee. So I'm not sure I know precisely technically how the cookies are used, but I'll certainly take a look.

MS. GOLDMAN: What we were able to tell, and again, this is where Richard's expertise was so useful to us, he is able to look behind what is transparent at the site, and was able to tell that yes, they in fact do use cookies, and that they place that information at their site, not at your site, which some third parties do, but they place it at their site.

Given what we know about them is that their goal, and regardless of whatever agreement they have made with you, if they are using cookies, which they don't need to use in order to perform their service, in a way that allows them to get information about the user: what page they are looking at; what information they have disclosed at that page.

Then their stated goal in their marketing materials is to then combine that information with identifiable data so that they can develop a marketing list that they then use. So it's very, very troubling. I know there has been a lot of attention about their practices. But I think it's very difficult to suggest that they are not gaining information, when we actually were able to tell with the steps that Richard hopefully will walk people through this afternoon, that they are actually gathering information.

MR. GELLMAN: Janlori, can you tell us right now what information was transmitted in a cookie from PersonalMD to Doubleclick? Do you have that?

MS. GOLDMAN: Richard is going to show it, and again, I always defer to him on this, because I think it's an important visual. My understanding is it's the URL, and the information embedded in that URL. In other words, the URL of the host site -- in this case it would be PersonalMD -- as well as information about the page that person is at. If they are on a page for instance on diabetes, or they have just entered in some registration information or other personal information, that that often goes as well.

We have even seen instances where the email address of a user is transmitted as well. I'm not sure in this instance that email address is transmitted as well, but I do know that the URL and the page from which the person is linking is transmitted through a cookie.

MR. GELLMAN: So there is information going from PersonalMD back to Doubleclick, notwithstanding what Dr. Booth has told us, that they don't disclose information to Doubleclick?

MS. GOLDMAN: That's our understanding.

MR. GELLMAN: Do you want to respond?

DR. BOOTH: The way I understand that the ads are served up, it is based on totally de-identified information. It is information that people choose in their preferences. They are specifically asking us to supply information on various diseases. The way we serve up the ads is based on totally de-identified information. To my knowledge there is no personal information that you put into your record that is supplied to serve up the ads.

MR. GELLMAN: You are welcome to stick around and watch Richard Smith's presentation this afternoon.

DR. BOOTH: Sure.

MS. GOLDMAN: I think it's important to point out that when we released our report, we found that many of the sites that we surveyed either didn't quite know how Doubleclick operated, or how information is transferred through cookies. And then how you are able -- because what appears to be de-identified may not always be identified all throughout a person's use of your site.

And I think that once that information is made available, you need to take action again to make sure that the policy is consistent with the practice. I think that's the purpose of the report. That's the purpose of the demonstration. These are not necessarily easy issues, but once it is made clear, action has to be taken.

MR. GELLMAN: Kathleen, I have some more questions, but I'll wait another round.

MS. FRAWLEY: Let me give Kepa a chance. Kepa?

DR. ZUBELDIA: Yes, I have some questions along the same line. When you access an outside site like Doubleclick, you are always in the URL. You can't prevent the URL from going out. You have to be careful with what goes in the URL. When you are looking at the PersonalMD pages that we have in the book, it shows that the URL has the log-in ID. So it's not only the page that it is accessed from, but also log-in ID of the user accessing that page that gets transmitted to Doubleclick.

DR. BOOTH: Actually, I think that's not the same as the ID. It's not the log-in ID. It's a totally separate, random ID.

DR. ZUBELDIA: If Doubleclick is serving the ad with FTP instead of HTTP, they will in fact get the email address of the person reading the ad automatically, because the FTP programs automatically in the protocol, serve the email address to access the server. And a lot of people don't know that, that without accessing cookies, without using cookies at all, you are serving the email address of the person viewing the page.

But you mentioned that there is an opt out mechanism in PersonalMD where the user can press a sign out button and disable the cookie. That was very interesting, because I'm on the technology side, and I've never heard of a way to disable a cookie. In fact, going from one page to the next, the only way for the next page to know that they are not the other cookies is by having a cookie in the first place, because that's the only way you have to track the session.

So you do have to have the cookie. You can't disable the cookie. So there may be some invention that maybe talking with your technology people we can share and learn something about it.

But there was something else. I would like to get a clarification from you what is Doubleclick's interest in PersonalMD if they cannot use the information? Because they have to have some interest other than just goodwill.

But there was another question, and I'm sorry to stack up two questions. You mentioned that you keep the database encrypted. I agree that that is probably the only way to prevent a hacker from breaking into your site and coming out with thousands and thousands of records, because if it is encrypted, they can't do anything with it.

And you also mentioned that your employees don't have access to it, which is commendable. It's great. But in your presentation when you talked about how to correct or update the information, the user can correct the information by visiting their own Web page, and inputting their own ID and password and correct their own information. Or, and this is like number 14, they can send an email to operations at PersonalMD, and request the changes. And if the page is truly encrypted, and your employees don't have access to it, it's pretty puzzling to me how they can make those changes.

DR. BOOTH: Well, I think that sort of gets into the other issue that we were talking about with the only way they would use that is if they, for some reason, couldn't understand how to make the corrections. Then we would go back and tell them how to get back into their record and make the correction. We wouldn't actually go in there and do it.

The only instance I can think of where an employee would actually go into the records is if for some reason there was some technical problem with the computer, and the person is trying to delete their records or change their records, and they email us and say I'm in here. I'm trying to make this change to my record, but the system won't make the change. Then at that point, if it was a technical problem with the software or the hardware, then the technician would have to be able to figure out how to correct the problem.

But that's not the standard way that patients update the record. If the system is working, they don't need to email us. They can do it on their own. But we do have to have a way in place that if either the user can't figure out the system, or is in trouble with it, they can contact us and then we can tell them how to do it. If it's a problem with our hardware, then we'll have to fix it. But the standard way to do it is to go into your system and manage the account.

DR. ZUBELDIA: Can you help us understand what's the interest of Doubleclick?

DR. BOOTH: Yes, I think simply we're just paying them to serve up our ads. It's not like we are trading out our information for their ads. The ads, to my knowledge, are expensive, and we would have had to have spent hundreds of thousands of dollars to be able to serve up ads.

MR. GELLMAN: Are you paying Doubleclick, or are they paying you?

DR. BOOTH: No, I think we are paying them. I wasn't involved in the actual contract, so I'm telling you to the best of my knowledge what I think is our situation. And that is why we added that extra clause that I had mentioned before, that would specifically prohibit them from accessing even like the information that you mentioned on the cookie.

DR. ZUBELDIA: I have another technical question. Maybe you know, or maybe you don't know the answer, but you mentioned that you use a 128 bit encryption, and a 40 bit encryption for browsers outside the US.

DR. BOOTH: I believe that's because of the regulations involving --

DR. ZUBELDIA: How do you know they are outside the US?

DR. BOOTH: I'm not sure how we know that. All I know is that we're trying not to violate the laws in place that say you can't provide the encryption to outside the United States. Technically I don't know how that happens.

DR. ZUBELDIA: One of the projects in which I'm involved is the interoperability pilot. We found it very difficult to require 128 bit encryption in the US, because most people don't have browsers that are 128 bit browsers. We found that if the Website restricts the users in the US to only use 128 bit encryption, it was a nightmare. Have you found that?

DR. BOOTH: I think the way the system works is I think it can detect -- because when I talked to the technical person, they said we can use up to 128 bits. If they have a browser that is not 128 bit, then we can detect it and transmit back and forth at the level of the users' browsers. I believe that's the way it works, but I'm not positive.

DR. ZUBELDIA: Then I have a question for Calvin too. You mentioned that you have done everything that you can possibly do to tighten your security. Have you done penetration testing?

MR. WIESE: Yes.

DR. ZUBELDIA: Good. And the results were that you are secure?

MR. WIESE: Yes.

DR. ZUBELDIA: Excellent. There is another concern that I have with the way you explained you are doing the identification process of people. On the Internet it's very difficult to capture a single transmission, even with 40 bit encryption. It's very capture to decrypt a single transaction and get anything useful out of it. Even if you were to decrypt that session, you would get one person.

But we have seen some situations lately in which a site is attacked, and the information in the site is captured. In fact, there was a hacker that got into a site and stole maybe 100,000 credit card numbers and then threatened the company. And as proof that he did have the numbers, he released 25,000 on the Internet, just as a token. And that is pretty scary, because our sites are vulnerable, other than the transaction itself.

At your site you said that you are maintaining a database of the domain-specific identifiers that individuals use. The domain-specific identifiers have a privacy benefit. It's that if a domain is penetrated, and you get the identifier from that domain, then my privacy, if I lose my dental plan ID number, my privacy is not affected, because all the other domains are isolated.

But if you have one site where you have all my domain identifiers -- my mental record, my medical record, my hospital record, pharmacy -- if your site is penetrated, then that's a terrible privacy problem for me. So how are you protecting that database of domain identifiers from intrusion, even from your own employees?

MR. WIESE: I'm not a technical person. I'm a CPA, so I'm sure I couldn't explain, nor would I try to explain how that happens technically. I'm sure that it is not invulnerable though. At least yesterday I asked my chief architect whether it was, and he said never, ever say that. So I don't.

I think that's the big risk here. We talk about the security that is lacking in the physical environment. And you go into a doctor's office, and you can find many bad privacy problems. What mitigates that is it is only what he has got about you. Where you concentrate lots of records and lots of data, that becomes an attractive place.

Hackers probably aren't going to go to Dr. Jones and try to get his records nearly as much as if I have 5 million people with all of their domain identifiers, I'm a much more attractive place. And my burden of protection is far higher. All I can tell you is I can do whatever the technology available today allows me to do, and I'm doing that. But I can't eliminate the threat.

MS. FRAWLEY: Bob.

MR. GELLMAN: Ms. Glazebrook, I have a couple of questions for you. I just want your opinion on the use of the Internet for sort of all this emergency sharing of information. Every time I hear people talk about any kind of electronic medical records this is always the example. You're on vacation in Montana and taken into an emergency room. I'm very skeptical of this.

You guys provide a very limited amount of information on people, and is that adequate? There is no question that having more information might be more useful, but: (a) do physicians have the time to do this; (b) do they have Internet connections in emergency rooms? I'm assuming all emergency rooms have telephones. Could you talk about that?

MS. GLAZEBROOK: Certainly, thank you. We take our counsel from the American Academy of Emergency Physicians. And each year when we re-evaluate the hierarchy of the emergency information that we retain, we have a panel of those physicians review it, because things do change as time passes. There is only a very limited amount of information that they find useful in an emergency situation. And it's information that they need to have immediately.

When we counsel with our members as to the kind of information they include, because we are specifically emergency information-driven, we don't need to know that you broke your leg when you were seven. There is certain information that we need to know, and we keep that in a hierarchical pattern.

Physicians do tell us that more information is not always better in an emergency situation. Now for physicians who may be contemplating surgery, or there is additional activity that takes place after the crisis, certainly additional medical records would be helpful. There are those physicians who will tell us that even an EKG is not something that is useful to them. They are going to take that test. They are certainly going to test for blood type, whether or not that's in the record.

One of the interesting aspects of the emergency side of the information is how quickly a physician can obtain that from you. It's the timely matter. How much information. We fax, if the hospital emergency department asks us to fax the rest of the record. And it may be an extensive list of medications, and in certain conditions you may even include the dosage. And that may occasionally be useful to a physician, but they will tell us very quickly there are only six, seven, or eight things that we need to know in an emergency situation.

The same is true with EMTs. This is especially true in do not resuscitate or advanced directive matters. They need to know if there is a file on record. They need to know if it's approved by the state they are in, and whether there is a reciprocal arrangement. I think a number of our physicians would say ideally -- and it's why we are looking at the secure, smart card approach -- ideally they would love to be able to click into their computer, if they have one, and pull up just that amount of information we retained. I think very few of them would tell you they want the entire medical record.

MR. GELLMAN: Simon, would you like to offer a comment?

DR. COHN: Bob Gellman was looking at me, because like Dr. Booth, I actually am also a practicing emergency physician and board certified. I actually agree with what you are saying. Without having seen that data set, one could imagine at the very highest part of the list are things like is there a DNR? Are there drug allergies? What medications is the patient on, or very pertinent to acute diagnoses.

I personally think myself, probably like Dr. Booth, I do occasionally like to see an EKG, just because sometimes that is important at the moment. But you are right, I think it is really a relatively limited set of issues.

MR. GELLMAN: I have a couple of other questions. I went to your Web page last night, and I had a lot of trouble getting to your privacy policy. You have one. This is more a technical matter. I kept clicking on it, and I couldn't get to it. It comes up in a box, and the box keeps being hidden. I don't mean that there is anything deliberate here. I was able to eventually figure out what happened, but it took me a couple of minutes, and I actually clicked around enough things, and I was able to bring up the privacy policy, so that may need a little bit of attention.

MS. GLAZEBROOK: We are not as sophisticated as we would like on our nickels and dimes.

MR. GELLMAN: It actually may be too sophisticated. It would be easier if it was a separate page, but I'm not offering advice on how to code pages.

You offer an opt out on your page to your users. The opt out is limited to email. People can opt out of email. I'm just curious, is there a snail mail connection that you have with people? I just sort of expected to see an opt out that applied to everything?

MS. GLAZEBROOK: Because we do not have any advertisers or any partners, no one has access really to any information that we do retain. At this point in time the opt out does only relate to email. I think one of the reasons for trying to include a broader policy is as we move forward to different Internet development, we wanted to make sure that the policy was really inclusive.

MR. GELLMAN: I think your policy makes reference to your business partners. Who are your business partners?

MS. GLAZEBROOK: We have no business partners. Again, that's a point in fact of saying as we move forward into development. We currently have no business partners.

MR. GELLMAN: Now you ask your subscribers to provide Social Security numbers. Why?

MS. GLAZEBROOK: The Social Security number is the back-up identifier in the event that their identification is not available. That is, they've been in an accident in which they have been removed from either their card or emblem. It's a double reference for us. And we have used it several times.

MR. GELLMAN: I found in going at least part way through the registration process it wasn't required. I was able to register without providing it.

MS. GLAZEBROOK: Yes, you can.

MR. GELLMAN: In general, I thought your privacy policy was pretty good, but I think the disclosure statement that you have on your page is really incomplete. I think there are other elements of fair information practices that you could address. You may want to take another look at it.

MS. GLAZEBROOK: Thank you.

MR. GELLMAN: Calvin, I have a question for you. Much of what I heard from you sounded pretty good. I will tell you that the most disturbing thing I saw in the materials from you is your connection to Drkoop.com, and your connection to Dr. Koop. They didn't do all that well in Janlori's report, and they don't seem particularly sensitive to privacy. It's very nice to hear you say all these strong things, and I'll reserve judgment, as you have to with all of these sites, about what everyone is carrying through with what they promise.

But with Dr. Koop sitting on your board, and showing a significant degree of insensitivity to privacy, I really have to question your credibility here. Do you want to comment on that?

MR. WIESE: I probably don't want to send any messages that would reflect poorly on the good name of Dr. Koop. He is an icon in the industry. We did notice they didn't do real well in her report. And they have contacted us. It was interesting. They were very concerned about the pilot site we have with one of their community partners. Our response to them was we are very comfortable if people want to come look at when you go into the personal medical record piece of Drkoop.com, we are really comfortable in being investigated.

We may find problems, but we don't think the problems that happen when you are on the actual site continue to exist when you get into personal medical record. It is hosted separately. It's hosted in a server that Intel hosts, in a totally separate environment. The security and privacy policies are much tighter when you enter the personal medical record.

So if there is guilt by association, I accept that. But I do feel -- I wouldn't say I'm invulnerable. This is a new space, and I'm not arrogant, but I know these issues are very, very important to us. We think the success of our company will be in a large way determined on whether we can navigate these waters appropriately. And we're learning as we go. If there are more things we can do, we certainly want to know about those.

MR. GELLMAN: Do you use Doubleclick on your site?

MR. WIESE: No, we don't.

MR. GELLMAN: Do you have any plans to serve ads on your site through a third party?

MR. WIESE: We certainly don't.

MR. GELLMAN: Okay, that's good. Do you have a privacy officer in your company?

MR. WIESE: I don't have a specifically designated privacy officer in your company.

MR. GELLMAN: One of the things that I've seen happen, and this is broadly in Internet companies from the biggest to the smallest, and I don't have a really good sample. There are lots of companies, but I have seen the same pattern consistently. Sometimes some companies do have designated privacy people. Sometimes they have other people concerned about it.

What tends to happen in companies is the privacy perspective loses every time to the marketing guys and the finance guys. If there is money attached, that's why Doubleclick is on a lot of sites, because people want the money. And I think this is a real problem. I think that companies need to have designated privacy people, depending on the size and activity. But I think that this isn't really an issue given what you are doing, with enough authority and clout to be able to present this.

What happens sometimes is it isn't until the stories hit the newspaper, as in Janlori's report. There have been other cases where companies have outrageous examples of privacy practices foisted by the marketing folks hit the newspaper, and then two days later the company backs off and says, okay, we're not going to do that anymore. I think that this report that Janlori may be that document. It may not be. I don't know what the industry is going to do to respond to this. We will hear a little bit more about this, this afternoon.

MR. WIESE: I think that's an excellent recommendation of appointing a privacy officer.

MR. GELLMAN: Janlori, do you have any advice to consumers about any of these Websites? Are you telling them to use them? Not to use them? What do you tell people?

MS. GOLDMAN: Well, I think the report stands on its own. As you said, there has been quite a bit of publicity around the report. We had an alert about it at our Website. People who subscribe to our list serve voluntarily, we let them know about it.

I think it speaks for itself. Our recommendation is that people need to be extremely cautious. That they need to look for a privacy policy and read it. I think in the current state of affairs that's too much of a burden on individuals. I think people should just know that certain folks that hold themselves out in this field will have an enforceable privacy policy that has a chain of trust.

But right now what we are recommending is that they look for a privacy policy, read it, and be extremely cautious about what information they share. Disable their cookies if they are able to.

MR. GELLMAN: In my view, having looked at some of these policies and read your report, I actually don't think it's all that hard to write a decent privacy policy that gives consumers a fair shake here. Do you agree?

MS. GOLDMAN: I don't want to go to whether I think it's easy or difficult. I know when we put together the template that we used, and we not only looked at the broad categories of fair information practices, but we tried to break it out with a series of questions. I think that any Website that wants to develop a strong policy that will protect people just needs to go through that checklist. I think every single one of those questions should be answered, given the benefit of privacy to the user.

And I think that if that's done, and if there is some kind of a systemwide agreement to do that, and again, these Websites all perform different activities for different purposes, so we are not necessarily talking about a one size fits all. But if that is done, and people have some assurance that it's done, people don't have to read five pages of a privacy policy, and then have to check every single time they are on a different place at the site, what the privacy policy is of that page, because the privacy policy sometimes changes, depending on what the activity is.

MR. GELLMAN: Do you think this industry can regulate itself?

MS. GOLDMAN: My experience with self-regulation is that it doesn't work, that it's not enough. But I am not completely a naysayer about it, because it's a very important step in the process. Self-regulation allows the public and policymakers to see what is possible. What businesses are willing to do to set the standard high for themselves.

When you are willing to do certain things voluntarily, because it's the right thing to do, and it's good for business, and it's good for the consumer, I think that then helps to weed out some of the bad actors, and I think makes the case for regulation, because then you are binding the good actors that have already risen to that standard, and you are saying to others, if you fall outside, there are repercussions.

MR. GELLMAN: I actually think I agree with that. I think even if we all sat around here today and said we want to regulate this industry, it would be two years at a minimum, maybe longer before anything happens. So the industry is going to have to look after itself for some time. So I really think there is not much of an alternative in the near future.

I want to ask all of you a question about international privacy standards. I know that MedicAlert has international customers, if you will. Do you pay attention to any of the EU privacy laws? Do you think you're in compliance with them? Is this something you spend any time thinking about?

MS. GLAZEBROOK: Yes, we certainly do. We have affiliate operations in 12 other countries, and we pay very close attention to the privacy laws of those countries. We recently merged our operations in Sweden, Norway, and Denmark into the British Isles, and that took us almost two years for that transaction, because of the difference in the privacy laws.

MR. GELLMAN: The EU privacy laws are stricter, generally speaking, than anything you find here. Do you offer the same privacy protections to your US consumers that are available overseas?

MS. GLAZEBROOK: Yes, we do.

MR. GELLMAN: Dr. Booth, do you have international customers?

DR. BOOTH: Yes, we have had international people sign up. We have looked at the European Union's international privacy statements, and we are taking whatever steps we can to comply with those. I don't think we have looked at every privacy standard for every country in the world. I think this is a great case where standardization would actually help us, and help other companies doing this. Rather than having to look at hundreds of privacy policies across the world, looking at one. So I think some government regulation or standardization would actually be beneficial to the industry.

MR. GELLMAN: Calvin?

MR. WIESE: I'm not conversant with international privacy issues.

MR. GELLMAN: Do you have any thoughts on the international problem?

MS. GOLDMAN: I think we have always hoped that the EU's data protection directive would drive the development of privacy policy in this country. I'm not sure that that has happened. But I think that those that are doing business internationally do have to comply with the data protection directive. It is the standard in Europe. How it is adopted country by country is not going to be terribly different in the EU.

But the requirement that non-member countries such as the US have to have adequate levels of protection in order to have an EU citizen's information transferred here should, I think, drive the protection up in this country, because again, we don't have a federal law or decent standards on this area, so we cannot have adequate levels of protection until a comprehensive law is enacted.

So again, the EU directive doesn't say that practice is sufficient to show adequacy. It may be. So I think that at a minimum, if you are doing business internationally, you have to comply with the directive.

MS. FRAWLEY: Simon?

DR. COHN: Good, I get to ask a question. Bob was running through his questions so quickly, I wanted to do actually a follow-on. The two of you had an interaction where you were discussing should there be regulations, and sort of very quickly went through that discussion. Not being a lawyer, I'm a little less sophisticated on some of these issues.

But I think in your report, of everything there, the thing that bothered me the most was your conclusion that there was an inconsistency between the privacy policies and the actual practices. So we can write great privacy statements, we can make every police themselves by having glorious statements all over their Web pages, but then they will do whatever they are going to do.

I guess I'm sort of wondering how does self-policing work in that environment, and what is a consumer to do? Even if they do bother to read the policies, they have no idea generally whether people are really doing it, much less Bob's comment being that the next day they can change the policy anyway. Explain to me how self-regulation works in that environment?

MS. GOLDMAN: Well, I can explain how it should work, how we would like it to work. It was also the most disturbing finding for us is that there was this inconsistency. I think that is the trigger for any action that the FTC might take in this area.

With an outside company doing an audit or an internal audit, you can look at your policies and make sure they match up with your actual practices. You can also bind business partners and those that advertise at your site, those that you do business with, you can bind them to those policies contractually.

Now I'm not suggesting all of that is easy. It complicates some issues for the sites, but certainly that should be done and can be done. I'm not suggesting that all of the sites that we investigated were engaged in intentionally deceptive practices. I think that there are times when policies are written by one arm of a company, and practices are engaged in by another arm, or by a business partner, and those practices are not made clear to the whole site. But that's not an excuse.

The answer is technology makes certain disclosure possible, and you need to know what they are. You need to perform audits. You need to have your sites audited to bring the practices in compliance with your policies, after of course you have updated your policies and strengthened them. So it is certainly possible and necessary to do this.

MR. GELLMAN: Can I add a comment on that? Just in dealing with privacy generally, and how do we solve this problem, for a while I have been basically opposed to audit requirements, because I'm afraid that in a lot of circumstances you are essentially saying to the Websites or the companies, you should do something about privacy, and you should spend a lot of money up front to do it. And I think it was too high a barrier.

But based on your findings Janlori and some other comparable findings elsewhere, I think this issue of whether companies are actually complying with a site, you can't overlook this and say, well, let's just get people to have policies and stop there. I think especially in this Internet environment, and maybe elsewhere as well, that I'm sort of abandoning my view that audits are an essentially. I think in fact they may be more essential just in order to make sure people are doing what they say.

MR. WIESE: Well, they certainly don't hurt though, do they?

MR. GELLMAN: Oh, no, they don't.

DR. ZUBELDIA: I have another question for Calvin, and I don't know if you will be able to answer it or not, because it's not a technical question. It's in the confidential business plan that we have under Tab 5, so I don't know if you can discuss it in public or not.

MR. WIESE: I can.

DR. ZUBELDIA: One of the bullets under, "Related Business Interests and Future Revenue Sources," the first bullet is data mining and analysis.

MR. WIESE: Yes.

DR. ZUBELDIA: Can you tell us what your plans are to do this without privacy invasions?

MR. WIESE: Our view is that we should be able to do aggregated analysis of health information on a non-identifiable basis, but consumers should have the right to opt out of that. So our default position is that they are opted in, but they can opt out if they don't want to even be involved in that.

DR. ZUBELDIA: And what's the value, kind of mirroring the question that Bob asked earlier, what is the value of opting out if you are not identified?

MR. WIESE: I have encountered consumers who say they don't even want that to happen. So I am trying to play to the interests of the consumers. So if it's valuable for them to opt out, I'm going to give them the switch to push.

DR. ZUBELDIA: That's great.

Now I have a slightly off topic question. You are maintaining this personal health information on the Internet. PersonalMD is maintaining personal health information on the Internet. Dr. Sugar mentioned that integration is the holy grail of this. Are you looking at using some sort of medical record standard to share this information with the medical establishment that will request in a way they can use it readily with their medical record systems? Or will this always be a Web interface, one of a kind type of interface? That's kind of a question for both of you.

MR. WIESE: We haven't figured out how that happens. It is holy grail stuff. But it isn't here. One of the reasons why are the issues you are raising. We can fantasize that we'll set a de facto standard, but that's pretty much a fantasy.

DR. BOOTH: We don't have any plans currently to do that. I think every physician has always dreamed of a totally integrated electronic medical record system, and I think there are a lot of technical barriers to integrating all of these various legacy systems that are out there.

MS. FRAWLEY: Well, our time is up, and I'd like to thank all of our panelists for excellent presentations. It was very enjoyable. We will reconvene at 1:15 p.m.

[Whereupon, the meeting was recessed for lunch at 12:15 p.m., to reconvene at 1:15 p.m.]


A F T E R N O O N S E S S I O N (1:15 p.m.)

MS. FRAWLEY: We're going to call the meeting to order. We are back on the Internet, and have our afternoon panel with us. What I would like to do is ask our panelists to introduce themselves. Then we will start hearing testimony.

So Sam, if you would like to start.

MR. KARP: Good afternoon everyone. My name is Sam Karp. I'm the chief information officer with the California HealthCare Foundation.

MR. SMITH: Yes, my name is Richard Smith, and I'm an Internet consultant based out of Brookline, Massachusetts.

MS. VARNEY: Hi, I'm Christine Varney. I'm an attorney at Hogan and Hartson, head of the Internet practice group, and working with a group of medical portals called High Ethics.

DR. MUSACCHIO: I'm Bob Musacchio, a senior vice president for the American Medical Association. I'm responsible for their publishing and business activities.

MR. MACK: I'm John Mack. I'm president of the Internet Healthcare Coalition.

MS. FRAWLEY: Thank you. We're going to start off this afternoon with a presentation by Richard Smith.

Agenda Item: Panel 2 - Richard Smith, Consultant, Brookline, Massachusetts

MR. SMITH: I'd like to thank Gail and the committee for inviting me. I've been working with Gail since December on coming here. I had a little bit of a dance card problem in that I also agreed in January to be on an FTC advisory committee on online access. So I'm dancing between the two meetings here today. So that means I haven't heard what has gone on this morning here, so there may be some repetition, and I apologize in advance.

The presentation I'm going to do here is a brief on the issues of e-health Websites. The information I'm providing here came from my participation in a project that was funded by Sam Karp's group, the California HealthCare Foundation. And we looked at the issues of privacy policies, as well as the practices of e-health Websites. We ended up looking at 21 different sites.

My role in that project was to take a look at sort of playing the role of a typical user on the Internet, but then look behind the scenes of what was going on. The intention was to find out whether the practices at health Websites matched up with the privacy policies. A privacy policy of a Website basically describes what they will do with any kind of information they gain about users. This can be information that is voluntarily given, as well as inferred from as we go around the Web.

And I have about 15 minutes here to talk, so it's going to be a very abbreviated presentation here, but it just gives you a flavor of some of the things that we looked at in the project.

In the project we had 21 sites that we looked at, and since then that has been whittled down to 19. Two of them actually have been acquired by competitors. But one of the things that I really notice in doing this project -- I don't come from a health background; I'm a technology person and a business person -- but one thing that Sam really focused on in this study was the amount of data collection that goes on at health Websites, and what the potential use of this is for marketing purposes.

I just have one quick example here of one thing that we see at e-health sites. This is Drkoop.com. I could have chosen actually almost any of the sites that we reviewed here, so I don't want to just say this is an example that only Dr. Koop does. But it shows you here that what we have is if you are a smoker, you can take this test here, this online test about your smoking habits.

This would be very similar to the offline world of taking a magazine test, and then scoring each question at a certain level to measure say basically nicotine addiction. Now what is interesting about this test, however, is something that is fundamentally different than what we do in the offline world. If I take a test in a magazine, I pretty much only know the results of the answers to the questions here.

But when we are in the online world, what fundamentally makes this different is that all the answers to the questions get saved away. And they even call this a smoking profile. So they can get saved away. We can go back and retake the test.

Now what is interesting about this then, and I think it's an issue that is not really made clear, and this is what my own personal review in this project, this data collection looks like it is being done for the benefit of the user who is taking the test, and of course to some extent it is. But at the same time, its purpose here is to provide marketing information about us.

As we go to an e-health Website, this information is being used for marketing purposes. And we can see already on the Dr. Koop site here is that we have ads around the sides of the quiz related to tobacco, which makes sense. If we are reading the newspaper and we are reading in the sports section, we are going to see things sports related, or possibly demographically related, i.e., tires or that sort of thing. In this case here we are seeing products that are smoking cessation related.

But what is not made clear, and what we saw in the study is that this information is saved away, and then in essence we become rented out as users to marketers. The answers to these kind of quizzes are used for marketing purposes, as well as for our own assessment purposes. And when you go read the privacy policies of Dr. Koop, at least you read the one three weeks ago, there was no discussion of what was being done with this data. And since we did the study, there has been an updated privacy policy at Drkoop that more accurately reflects this kind of information.

But what we can see here is the ability, if we have different levels of smokers, they are potentially different kinds of anti-smoking products that can be recommended. So one of the things that could be done is selecting here by the answers from these questions to determine what kind of banner ads that we see on the page.

Now today there are a small number of banner ads to select from, so they probably blindly provide anti-smoking products just blindly on the page. But later on, they can use the information here in a profile for this.

Now as I mentioned, the Dr. Koop site at the time, take a quick look at the privacy policy. It's going to be a little hard to read here. I can see that the display is chopping off the display here, so I'll just read some things here. "The only information Dr. Koop obtains about individual visitors to the Website is those supplied voluntarily by the users. And personal information provided by visitors will not be disclosed to anyone unless there is an indication Dr. Koop may do so."

This really gets into the big concern here that when we go around the Internet, what is going to happen to our data? And as the California HealthCare Foundation consumer survey showed, that's the big concern here among consumers. And it says only statistical information about our visitors as a group, uses, habits may be shared with any partner of Dr. Koop. This again gets into what happens to my data.

Now since we did our study here, this privacy policy got updated a little bit here. This is about the sum total of it. The Drkoop site is an example of a site that didn't really say a lot. They tried to say a lot of reassuring words, but kind of left out a lot of things. Now they have gone in sort of the other direction of providing information overload in the privacy policy.

But they start talking about IP addresses right away, which is a techie term, and I saw this and I kind of gagged a little bit. But the meat of some of the things in here, our online surveys and questionnaires may ask visitors for contact, demographic information. User may opt out of demographic profile collected at our site. This information is shared with advertisers on an aggregate basis, and does not indicate the identity of the individual users.

So at least now they are being more forthcoming about the purpose of these surveys. They are not just for the benefit of the user.

As a rule Websites rent you out. They don't want to give away your personal information, in some sense it's too valuable. The way that they rent you out here, if we go back to the banner ads, is that they use in this case direct targeting by the Web page that you are at. But it may be that I have a personal Web page at Drkoop. I can sign up and create an account where I indicate the kind of information I would like to see every time I come back to Drkoop. So I have my personal Web page.

So what will happen in this case then, and I noticed this a little bit on Drkoop is that I went back to my personal health page, that I would see anti-smoking ads there after taking the anti-smoking quiz. So in some sense remembering this information that I'm somehow interested in stop smoking, although actually the truth be I don't smoke. But as part of the investigation, they now think I do smoke, and then provide that on my personal home page all the times that I go back there.

So this economic exchange that goes on here of me providing information about what I do, what health issues I am interested in, then gets fed back to me in terms of targeted advertising. And that can be in terms of banner ads, as we see on the screen here. Also email -- I can get customized email messages. And again, they would come from Drkoop, not necessarily the advertisers, but the effect is going to be the same, that information that I'm going to be targeted on the health areas that I'm interested in.

Another real quick thing here, we talk about a lot for folks who are in the Internet privacy area, we talk a lot about banner ads. And one of the concerns here with banner ad companies is we look on this page here on diabetes, we see five or six different kinds of banner ads are on the page. Those are not provided by Drkoop.

They actually come from a different company, which is called Doubleclick, and they are in the business of providing banner ads at Websites. They're called an ad network company. So that they provide banner ads across many sites, and they have thousands of different sites that they provide banner ads on. And the purpose of banner ad companies is so that advertisers deal with one company, the banner ad company, not a whole bunch of different Websites. So there is a role in the world for these folks here, just to make it a lot easier to get banner ads out there.

Now what's interesting though is the concern in the privacy area about banner ad companies is the fact that they get to watch. In essence they have created like a little spy network almost of as we go around the Internet. And the larger number of sites that a banner network is involved in, they know more and more about us.

So they are constantly getting information sent to them about what we are looking at, the sort of things that we are interested in. Along with that information, the Web pages we go to, they are providing what is known as a cookie. Basically, in the case of banner ad networks, the cookie is simply our customer ID number. So the first time that -- if we could buy a brand new computer and go out on the Internet, the first time we are given an ad from a banner ad company, they create like a little account for us. And they assign an ID number to us, which is basically an XID number, so we might become customer 1,000,777. That's stored then on our computer.

Each time we go to a Website that has a banner on it, that cookie is sent back, along with what page we were looking at. This information then is used for profiling purposes in similar ways that a Website itself profiles. Information about us is put into a database about what we are interested in.

Now in the case of Doubleclick here, one of the things that they say is that they do not profile around medical-related issues. The only problem I have with that is when we started looking at Websites and the data that was being sent into Doubleclick as part of them providing banner ads, health care information is provided to Doubleclick.

This is going to be a little hard to see, and I'll just have to read it for you. The banner ads that are around the page here -- it looks like seven different ones -- all include a health condition which is diabetes, and it's related to the page that I'm at. So that information is sent in along with the Doubleclick cookie.

So the concern that we have here, and we saw this at multiple sites, is the fact that that kind of information is still going into Doubleclick. Even though they say they don't look at this stuff, it is still a large concern that this information is being provided to them along with the cookie.

One of our recommendations in the study was if you are going to use the third party banner ad network, in order to guarantee that no profiling goes on, you set up a situation where a cookie is not sent in. And that gets into some technical organizations, how a Website works. But the whole idea is to get the technology to match up with the claims that are being made.

Another quick example here to show some of the problems of banner ads and how they can provide intelligence information if you will is from PersonalMD. This is something I just noticed this week. Again, we are back to anti-smoking products. Apparently Nicorette has a big budget right now for doing banner ads.

But if we come up here, and again, it's going to be a little bit hard to see this down here, so I'm going to have to read it to you. In the URL with this banner ad is included a bunch of coded information. It says zip=02446. Is anybody else from the Boston area in the room here? Well, that's Brookline. That's where I live.

So the PersonalMD folks, as part of their marketing program here, working with Doubleclick are providing basic demographic information about me to Doubleclick in order to provide an ad. So the question is, how do they get this information? Well, the answer is I gave it to the PersonalMD site. I registered with the site. And you can even see up at the top here it says, "Welcome John Doe." That's one of the things when I'm using sites, I don't give the correct information, but at least I did give my correct zip code.

There is also other information enclosed in there like age and this sort of thing. There may be income information in it, because when I signed up for the site, they asked for that. Now I don't exactly know why a medical information site needs my income information. Does that mean I get pitched more expensive products? I said I made $20,000, so it will be interesting to see what I get.

Anyway, what this illustrates is how information flows between different organizations that provide me this Web experience, if you will, not to get too deep on the marketing buzz words. And this is in the project, what I was looking at, is how information goes between companies.

Now you go read the privacy policy for PersonalMD, and it's actually a pretty good one. I just saw it after I did the study, but I think it was probably done before. They were much more forthcoming about what I call the economic exchange that goes on at health Websites. We'll provide you information about health issues and products and whatever. In exchange, you give us information about yourself in a variety of ways so that we can rent you out as something to be marketed to.

And they come out and say that, and I basically applaud them for that in the sense that they are being straightforward about what is going on at this Website. But I was rather bothered by the fact that not exactly personal identifiable information, but information that is about me was being transmitted to Doubleclick.

Now talking with the company -- I have chatted by email with the marketing director, and have gotten sort of a hazy feeling about what is going on here, and I still don't have a picture in my mind. But in general what we worry about on the Internet then is the fact that all these companies are constantly sending in data about us to banner ad companies. The issue is not just one company doing it, but the fact that information can be correlated between different sites, and it's all tied together by cookies.

In talking with Internet companies, what we don't know is how much of this information is being saved, and how much of it is being thrown away, and how much of it is being segregated for use among companies, versus only one company. There are a whole lot of issues there. But what we do know, and what I have seen very explicitly over the last couple of months is there is an amazing amount of personal data that gets sent in as we go across the Internet. When we are dealing with health-related issues, which are obviously very sensitive, that becomes even more of a deal.

So that's my quickie presentation here. Normally I do this in an hour and a half, so I apologize here for rushing through it. I think you were going to do questions here?

MS. FRAWLEY: Well, I know you have to leave.

MR. SMITH: Yes.

MR. GELLMAN: I have a couple of questions. If a health Website, any Website sends in non-identifiable information into Doubleclick, will Doubleclick still know who that person is?

MR. SMITH: They can know. That's one of the issues that a lot of health Websites don't realize. Doubleclick runs a variety of contests, and also runs a directory service where you provide information about yourself, and that information is associated with a Doubleclick cookie. So as we then kind of go around the Web, they know where we are. They have that information.

That's not made very clear. And that's a function of some of the services that Doubleclick offers. That's why one of the main recommendations that I was pushing for in a report was that in sensitive areas, Doubleclick should provide ads from a different domain without a cookie so it cannot be correlated back. If I have chosen to register with their IAF.net service or with Net Deals, which is another service they offer, there is no correlation possible.

MR. GELLMAN: So that would be basically a very simple technical way of avoiding the problem of getting identifiable health information?

MR. SMITH: Right.

MR. GELLMAN: Do you think that it would be useful if the health Websites went to Doubleclick and said we won't do business with you unless you set up that kind of a site?

MR. SMITH: Right, exactly. That was basically the recommendation. Drkoop, since the report came out, said they were going to encourage advertisers not to use cookies. So I think they do recognize the danger here, although the article I read didn't make a lot of technical sense to me. I don't know what they were talking about. But at least I think they were thinking in the right directions.

MR. BLAIR: We have begun to discuss the idea of what is really non-identifiable information. We were struggling I guess about a year or so ago with where the boundaries are. It almost seems as if the urgency for us to clarify where the boundaries are now heightened.

So the questions that I have, and maybe this is to Bob Gellman and other experts on privacy on the committee, as well as to yourself, is do you feel like if we were to make recommendations to be able to accommodate the value of these services, but do so in a way that people really do understand clearly what information is being gathered about them, do you think it would make sense for us to either press forward on a precise definition of identifiable/non-identifiable information?

Or ask each Website, instead of using that phrase, to say explicitly these are pieces of information we do collect, when we collect them, and furthermore, maybe a disclaimer indicating that we can also put this information or others can put this information together within information that is gathered from other Websites. And that we cannot really guarantee that the information you are giving to us is non-identifiable? That's an open-ended question.

MR. SMITH: Right. In terms of answering the question, I'm also involved with the FTC in online access and control of information, and it is really tough sometimes to say the sensitivity of the information, whether it can be tied to you. There is a whole range of issues around information that Websites collect.

One thing they were doing in the FTC was talking about, and is actually quite applicable to the medical sites -- I'm not sure I love this idea, but it's something that is being looked at -- is to give users a better idea about the amount of data that is being collected about them. There is already at most of the health Websites, a mechanism for showing account information. Like you can type in an email address, and your name and address and so on.

So one of the things you can do is push another button that shows all the other stuff they have ever collected about you. So that gives consumers an idea here of the data collection practices of individual sites. So that is trying in essence to educate consumers about what is going on here. Also, they may give the option of removing that information.

Certainly one issue that I have a lot is disclosure by Websites. They talk about things in very general terms and don't get down to the nitty-gritty. Now I'm a technical person, so I want to see the nitty-gritty. It's unclear whether all the consumers want to.

MR. BLAIR: Well, since you are a technical person, have you been able to imagine something that might be a useful boundary if it was put into regulations?

MR. SMITH: Well, I mean in general in privacy the less data that people collect, the better off we are. Then we have less of a problem to worry about. So one of the questions I would have is do Websites really need to collect everything that they are doing? Do they need to save everything that they do? Because one of the tendencies as just human beings is well, we'll just save it in case we need it later. That happens a lot. So by having some regulations in the area of limiting data collection practices, we just have less of a problem to begin with.

But in terms of educating people about direct marketing techniques or whatever, that's a really tough thing to do, and that's in essence what you are talking about, being able to correlate data between different databases.

MR. BLAIR: I think I'm hearing from your answer -- I'm inferring from your answer that there is not a clean, definitive boundary that you can conceptualize. So the alternative therefore would be to increase the requirement for disclosure of explicitly what information you are gathering, and let the consumer make a decision of whether or not they are willing to take the risk to work on this particular Website. Is that correct?

MR. SMITH: That is one direction. I would say that's a first step. I would say disclosure is an important first step. It's not maybe the only one. I just can't say personally whether I'm knowledgeable enough to say go beyond that. But I would say right now disclosure is a very important thing. We are doing a lot of things now on Websites about data collection, so let's at least be honest about it.

And I just see not even medical Websites, but a lot of them really do not talk about their data collection practices. And they actually hide what they do. There is an effort not to say what they do. So I would say the first step is disclosure, and that may limit -- if they don't want to disclose what they do, then they simply stop doing the data collection practice.

DR. ZUBELDIA: Since you are a technical person, I would like to know your view on a couple of things. Have you seen any of these Websites using FTP instead of HTTP to serve the information?

MR. SMITH: No. Everybody is using HTTP, and most of the time when you are entering like account information, it would be SSL. It would be secure HTTP.

DR. ZUBELDIA: Because FTP will reveal your email address.

MR. SMITH: It used to. Since Netscape 3 it hasn't. People have realized that problem.

DR. ZUBELDIA: Now you mentioned the possibility of an opt out where you would go to Doubleclick and say I want to opt out of your database, and I don't want you to track me. Is that possible if the information they have is truly anonymous?

MR. SMITH: Well, yes. What happens in the Doubleclick opt out, which is you say I don't want to be profiled across the Internet by Doubleclick, and it's an issue with Doubleclick, they basically store on your cookie, rather than an ID number, it's the words opt out. So they can't tell you now from anybody else who has opted out. So all 100,000 people who have opted out kind of look like the same person. So effectively it removes your ID number.

Now the issue here is -- it's very interesting you bring up opt out, because in our study we looked at the 21 Websites. Approximately 10 of them I believe were using banner ads. Of those, eight of them, if I've got the numbers right, were using Doubleclick. Not one of them disclosed that relationship on their privacy policies. Therefore, if you are a user and wanted to make sure you weren't being tracked by Doubleclick, how would you ever know to go there?

I know how to find Doubleclick on these sites, because you just go read the HTML source code, but the average user doesn't do that. So the opt out solution is interesting, but only if Websites disclose it. And as an example, Doubleclick's largest customer is the Alta Vista search engine. There is no discussion there of Doubleclick or the opt out option, unless they have changed it within the last couple of weeks.

So this is an example of Websites hiding their relationship with the partners that are involved on the Website, and I think that's a real problem. And I also think that privacy policies in general should cover all activity on the Websites including banner ads, just in general.

MS. FRAWLEY: Bob?

MR. GELLMAN: The kinds of sleuthing that you did to help with the report that was done, can an average person do that kind of monitoring? Do they have skills?

MR. SMITH: Probably not. If you have done Website developing yourself, it's pretty easy to go in and look at an HTML source code. But it kind of looks like gibberish to the average user here. Let me just do a real quick one.

Basically, HTML is a set of instructions to your Web browser that shows how to display the page. This one here actually contains a lot of JavaScript codes, so you would really have to be a programmer for this. But the typical HTML page looks something like this. If you know a little bit, a little knowledge can be dangerous here. You can go in and you can see where the ads are coming from.

Now this tells you a little bit of information, and then also I used the program known as a packet sniffer. I'll show that real quick, which displays all the information that is going in and out of my computer. This is sort of the ultimate authority on data transmission. So this is really nice, because it does show the transactions between my computer and the Websites that are out there.

Just a real quick thing here at the top -- it's a little bit hard to read here, I'm sorry, because of the text. But you can see we do a connection to PersonalMD. And then down here we do connections to ad.doubleclick.net, and we can see in here before I signed up there is no zip code. After I signed up here, I got my zip code in here, and age range. And there are like five or six different fields in here that are used. I'm not sure what they all are coded for.

But when the rubber meets the road, this is how you really understand who is getting what data. This is the ultimate authority here.

MR. GELLMAN: Now the average user doesn't have a packet sniffer.

MR. SMITH: No, this is a programmer tool. If you are writing software that is going to be on a network, you would use this kind of tool.

MR. GELLMAN: What's a Web bug?

MR. SMITH: What's a Web bug? It goes under a lot of names -- tracker GIF, invisible GIF. The Web bug term is something actually I coined, but other people use different names. But it's a graphic on a Website. It is invisible. It allows one company to monitor what's going on at another company's Website. They are typically used for marketing purposes to correlate information as people travel around the Internet.

One quick example -- now we did not see any use of Web bugs in this study here, but typically if folks get junk email, you are getting marketing messages and email messages, and they have pictures in them. They look like a Web page, but they are an email message, and they are pitching you some product, they probably have a Web bug in there, and what they are used for is they send back an indication to the advertiser that you have opened up and read that email message. So they do a little bit of spying on you in order to understand consumer behavior here.

Procter and Gamble likes to use them. They put the Web bugs on their pages for different products. They like to understand if you come into their Website, where you might have come from. You might have seen a banner ad on one page, and they use the Web bug to correlate the two. So it's this invisible thing in the Web page. Unless you really know where to look, you don't know it's there, but it's used for monitoring marketing purposes.

MR. GELLMAN: So it's another thing besides cookies that Websites can use to try and monitor users?

MR. SMITH: Right. They work in conjunction with cookies in the sense the whole purpose of them is to send back the cookie, but without having any kind of banner ad on the Web page.

MR. GELLMAN: I think you were the one who sort of discovered these in the first place, or made them public?

MR. SMITH: I would say I made them public. I have talked to a whole bunch of people now. In the direct email business they are considered industry standard practice. I talked to people at Netscape. They have realized about them for a couple of years, and they thought they were this gross security hole that they didn't know how to fix.

So people have thought about this and looked at it in different ways. Netscape thought it was a security hole, because it could be used to verify email addresses by spammers. So a lot of people know about them, and that's why there are so many names. But nobody has sort of looked at them in detail in all the different ways they are used.

MR. GELLMAN: This, with cookies, is an example of how capability building to the technology is actually privacy invasive technology. And there is really nothing you can do about it, because it's just there. You can't stop it really as a practical matter.

MR. SMITH: Right. You can do a few little things about cookies, get a cookie buster program and that sort of thing, but they are kind of a pain to use. So overall, cookies are being used to watch you a lot in ways that the original designers of cookies at Netscape didn't realize, and anticipate some of the things that are now being done with them.

MR. GELLMAN: Let me ask you one more question about industry self-regulation. Do you have views on the effectiveness of self-regulation for the Internet? Do you think that this is an effective way of controlling privacy?

MR. SMITH: Well, the Internet itself has been self-regulated for 20 years. It is a classic example of a whole bunch of people getting together, setting rules, and it's amazing that programmers could do this. They usually have a lot of do it my way sort of feeling about protocols and things like this. So there is a tremendous amount of self-regulation already in the Internet, and that will continue. There is just no way that's going to go away.

But at the same time, there are obviously going to be a lot of laws and regulations around the Internet in all areas. We are already seeing that with domain names; people stealing domain names and squatting on them and whatever. And we have COPA(?). Just like the real offline world, we are going to have plenty of rules and regulations related to the Internet.

In the area of privacy, the concern here is how easy it is to transfer data between Websites. I showed here a quick example. It's my own computer that is kind of giving the information away about me. And it's been instructed by one Website to give it to another Website. So overall, disk drives are getting so cheap, it's so easy to record all this information, there is going to have to be some rules of the road on how we give away information on the Internet. There is just no doubt about it. I don't know when that is going to happen, and how it's going to happen, but it will be there.

MR. GELLMAN: Do you see any prospects for someone developing a privacy friendly browser that will stop some of these kinds of activities?

MR. SMITH: Well, I'm hoping -- Netscape said in the next version, that they are going to do better things about cookies. And maybe that will provide some impetus to Microsoft to do the same thing. But today, Microsoft controls about 80 percent of the browser, so it's really Microsoft we are talking about here. So the question is, will Microsoft make the change? And the answer is, I don't know. I keep pushing on them sort of from a security standpoint.

But one thing that's really funny though -- I just ran across this -- one of the ad network companies anticipates cookies going away, at least what are known as third party cookies, the ones that they use. So somebody has gotten a patent on well, if they go away, what do we do instead? And so we get into this "Spy versus Spy" stuff. If you are in the computer security business, you know this all the time. The hackers do something, you do something against them, and then they come. It's just one-upmanship all the time. So even though if we make the browser more privacy friendly, there are still ways around that.

MR. GELLMAN: Can you describe the patent you just talked about, or is it too technical to get into?

MR. SMITH: I don't understand it. It's too technical.

DR. COHN: Just briefly, Bob was bringing up an issue that I was wondering about, which is how much of this problem is Internet, how much of the problem is operating system, knowing that Windows has most of the market, how much of it is chip issues?

MR. SMITH: In terms of privacy, it's mostly a browser issue. Cookies are sort of the main area of the problems, because they allow them to correlate information from one Web page to another. There are ways that we could design cookies -- originally, cookies were designed to do like shopping carts. So we go from one page to another, remember which shopping cart we are talking about here. Then they have grown into much larger uses.

There would be ways to adjust cookies so that privacy would be protected, and at the same time still provide some basic functionality like shopping carts. So one solution in terms of not so much law would be technical changes to browsers.

DR. ZUBELDIA: I have a technical question again. Right now the reason you know those banner ads are going to Doubleclick is because you see the word Doubleclick in the URL.

MR. SMITH: Yes.

DR. ZUBELDIA: But Drkoop, just to use the same name that you used, could instead have a URL that doesn't say Doubleclick, that says Drkoop, and says everything looks like Drkoop, but in fact could go into a Doubleclick machine.

MR. SMITH: Right.

DR. ZUBELDIA: Is there anything to prevent that?

MR. SMITH: Then we would get into disclosure issues on the privacy policy. One very interesting thing about the Internet, one of the things that I can do, and people like myself is we can look at HTML and see what's really going on. But if things move back towards the server, if we get into some spy versus spy stuff here, you are right, there could be a special ad server in the Drkoop domain which actually is run by Doubleclick. So there could be some hiding that gets done here. Then we can't look at it in the same way.

DR. COHN: We need to move on, I know, but I was just sort of struck by a comment you made about disclosure versus sort of fixing things. I just want to make a comment that I actually have two kids at home, both of them are teenagers, who use the Internet like it's their second home. And clearly trying to teach them about disclosure at this point is not a winning proposition.

I think it begins to reflect on for example the privacy NPRM, where the issue was, let's not have everybody have to deal with disclosure rules and pieces at every turn, but let's have a standard set of rules that provides for what is reasonable and non-reasonable disclosure.

MR. SMITH: You could probably have here in terms of a standard set of rules here, probably within certain industries you could do that, like across health information Websites. They are very similar in the services that they offer. So there could be rules for that. But I would say that you get into different issues if you are talking about somebody who is selling CDs or books online versus a health information site. You probably want to have a different set of standards.

MS. FRAWLEY: Thank you very much, Richard. I know you need to go back to your meeting. I appreciate it. Thank you very much.

MR. SMITH: Thank you.

MS. FRAWLEY: Sam.

Agenda Item: Panel 2 - Sam Karp, Chief Information Officer, California HealthCare Foundation

MR. KARP: Good afternoon again, everyone. My name is Sam Karp. I'm the chief information officer at the California HealthCare Foundation. I want to thank the committee both for your invitation, as well as for your insight so long ago in planning this hearing for this time. It's certainly, as I think we are all aware, a timely opportunity to talk about these issues.

I want to do three things today very briefly. First is tell you just a little bit about the California HealthCare Foundation. Secondly, why we are interested in this issue. And then thirdly, describe one of the recent reports that we released in conjunction with this privacy report on the policies and practices of health Websites. And that is a study which we conducted in cooperation with the Internet Healthcare Coalition.

The California HealthCare Foundation is a three year old philanthropy that resulted from the conversion of Blue Cross of California from a non-profit to a for-profit health plan. We are based in Oakland, California. Our mission is generally to improve the health and well being of Californians, with a particular emphasis on low income Californians.

The foundation has been actively engaged in the issue of exchange of information between health care stakeholders for the past couple of years. We are tremendously excited about the extraordinary opportunity that the Internet provides to improve the quality of clinical care provided at the time of care through better information. We are also excited about the opportunity to actually be able to measure the quality of care by having access to information.

Our interest in privacy came out of this work, and a concern that we had that the progress that was being made toward the exchange of electronic information, and particularly the benefit that the Internet has in being able to communicate with legacy systems in a much easier way than was able previously again drew us to this concern about privacy.

About 18 months ago we embarked on an effort with Consumers Union to heighten the awareness of the importance of safeguarding personal health information. We conducted a series of activities, some of which you may be aware of. The first was the commissioning of what we believe was the first independent national survey of consumer attitudes about the confidentiality of their medical records. It was a survey conducted in December 1998 by Princeton Survey Research, and released in January 1999. I have a sample of the findings that I'll pass around, and can make available for committee members.

But one of the principal findings of that survey was that nearly one-sixth of American adults were concerned enough about the confidentiality of their personal health information that they took what some would describe as privacy protective behavior to safeguard themselves from improper disclosures.

What that behavior consisted of was going to a physician outside of a network when they had health insurance and paying out-of-pocket, so that their diagnoses or treatment would not be recorded. It included saying things to their practitioner like Doc, I'm about to tell you something, but would you do me a favor and not write it down? Or at worst, not seeking care at all.

The second thing we did in conjunction with a series of workshops with Consumers Union that we conducted around the state of California, was publish with the help of Janlori Goldman and Zoey Hutson(?), a "Promoting Health, Protecting Privacy Primer." We distributed 50,000 copies of this, and another 30,000 have been downloaded from the Internet to practitioners in California, to policymakers, to the media, again, to heighten awareness of the importance of protecting health information.

The last thing that we did during this year and a half ago initiative was to commission a forecast done for us by the Institute for the Future. It's a five year forecast on the future of health care and the Internet.

These activities, we felt, began to create an environment in California where particularly for consumer advocates who long had been fighting for access to health care and lower cost for health care, it began to integrate the issue of an understanding of the importance of confidentiality. And in many cases how that issue underpinned some of the issues that others had been working on.

Over the course of the last year I think we have all come to understand that the Internet has discovered health care, and health care has discovered the Internet. At the foundation we decided that it might be important to undertake a second round of activity to again help inform the debate. This initial activity really was prompted by our concern out of our work, as I said, but also by the mandatory time frame in HIPAA, and the interest in involving consumer organizations, consumers, and providers, as well as other stakeholders in the debate.

It was an opportunity to participate in what was at the time, legislation that was moving on a lot of different fronts, and ultimately the issuing of draft regulations by the administration. As you know, the comment period just closed.

We undertook two different sets of activities, one that you heard about from Janlori in detail I assume this morning, and a little bit from Richard. And that was this report on the privacy practices and policies of Websites. What I want to talk to you a little bit about now is the other survey that we did, again with the Internet Healthcare Coalition.

The idea was to understand a little more about consumers who were online, and what their feelings were about the ethical practices of health Websites. I'm presenting to you only a very small portion of the findings of that survey that deal particularly with the privacy issues. My colleague John Mack may talk about some of the broader implications that the survey had. But I thought it important to share with you half a dozen or so of the findings with respect to privacy.

Let me first give you the top line survey results. This was a survey that was conducted between January 10-17, 2000, so it's very current. Cyber Dialogue was the company that conducted the survey for us. They are based in New York. They surveyed 1,009 online users from a panel that they have that is broadly representative of the average American online user.

The four primary findings were that the average American Internet user is concerned about the privacy of online health information; that they are suspicious of the ethics of many of the Internet health care Websites; they are uncertain whether personal health information is actually protected by state or federal law; and they are confused about who should regulate Internet health information, or if it should be regulated at all.

Just to give you some perspective on the number of individuals in the United States who are using the Internet for health information, these are Cyber Dialogue's projections from other work that they have done. Currently, in the year 2000 they say there are about 34 million Americans who are going to health Websites. As you can see, they project that over the next couple of years that number is going to increase dramatically to 52 million Americans in the year 2003.

If you have seen some of the other numbers from other pollsters, you might say, gee, these numbers are a little lower than what you have seen essentially from Harris. But Cyber Dialogue would defend that they believe that these are much more realistic numbers. In any event, it's still a very large number of people.

One of the first things we learned from the survey was half of all online adults are concerned about potential invasion of privacy of their health information on the Internet. You combine the figure of those who are very concerned, and you see the over half.

Internet users are concerned not just about privacy issues online, but offline as well. We segmented our 1,000 users into those who are seekers of health information, and those who are non-seekers of health information. For those who are seekers of health information, 66 percent say that they are concerned. When you segment that data further, and you look at Americans who earn less than $50,000 a year, Americans who are over 50 years of age, Americans who are people of color, those numbers go to 72 percent, 71 percent, and 72 percent respectively.

The three main privacy concerns that came out in this survey were, first, that the site that I would provide health information to would share it with a third party without my permission; 75 percent of the respondents had that feeling. The second concern was that someone else would be reading my email other than the person it was addressed to; 65 percent. And third, that someone would hack into my personal information; 59 percent.

So the concern here is much more about unwarranted disclosure of information, rather than someone hacking into it. That is actually just opposite of the concern that we found in our survey that is being circulated prior to health activity on the Internet.

One of the most interesting things that we found in the survey, and Richard talked about this a little bit in his presentation is that users seem to be willing to share information with health Websites in exchange for more personalized or customized services. If you look at the blue arrows, you will see in pretty high percentages, 90 percent of users are willing to exchange their email address, provide their gender, 82 percent provide their name, 72 percent provide their favorite color.

You might want to ask why favorite color, and that's an important issue. One of the things Richard discovered in monitoring, every time he put his favorite color into one of the boxes, the banner ads came up in that color. That was Richard's view of the new form of subliminal advertising.

And on and on here. It drops a little bit when you ask about ethnicity and address. But you see the dramatic difference in the yellow bar. Providing this information, but allowing the site to share this information with other sites, companies or advertisers. On the email address it drops from 90 percent down to 18 percent, 55 percent of the people who said they would provide their address in exchange for more customized service, only 8 percent of those said they would want that information passed to another site.

That is true with providing information about your employer, your health information or your credit card information; 11 percent of people said they would be willing to provide their credit card information, but 0 said they wanted it obviously to go to a third party.

Now that is very different from this information on the right-hand side of the bar that shows the kind of information that consumers are willing to share about their shopping experience, and their shopping data. Fifty percent said that they are willing to share information about promotions that they respond to, and 30 percent said they would even share that with third parties. I thought it was interesting that the products you buy on a site, only 26 percent said that they would be willing to exchange that for more personalized information, but 55 percent, a majority, said they would be willing to share that with a third party.

So personal information about ourselves, about who we are, our identity, people don't want to see shared. But information about our shopping patterns, which maybe could assist in the customization of showing us information that we would be interested in, people are much more willing to do.

This is another interesting finding. It shows the difference between 1996 and 1999 in consumer attitudes about submitting personal information online. I think it's pretty self-explanatory, but I'll give you some of the highlights, and that is that in general, consumers are much more comfortable these days about generally sharing information online, and less concerned that sharing information online is necessarily going to result in junk mail, necessarily going to result in an invasion of privacy.

But yet consumers are extremely concerned that sharing their information online could be used by insurers. Seventy percent said that I'm concerned that providing information online would have an impact of limiting or affecting my coverage by an insurer, and 55 percent said they didn't want their insurer even knowing about their health-related activities online. And I would translate that to say sites I go to visit.

And when Richard was able to demonstrate that if you are on a diabetes site or on an HIV site, and that information is transmitted back, not just to the owners of the site, but to third parties, there is a very high risk there, and I think consumers are quite aware of that.

Similarly, consumers are concerned about information being shared with their employers. Fifty-five percent said that they would be concerned that their job opportunities or job status might be impacted; 46 percent said they didn't even want their employer to know about online health activities. I think that finding is particularly interesting.

I wouldn't ask you all in the room to raise your hand about how much Internet browsing you may do at work. I do a considerable amount of it, I'll disclose that. And employers have a very easy way of tracking, because they control if you have dedicated high speed access, they control the servers that provide that access, and can actually monitor what goes on. I think that is something that most employees in companies are unaware of.

People are more aware these days that employers actually own the email, and have a right to access that email if they feel that there is a particular reason to do so. But I think the ability for employers to monitor employees' Web usage is not as understood.

What are some of the positive influences that consumers said they felt about their willingness to share information with a Website? Eighty percent of people surveyed said that if a site is recommended by my doctor, that's a good thing. If a site has published a privacy policy that claims information you submit will not be shared with advertisers, that's also a good thing, 79 percent. If a site provides you with an opportunity to see who has access to your profile, that's a good thing. If the site allows you to make choices about the use of your information or has published a privacy policy that claims information you submit will not be shared with other sites, these are all positive drivers, 78-80 percent all of them.

What are some of the negative influences that consumers said they felt about their willingness to share information with a Website? Eighty-eight percent said that if a Website were to share your profile with an advertiser or marketing partner, that would be a negative influence. Seventy-nine percent said if the Website automatically collects information about you that you are unaware of, that would be a negative influence. If a site is sponsored by an insurance company, 45 percent said it would be negative. If it's sponsored by a pharmaceutical company; 40 percent. And if it was promoted by a national TV ad, 19 percent.

I always thought that if a site was promoted on "Oprah" like best books, that it would actually be a good thing. Consumers had a different view of that.

I think one of the surprising things to us was that when we looked at what were some of the characteristics that really had no impact on consumers' willingness to share information, a majority said that having a seal from one of the trade groups such as HON or Trust-E had no impact on their confidence that that site protected the confidentiality of their information.

One of the things that we found was that 7 of the 21 sites where we found serious problems in the practice and in the policies had Trust-E seals. I saw Trust-E quoted in one of the articles in response to the report saying that they were shocked and alarmed. I actually didn't see what they said they were going to do about it, and I would be much more interested in that than their initial reaction.

As I said in the summary, we asked the question as far as you know, are there current state or federal laws that protect the privacy and confidentiality of personal medical information on the Internet? Seventy percent said they didn't know; 24 percent said they didn't believe there were federal or state laws that protected them. Only 6 percent said yes.

When we asked respondents who should be responsible for regulating health Websites, 35 percent responded the government; 20 percent said industry associations; 6 percent said other, but a very large number, nearly a third said they didn't know. So one of our findings here is that there is a lot of confusion about are there laws? Should it be regulated? Shouldn't it be regulated? And who should regulate?

The last slide I want to show you is that we asked, well, who do you trust? If somebody recommended a site, or you wanted to go to a site, who would you trust? I know this is a little hard to read, but we asked them -- and I'm bracketing the top bracket here -- they said the Institute of Health, is that somebody who you would trust? Forty-four percent said they would trust the Institute of Health.

The AMA, 42 percent said they would trust the AMA. Hospitals such as the Mayo Clinic, one of the most prestigious medical institutions in the country, 41 percent. Would you trust a non-profit group? Only 30 percent said they would trust. And we put a block around the top, even those that said they received highest degree of trust, none of them received the majority. So there is a significant amount of distrust.

I want to conclude by saying that we did this survey, and what we heard from the survey very clearly was that consumers said they were okay with sharing some information about themselves. They expected the sites to keep that information confidential. In fact, when we read the privacy policies, the privacy policies, even though they were sometimes hard to decipher and confusing, they provided that general impression that sites were intending to protect the privacy of the information presented.

I'm sure Janlori mentioned this morning that one of the positive things we found was that health Websites had privacy policies in probably a greater degree than Internet sites generally. So there seemed to be a clear understanding that consumers expected their privacy to be protected and safeguarded. But in reality consumers said they did not want their information shared with third parties without their permission.

Seventy-seven and 88 percent said they did not want information collected about them that they were unaware was being collected. And what our privacy report discovered was that in fact large amounts of information were being shared, including personal information, with third party marketers. And in fact, large amounts of information were being collected about individuals without their knowledge or without their permission.

The foundation intends to continue work in this area. One of the issues that we are beginning to look at, and Mr. Gellman raised this issue, and that is could a technology be developed that might be smart enough to have business rules, whatever those rules may turn out to be, whether they are regulation, or whether they are industry agreed set of standards and ethics, but could there be a software technology that is smart enough to run as some type of a server application or a stand alone.

But when you think about how an audit is conducted, whether it is a financial audit or an audit for internal controls, you need a mechanism that can come in and perform in the same, have access to the information or systems that it needs to have access to. But that is one of the things that the foundation is going to turn its attention to now.

Can we find a technological solution that would not just look at how personal health information is being protected on health Websites, but how is it being protected in the managed care environment, in the networks of information clearinghouses, where most of the paper and electronic records are going through between medical groups and labs and pharmacies and health plans these days.

I think that is a real challenge for us to be able to provide an instrument that can give the consumer the ability to have some control over how their information is shared, and how it is protected.

Thank you very much.

MS. FRAWLEY: Thank you, Sam. Bob.

Agenda Item: Panel 2 - Robert Musacchio, Ph.D., American Medical Association

DR. MUSACCHIO: Thank you very much. My name is Robert Musacchio. I am senior vice president at the American Medical Association. I am responsible for publishing and business activities, as well as for our e-commerce and actually have been actively involved in developing our own privacy and confidentiality policies as it relates to the Internet.

It is a pleasure to address this committee on behalf of the American Medical Association. I would like to also introduce Ms. Mariah Scott to the subcommittee. Mariah is the business unit manager for Intel's Internet authentication services. She is here today to respond to any questions you may have regarding Intel's interest in strengthening privacy and confidentiality, and also increasing the confidence in the use of the Internet.

My presentation today will follow the written statement that you should have received. I will be discussing an overview of the AMA/Intel digital credentials project. I'll touch on the roles of both the AMA and Intel. Next I will talk about virtual health care. I'll discuss some recommendations that AMA and Intel believe should be considered for any health care Internet security system. Lastly, I will share with you our vision for the transformation in health that is occurring now.

One important note, our project goes to a small but important piece of the Internet, and that is authenticating who is actually sending and receiving information, and who has access to information.

The AMA is working with Intel to deploy a new form of electronic credential that will protect physician and patient privacy and confidentiality. The credential will help authenticate that the physician engaging in the health care interaction, whether that is email and other transactions that will be coming down the road, is who they actually say they are. The AMA will issue the digital credential to physicians within the next few months. We are at a very early stage in this project. We are learning a lot as we roll this out.

What is a digital credential? A digital credential is an online identification card that uniquely identifies individuals over the Internet. It provides reliable authentication techniques. Digital credentials function in the online world the way a drivers license, passport, or other trusted documents function in the paper world.

The AMA and Intel believe that the potential for physicians to use the Internet as a tool to obtain data such as lab results, send prescriptions to pharmacies, store and retrieve information, and to improve the health care of their patients is basically unbounded. There is a lot of potential out there. However, we feel that health care, or as people are calling it, e-health has been limited in the fact that there is a lack of confidence.

We feel by authenticating the identity of the physician and providing a mechanism for strengthening patient privacy, this system will allow for a wide and growing variety of routine medical transactions to actually occur online. Ultimately, this development will help enable better patient care and lessen the administrative burden of both the physician and the patient.

The idea of AMA/Intel project actually goes back to about 1995-1996 when we started thinking about the problems that you never know who might actually break in, or have access to information. Or if you are actually engaging in a conversation online, if the person on the other end is actually who they said they were.

In fact, this came up through our membership ranks. A number of our members who have been in the online community for dozens of years have been saying that they are engaging in conversations, and the patients have been engaging in conversations, but they never knew who they were actually speaking to unless they actually had a personal or formal relationship with that individual. Therefore, without digital credentials there is really no way in a general sense, to authenticate who is on the other end.

The decision to provide digital credentials really is an outgrowth of one of our many committees, an electronic data interchange report, which was issued by our Council on Medical Service in 1998. The council recommended that the AMA work to establish consensus for electronic storage and transmission of medical records as an important means of protecting patient privacy.

In addition, a 1998 AMA survey of physicians found that more than 9 out of 10 physicians, 93 percent, have access to a computer in their medical practice. Of those physicians who have access to a computer, 96 percent of those computers have modem capabilities, and 76 percent have communications software. So therefore, the potential is real for these online transactions.

At the same time, Intel happened to be thinking about digital credentials, and they created a whole group within their corporate structure to look at authentication services, and to develop such a product. When each of us essentially learned what the other was doing, we thought it would be a good idea to come together and try to create a technology solution.

The AMA and Intel are using the AMA's physician master file database for the purpose of creating these digital credentials. For over half a century the AMA has collected and maintained information on physicians, and it is with respect to informed consent that physicians are informed of how the information is collected, what it will be used for, and they have the ability to opt out of that.

These files contain the most accurate and comprehensive data available regarding physicians. The file includes about 850,000 uniquely identified records of AMA members, non-members, and all active and inactive physicians in the US and its territories. All physician data are primary source, and are reported from over 2,100 different medical organizations and institutions.

Given the importance of these data and the critical privacy and liability issues associated with online transactions, the AMA identified Intel as an ideal collaborator on this initiative. Intel is developing and deploying a registration and authenticated access service. The technology infrastructure upon which the service will run is Intel's strictly. We feel with the relationship with the physician, we sign the physician up. We educate the physician on how to use this, and we provide the customer service. Intel is taking care of the technology part of this.

We hope that by participating with health care sites at which to offer these trusted doctor-patient interactions online, they will be using this credential. Intel and the AMA are working with leading physician service providers such as Healthy on Web MD, and MedQuest to make the credential an integral part of their operations.

The example of our roles in the marketplace. Physicians' and patients' use of credential with participating Websites. The AMA distributes these credentials under our brand to physicians. So it's an AMA credential. Intel helps integrate the credentials into the customer's Website. So Intel with Healthion(?), Intel will work with MedQuest to integrate this into their services. Intel validates or maintains the credentials. They again take care of the technology part. Intel and AMA are basically providing a service to online providers.

What we are hoping to do by deploying this system is to allocate risk in a way that will make people feel more confident and secure about using the Internet for personal transactions. As all of you know, electronic health transactions are unique, because health records contain intimate personal data. Identity matters when exchanging this data. A physician identity can be misused to create prescriptions, or gain access to medical records. Physicians, as you know, are liable for patient record confidentiality.

Let me briefly go over the enrollment process. Physicians will request a credential from us. This will require sometimes face-to-face interaction. They can get the credential via Web browser, email, VPN connection, what have you. The AMA delivers the physician-specific request to a registration authority gateway. The gateway passes this information over to a request manager.

The management system checks the request for validity and completeness of the data. The identity confirmation matches request data with known data, and the RA manages all of the policies. Going to the point you were making, you will be able to build policies into this credential for handling requests.

Physicians will request a service, or we are hoping that they will. We are in extended beta right now. Websites will activate the client side wallet. Physicians will use a PIN number to access this wallet. The wallet will deliver a signed access request, so a lot of verification and authentication is going on here. Websites will make the authentication request back to Intel. The authentication authority will approve the request, and then the Website will provide access to those services.

The Internet, as has been discussed today, is one of the fastest developing consumer mediums in US history, and should bring revolutionary changes to the health care industry similar to the changes that we've seen the past few years across banking, retailing, and financial service industries. That's both a blessing, and as we have also discussed today, it can also be a curse.

Electronic communications are drastically changing how patient information is stored and transmitted. However, electronic patient records should be no different from other medical records in that they contain privileged information that may not be divulged without permission from the patient. Patients truly worry about their loss of confidentiality and privacy as health care increasingly moves from a paper-based information system, to one that is electronic-based.

According to a survey conducted by Cyber Dialogue, 75 percent of those seeking health care information are concerned or very concerned about registering personal health care information on a Website. The survey results however do suggest that consumers would be more comfortable sharing their own health care information online under the following circumstances.

These are: if a Website is recommended by their physician; if the Website has published privacy statements and policies; and that the information will not be shared with advertisers, other sites, or marketing partners; the Website gives users the opportunity to see who has access to users' profiles; also if the Website allows users to make choices about the use of the information.

There are four issues that AMA and Intel have spent considerable time discussing and addressing, and we believe we have given serious consideration for any health care Internet security system as a result. These are:

1. Identity confirmation. There should be some type of process to insure that certificates are not issued erroneously to impostors. We do not believe that this always needs to be face-to-face with the use of a notary. There should be multiple levels of certifications, and the identification requirements should be consistent with the application or use of the certificates.

2. Liability allocation is a function of the trust models upon which the system is based. Trust models should be consistent with the application of the certificates. With respect to interoperability, the current industry policies and procedures, as well as the liability associated with the use of the digital certificates are not yet aligned. Therefore, we are committed to working with the industry to sort out the issues associated with interoperability.

3. Work flow integration. This means it is important to understand how health care professionals work on a typical day, and then provide solutions to meet their needs.

4. Finally, physician education. We believe this is necessary, and we are prepared to do our part in educating physicians on the importance of these credentials.

The AMA and Intel share a vision for the improvements in quality, the reductions in cost and gains in efficiencies that personal computers along with the Internet can deliver to health care. We share a vision of physicians and patients using Internet health information, Internet-based commerce, and health-related commerce to deliver care with the efficiency that the Internet has brought to stocks, to book buying, and a number of other industries.

The AMA/Intel project comes at a time when there is a growing awareness of the threat to breaches of medical privacy, confidentiality, and security of the medical record in the digital age. We believe that the digital credential will resolve some of these fears. AMA and Intel have created a real live solution that serves the needs of patients and those who provide care to them. This is a good start in certainly what will be a long road to insuring the integrity of medical information transmitted during this digital age.

Thank you again for the opportunity to present an overview of this project, and of course I'll be pleased to answer any questions.

MS. FRAWLEY: Thank you. Christine.

Agenda Item: Panel 2 - Christine Varney, J.D., Partner, Hogan and Hartson

MS. VARNEY: Thank you so much for inviting me here today. I am relatively new to the health issues, but as some of you around the table know, I have been involved in the Internet and electronic commerce since the late eighties. And I've been involved in privacy since at least the end of 1994, when I first met Bob, when I was at the Federal Trade Commission, and we began examining privacy issues.

Now at Hogan and Hartson, where I chair the Internet practice group, I advise a number of clients, both in the health space and others, as well as chair a coalition called the Online Privacy Alliance, which has dealt with privacy in the commercial sector online.

Recently I was asked by a group of companies in the health Internet space to help them develop best practices. In the autumn of 1999, more than a dozen leading e-health care companies began a dialogue to address consumer concerns about the ethics and integrity of Internet health sites. HI Ethics(?), that's Health Internet Ethics members, agree that Internet users deserve high quality content, responsible advertising, and the protection of personal health information.

In response to these needs, the HI Ethics Coalition is developing a set of ethics principles for information on the Internet in the areas of content, privacy, advertising, and commerce. HI Ethics is chaired by Healthwise president and CEO Don Kemper, and includes representation from: Adam.com, Allhealth.com, IVillages Health Channel, America On Line, Americasdoctors.com, Care Insight, Discoveryhealth.com, Drkoop.com, Healthcentral.com, Healthion and WebMD, Healthgate, Healthwise, Intelihealth, Laurashealth, Medscape, Onhealth, Planetrx, Wellmed, and Women.com. I believe we have also had some additional members since this was publicly announced.

This group of dedicated health information service providers on the Internet has been working very hard over the last couple of months to come up with a comprehensive set of ethics and standards for delivering health care and health information online. There are a lot of tough questions that they have to address including privacy, but we have started with taking a look at who is a health care provider online and who is not.

In the offline world we have plenty of resources people can go to for health information, and they may not be considered a health care provider. In the online world those distinctions definitely begin to blur, as you can be interactive and begin having conversations and dialogues with health professionals.

We are also looking at what ought to be the rules around content. When is content editorial? When is it advertising? What's the relationship between the content and the sponsors or others who have a pecuniary interest in the site?

We're looking at various commerce issues. When you are on a commerce site, what ought to be the rules about what can be done with the data that is involved in commercial transactions on a health-related site. Planetrx and Drugstore.com both sell health-related products, as well as non-health products.

And finally, and for our purposes today I think most importantly, we are spending a tremendous amount of time on privacy. In the Online Privacy Alliance we have often set the stage, and we have really I think beat the gong of self-regulation for the last four years involving the principles of what we think are fair information practices for the nonsensitive commercial data on the Internet, which include notice, choice, access, security, and redress.

However, I think that many of the commercial entities involved in the online privacy alliance have come to realize that for sensitive data, which we would define as medical or health data, financial data, and data relating to children, there is a different set of rules, and a different set of standards that needs to be in place. In fact, many members of our Online Privacy Alliance were the leading advocates of legislation that was enacted to protect children online. America On Line, the Walt Disney companies, Viacom, several others that are involved in children's content were really big proponents of legislation to protect kids.

What we are finding as we are working through the Health Internet Ethics Coalition is that there are some areas probably that need to be regulated, that are not yet regulated. And we hope to be able to present to you further down the road in the spring what our thoughts on those are.

There are also areas that we believe the regulations that maybe fraud and abuse might be a good example. Some of the fraud and abuse regime which makes perfect sense in an offline environment, may not be as directly applicable in the online environment. The goals are still the same. How you achieve them may be quite different if you have for example, a Website that has several different partners that are providing health information.

Perhaps what you need is a fuller disclosure on who is providing the information, as opposed to prohibitions on financial transfers that could keep the site up, because after all, part of what is so great about the Internet is the consumer's ability to get access directly to information that may be relevant to them so long as they know the source of the information.

Information is coming from drug companies. It may be one set of information. The consumer may want to put a filter on it, or think about it differently if information is coming from medical centers, if information is coming from non-profits, if information is coming from consumer advocacy groups. They all probably connote to a health care consumer specifically different standards of perhaps reliability.

What we are trying to come up with is the framework where across the board we can work with groups like the Internet Health Coalition, which is establishing the highest level in our view, of principles for across the Internet for health care. How do we take those principles and implement them in practice on commerce sites? Now that's the good news.

The bad news is we are not done; we're not nearly done. We would appreciate the opportunity to be able to provide to you the principles as we work them through. I expect that later this spring, perhaps in March or April we will have a pretty good framework that we hope to be able to brief policymakers around the country, here in Washington, and around the country, as well as some of our partners in the non-profit world, consumer advocates, and health consumer advocates in particular.

Before we finalize these principles, we want to get a lot of input. But our timeline is to get them drafted and to get them circulated to groups like you, and many of the people at the table, to take that feedback, and then to finalize them.

I just want to say before we move on, we were greatly influenced by the work of the California HealthCare Foundation on privacy. What we found, and I think that you will see, and those of you -- my copy of the California HealthCare Foundation report is dog-eared, we have spent so much time with it. There were really two types of activities that the California HealthCare Foundation identified.

One was the intentional distribution of data to third parties without disclosure. The other was the unintentional distribution of data to third parties. What Richard said before he left is that their goal is to get companies to be more forthcoming. That's only part of our goal. That deals with the first issue.

We need companies in the Internet health care space to be scrupulously careful, because what we saw was there was a lot of unintentional -- I wouldn't call it data transfer, I would call it leakage. Because what I am seeing is that although data was leaving some of these sites, it was not necessarily being captured wherever it was going to, the way their servers were configured on the other end. If it was an ad serving company, they may not have been capturing it. Now that doesn't excuse the leakage.

So we've got to focus not only on being very forthcoming in exactly what we are doing, but we've got to focus on not being sloppy, not being careless. This is people's health care information, along with their financial information and their information about their children. It's the most important information we have. And as health care providers on the Internet we have an extraordinary obligation to protect it. That's what we will be looking at.

I think it's important to emphasize that the High Ethics Coalition is not about no legislation or legislation. It's about what are the best practices. How do you take the fraud and abuse regimes that exist, and other regimes, and apply them on the Internet space? Where are some holes? Where might we need some law to protect consumers online so that we can build a medium that is robust, that empowers consumers, and that consumers have confidence in?

I hope I'll be able to come back when I have something more substantive to say about where we come out.

MS. FRAWLEY: Thank you, Christine. John.

Agenda Item: Panel 2 - John Mack, MA, MS, MPhil, President, Internet Healthcare Coalition, Director, Drug Information, Mediconsult, Inc.

MR. MACK: Hello, my name is John Mack, and I would like to thank you for inviting me here today. I hope everybody has our little folder here. I'm the president of the Internet Healthcare Coalition. That's what I do on the weekends and at night as a volunteer. But in my paid capacity I should disclose that I work for Mediconsult, which is one of the dot-com Websites that is involved with High Ethics.

The Internet Healthcare Coalition is an international and non-partisan and non-profit organization that is dedicated to promoting quality health care resources on the Internet. It was founded in 1997, and the coalition's membership, who are really individuals and not organizations, represent every sector of the Internet health space including: consumers; patient advocates; commercial developers of health information; health professionals; medical librarians; even government officials, some of which may be in the room today.

As I said, it was founded in 1997. We have over 600 individuals as members that we stay in touch with. Our board of directors are also individuals and work on a volunteer basis, and have done so since 1997.

Our mission is really educational, and it involves the constant improvement of the quality of health information on the Internet. We do receive unrestricted grants from foundations, technology corporations like Intel, from the pharmaceutical industry, from the Pan American Health Organization, and so on, who have either donated money or services to our effort.

Today I just wanted to review our code of ethics that we have been involved in developing, and which are actually on our Website today for public commentary. But we have also worked with the California HealthCare Foundation on the privacy and ethics survey. And Sam already went through that.

But the conclusion of that report was that, "The data point to the urgent need for a thoughtful, thorough, and fair discussion of ways to secure individual privacy, foster strong ethical behavior, and harness the incredible power of the Internet to improve the quality of health care for all Americans. By necessity this discussion must include all concerned parties such as: traditional health care organizations such as insurance companies; pharmaceutical manufacturers; hospitals; Internet health care players; appropriate regulatory organizations; and most importantly, the individual consumer."

That is why I think the coalition is in a good position to get involved in this, because that has been our constituency since we came into existence.

And the other reason why we got involved in this was actually a call to action from Dr. George Lundberg, who is the former editor-in-chief of JAMA, and who has since moved over to the dark side, and is now editor-in-chief of Medscape, or I think MedicaLogic or Medscape, something like that.

At our annual meeting in October 1999, he was the keynote speaker, and he didn't charge anything to do this, and he said, "I call upon the Internet Healthcare Coalition to now set international standards that can become commonly accepted." So I think we were more or less forced into this, and we are very glad that George Lundberg really got us involved, and he has been a big supporter of what we have been doing. He is also involved in High Ethics, so there is a lot of cross-pollination, if you will, between the two efforts.

Now just to get into our e-health ethics initiative, again, it is a consensus process by open discussion, and I'll describe a little bit of that in a minute. It has broad participation by a number of different stakeholders that I have mentioned, and you can see in the folder we have a list of the summit members and the participants. And I think you will agree they represent a pretty broad cross-section.

And this, we believe, is going to have to be an ongoing initiative. It just doesn't end when a code of ethics is developed. And the coalition's role in this was actually be educational follow-up to the code of the ethics, and I'll try to get into that in a bit after.

The first thing we did was to convene a summit group, and we have the list of participants here. And I'll talk a little bit about that. The goal was to draft a set of e-health code of ethics. And we have done that. We released that February 18, last week. Then to have a public commentary period, and we are in the middle of that commentary period right now, which will go through April 14th. And finally to launch the more or less final for now, code of ethics that we have gotten together from this process. We will also have to talk about implementation and continued development of this code.

The e-health ethics summit was convened by the coalition on January 31-February 2 right here in Washington, DC. It was hosted by the Pan American Health Organization who donated the space and facilities. We had over 50 participants, and you can see the list in this package here. It also included a number of people representing international governments and organizations, and it included medical ethicists.

The summit in a two-day process actually came up and drafted a rough series of areas that the code should address, and elected a steering group which is working with the Hastings Institute to produce the draft code of ethics, which we have already released.

There were five guiding principles that the summit addressed in the ethics principles, and they had to do with: candor and trustworthiness; quality; informed consent, privacy, and confidentiality; best commercial practices; and best practices for provision of health care on the Internet by health care professionals. So yes, we have a higher view, and it goes beyond privacy, but privacy obviously was a big concern among the summit participants.

As I said, until April 14th the code will be available for public commentary, and we are collecting comments right now. And I just want to say I think this process by which we are doing this, no matter what happens with the code in the end, is very educational and informative, and it brings together a consensus.

And I think this is the kind of process that would have to go on no matter what direction this is going to take for privacy, whether it be regulation by the government, or self-regulation, or whether some accrediting agency is going to be set up. The same process has to be gone through of public commentary and openness. And I think that's what we are trying to provide. So I think we are laying some good groundwork here from getting input from the public already.

Obviously, we are seeking as much input into this process as possible, so I urge you to visit our Website and take a look.

I can just give you an overview in my presentation here of some of the code. Obviously, there are more details that I'm not going to talk about right here, but for example in candor and trustworthiness, we say that organizations and individuals providing health information on the Internet have an obligation to candidly disclose those factors that can influence content, potential risk of providing personal information on the Internet.

We have under informed consent, privacy, and confidentiality that these organizations have an obligation to safeguard users' privacy, and obtain users' informed consent when gathering personal information. Obviously, we also talk about things like opting in versus opting out, and so on, which details I think you can get from our Website.

But we are also covering commercial practices and the best practices for provision of health care on the Internet, and I think this is where our cross-pollination with High Ethics is going to pay off. Until this point we have really kept these processes separate. And I thought to begin with we should get together and work together, but actually now that I have seen how this sausage is being made, that the two efforts have reached almost the same point. And that gives us some good groundwork to believe that we are on the right track.

I do believe though in the future we are going to have to make whatever we do a universal code of ethics that bring together organizations like the Internet Healthcare Coalition, the Health on the Net Foundation, High Ethics, and the American Medical Informatics Association, and many others that are working towards the same goal. I think implementation of any code has to involve as many organizations as possible.

I can't say anything else about implementation yet. The summit is still in virtual session, and after the commentary period I think that group is going to move on towards discussing how to implement and make sites aware of the code. And I would appreciate any input from people here about that, or questions to bring back to them.

Thank you very much.

MS. FRAWLEY: Thank you. We are running a little bit behind on the time, and I know a lot of you have planes to catch. What I would like to suggest is that we forego the afternoon break and go right into our panel discussion. Then that way people can get to the airport without worrying about missing flights. So I'll throw it open to the members of the subcommittee for questioning.

Agenda Item: Panel 2 Discussion - Subcommittee

DR. ZUBELDIA: You have been talking about the code of ethics for the Internet Coalition. I was looking at this information that went around from the California HealthCare Foundation, and it shows that out of 629 pages retrieved in 50 searches, 99 percent of them don't disclose conflicts of interest. That seems to me like a very basic ethical principle. How are you planning on putting this code of ethics into practice? Are you looking at the seal of approval, another HON type of seal? Are you looking at some accreditation process, or something beyond just having a code of ethics?

MR. MACK: Well, we are exploring possibilities, but I don't think the coalition is not a standards organization. I think the data shows that consumers and others are just not -- the seals do not have one influence over them over another of whether they trust the site or not.

From the coalition's point of view, we are looking at other organizations that have experience in accreditation to perhaps take the code of ethics and create a set of standards from them, and that they will put into their accreditation processes. The coalition would act as the educational component for such practices.

So I don't think we are the accreditation agencies. I don't have a complete solution for that, but the other thing that I thought of that I would like to do, and de facto I already am a new kind of exists in these dot-com sites that I could call the other CEO the chief ethics officer. And I think other people mentioned that you might need somebody like that in these organizations, that has some authority to make ethical decisions that resolve conflicts of interest and so on.

DR. ZUBELDIA: For Bob, you talked about the AMA having access to the master file, and issuing credentials to physicians. That's only part of the equation. But in your initial statements there was also something that said digital credentials would uniquely identify individuals over the Internet. Are you looking at issuing credentials to other than physicians? Maybe nurses, pharmacists, or even patients?

DR. MUSACCHIO: We would not, but the thought is that if this model proves successful, we would approach other professional associations and try to create a health care digital credential; so for nurses, physician assistants, et cetera. We wouldn't be ours. We do not have that database, but certainly we could provide a template and work with them.

DR. ZUBELDIA: And the digital credential, do you envision it on a smart card type of credential?

DR. MUSACCHIO: I think it can be a lot of things. Right now it is software-based, but certainly down the road it can accommodate biometric smart cards, a number of things. But right now it's software-based.

DR. ZUBELDIA: How are you going to protect the privacy of that credential? For instance, the DEA is looking at something similar to issuing digital certificates to all the doctors that have a DEA number. Are you going to put like the license inside the certificate, or the DEA number inside the certificate? What will tell the recipient of the certificate that this is a physician, and still protect identity pieces of that that physician may want to keep private?

DR. MUSACCHIO: That will not be made available. That is just for the purposes of our internal matching.

DR. ZUBELDIA: But if it is published in the certificate, it becomes public domain.

MS. SCOTT: I may not be able to answer that in enough technical detail, but the model that we are using isn't necessarily baking those data variables into the certificate. It's not going to be widely visible or visible to the health site.

DR. ZUBELDIA: And the certificate is only part of the solution. The certificate identifies the physician. Then there has to be a software that uses the certificate for maybe a digital signature or access control or whatever you want to use it for. Is this going to be an open standard, or is it going to require Intel software to be installed at all the places that use the certificate?

MS. SCOTT: The technology that we are using is standard digital certificate PKI technology. It's an X.509 v3 cert. The policy implementation that we are working on with the AMA may be a little bit different in that we are really looking at trying to manage a network. We are very concerned about risk management and setting up a system so that you can allocate risk between all the parties within a system, and you don't end up putting all the liability for example on a physician.

So the policy that we're trying to manage the system under is a little bit different than a typical open PKI kind of infrastructure.

DR. ZUBELDIA: And what kind of applications do you have for it? You mentioned prescriptions. You mentioned access to the Website.

DR. MUSACCHIO: Well, essentially for example if WebMD, Healtheon is a customer. The functionality that they offer on their Website, this credential will be used to gain access and to execute those transactions. However, the business rules will remain with Healtheon WebMD.

DR. ZUBELDIA: I think it's a fantastic thing that you are doing. I would encourage the other associations to follow your lead, and to have a trusted identity piece that still protects the privacy of the holder of the identity piece. I think it's fantastic.

DR. MUSACCHIO: Thank you.

DR. COHN: I have two comments and then a question. First of all, I was going to ask a couple of questions about PKI. One would observe that after the patients become identified, this may be our national solution for a unique health identifier. It may solve the government from having to do that. So we wish you good luck in this process.

Actually, what I really want to do though, is first of all, Sam, I really want to congratulate you and the California HealthCare Foundation for what I think has been tremendous work in this area. I mean I think the funding of the initiatives that you have done over the last couple of years around privacy, and now around Internet and privacy I think is groundbreaking work. Being in California, I really do appreciate you all doing that for us. So thank you.

Now the one question I had actually was for Christine Varney, and I really did appreciate your discussion. I'm not a lawyer.

MS. VARNEY: That's all right, I'm not a doctor.

DR. COHN: I'm probably going to be legally incorrect, because I was actually very struck with your choice of words because I had been sort of concluding in my own mind that what had been going on was sort of inadvertent and unauthorized disclosure of health care information. And you have now termed it leakage, which I found sort of a groundbreaking choice of words, and may certainly depersonalize the whole issue.

But having said that, a question I asked some people this morning had to do with the issues of these current HIPAA regulations, especially around privacy and security. Now currently the scope is wrong for the Internet e-commerce, e-health situation, but would part of the solution from your view, and the view of the people you represent be to try to extend the scope of that legislation? Would the notices of proposed rules as you understand them, maybe not fit perfectly, but be a close fit for what needs to be happening?

MS. VARNEY: Actually, if I can, Doctor, my colleague Donna Boswell is here. And she has worked extensively on the HIPAA regulations, as well as on this project. Could I call on her to respond to you? She would give you a far more educated response than I would.

MS. BOSWELL: We have looked at that, and we do think that many of the basic structural things that are included within the notice of proposed rulemaking will work within the principles context. But some of the detailed requirements that are appropriate for people who are actually health care providers, just as Richard Smith was saying, they don't really transport into the health information sites in quite the same way.

So I think it's fair to say that you will see a lot of similarity with respect to the goals and the objectives and the principles, the core modes of operating, but some of the detailed requirements don't quite work. So at this point we are not saying that we should ask for the NPRM scope to be broadened up and expanded, but I think you will see a lot of similarity.

MS. VARNEY: There is also a comment that Donna was in large part the author of on the regulations from the Online Privacy Alliance, and you can find that comment at www.privacyalliance.org. And Donna, we need to check and make sure they are up there. I think they are. But we submitted comments last week on the scope of the proposed rules as they related to e-commerce more generally. And that might help inform your thinking, Dr. Cohn.

MS. FRAWLEY: Bob.

MR. GELLMAN: I would like to associate myself with several of the comments that Simon made. I also would like to congratulate you, Sam, for the work that you have done. I think it's really very important, and I think it's really been very eye opening.

One of the things that you showed in your slides on the poll is that people are suspicious of the ethics of Websites. Do you think based on the findings of the survey, that people are justified being suspicious?

MR. KARP: Yes, I think it's pretty clear. I wanted to comment on what a couple of other people said, but I'll hold my comments so you can ask your questions.

MR. GELLMAN: What are your views on the prospects for self-regulation being effective in this area, in the e-health area?

MR. KARP: Well, I guess as we look back over the last couple of weeks, we are relatively encouraged by some of the developments. I am encouraged by Christine's remarks and John's remarks today, and I participated in one of the two days of the e-health ethics summit. And the foundation was one of the financial sponsors of that summit, because we believe it's important to bring all these players to talk about it. It's a complex issue. It's a new world, and it requires new solutions. We just apply old rules to it.

I have been encouraged by some of the statements and actions of some of the health Websites that were identified in the report, and others who have contacted us and said that the report actually provided some clarification for them, and some direction about disclosure. And there have been some changes.

Richard mentioned that in going back and looking at some of the privacy policies, they have actually changed. I would like to see some of the practices change as well. It's one thing to disclose a bad practice. It's another thing to hide it. I have been encouraged by the fact that the media has picked up on the issue to the extent that it has, so that consumers are made much more aware of some of the concerns that have been identified, and may be able to take appropriate action themselves. I think that has been particularly important.

I have been encouraged by the fact that the FTC is looking at this issue very seriously, and particularly issues that have been raised repeatedly about deceptive business practices may in fact get a fair hearing.

I have been encouraged by the fact that a number of the security leaks that Christine mentioned that were discovered in the report -- and by the way, because Richard Smith who did the investigation and discovered most of the security leaks, we actually notified all of the companies the day before the report was released in detail about the kinds of leaks that we saw, where there was a potential for databases to be accessed without proper authentication. And from our understanding, most of those leaks were fixed immediately. And the response from the companies was quite appreciative.

I have been encouraged by the fact that we have now had a dialogue that has begun with a number of these companies, and I think dialogues amongst a number of players that will begin to address some of these issues. So I don't know if I can speak fully to the issue of whether self-regulation will solve all the problems. I think I'm somewhere in the space that Christine described.

I also have followed the HIPAA regulations, and this is such a changing industry. We have had convergence just in the last couple of weeks between a major information provider on health and the Healtheon WebMD world. We have also had the Medscape/Mediconsult convergence merger, which brings together a variety of players that may in fact fall under the definitions under HIPAA that a couple of weeks ago we said were outside of those definitions.

So the world is changing very fast. At one point we'll all be celebrating removing 'e' from e-health and just go back to health, but right now the 'e' seems to be very active.

MR. GELLMAN: Let me just follow-up. You talked about using some of your resources to develop some other kinds of technology in this area. It seems to me that whether it is you or somebody else, I think there would be a dynamite business in developing a privacy browser. I think there would be a tremendous market for a browser that really acted in a way that prevented the disclosure of information, gave people more control, or just stopped some things from happening. So if you guys want to go in that direction, I certainly encourage it.

I, too, like Simon was struck with the word "leakage." But for me, leakage means wanton indifference. I mean this isn't rocket science here. We know what we're talking about. We know we're dealing with sensitive information. And the truth is that the companies that allowed leakage just didn't give a darn. I think that's what the effort that you produced showed.

I have some questions for you, Christine. Do you represent Doubleclick?

MS. VARNEY: Hogan and Hartson has a number of clients, and as you know, Bob, that's a matter of privilege that I can't disclose. But I do represent the Online Privacy Alliance, which Doubleclick has engaged, 24-7, many other companies are in the Online Privacy Alliance.

There is also a group called the Network Advertising Initiative, which is the ten largest Internet network advertisers that are working on the best practices framework. They are currently actually negotiating with the government, the Department of Commerce and the Federal Trade Commission what that document ought to look like, and Doubleclick is a member of that organization as well.

MR. GELLMAN: Well, my spies tell me that you do represent Doubleclick, and --

MS. VARNEY: That is for any of my clients to disclose, not me.

MR. GELLMAN: Fair enough. I have also heard rumors that there has been some dissension within HI Ethics about your representation of Doubleclick. I don't suppose you would care to comment on that?

MS. VARNEY: I actually haven't heard it. I would be happy to comment on it if you like to share it with me.

MR. GELLMAN: Well, that's pretty much it. It seems to me that you have a problem -- and you don't have to respond to this if you don't want to confirm that you work for Doubleclick -- that working for Doubleclick, and working for the companies that are their customers, when there is a clear concern about the exchange of information between the two, is a serious problem, and I'll leave that for you to resolve.

MS. VARNEY: Well, Bob, I would certainly hope that if any of our clients are in the same as I am, if any of our clients ever had a question of whether or not there was a conflict, they would bring it directly to us. And that in any way that I would doubt your assertion, but I certainly have not heard that, and I'm in regular contact with all of the members of HI Ethics.

MR. GELLMAN: It was a rumor from a source of reasonable quality that I felt was worthwhile passing on.

MS. VARNEY: Oh, great, well, who was it, and I'll follow-up?

MR. GELLMAN: I'm not going to identify my source.

MS. VARNEY: All right, so this is an anonymous allegation.

MR. GELLMAN: Not to me. If you're not going to identify your clients, I'm not going my source.

MS. VARNEY: I'll tell you what. If you would like to have your anonymous source give me a call, I would be happy to address any question they have about Hogan and Hartson's adherence to the ethical canons in both the DC Bar and the American Bar Association.

DR. ZUBELDIA: It's a de-identified source, not anonymous source.

MS. VARNEY: And Bob is the privacy filter.

MR. GELLMAN: I would like to ask you about the HI Ethics group. You went down the list of members, and I think pretty much what I heard were dot-coms.

MS. VARNEY: Yes, I think there are a couple that are not dot-coms, but yes, they are for the most part dot-coms.

MR. GELLMAN: Can you offer us any assurance that this isn't going to be another industry run, industry driven, industry controlled privacy policy generator, ethics, whatever, just like the policies we've gotten out of the DMA or the IRSG, or for that matter, the OPA, which is better than some, but not necessarily all that good?

MS. VARNEY: No, Bob, I would not offer you that assurance. That's exactly what this is. This is a group of dot-com e-commerce companies that are trying to take the highest ethical standards that are established by groups like the Internet Healthcare Coalition, as well as their own ethical standards representing whatever professions they come from, and adopt them to the commerce space. That's exactly what it is about.

MR. GELLMAN: Well, of course we'll all see what comes out the other end. But we have yet to see an industry group come out with a privacy policy that meets international fair information practices standards. I'm curious. We have two different efforts here. There is some talk from both of you about -- I don't know how to describe it -- some degree of flying in formation or working together or whatever.

But it is interesting to see the list of the Internet Healthcare Coalition. There is a long diverse list, including ethicists and foreigners, and lots of others, individuals. So there is clearly a broader-based activity. And I just wonder if either of you see the likelihood of conflict down the road, because it seems to me that the dot-coms have an interest that has the potential to be significantly different than the interests of everybody else.

MS. VARNEY: Well, I'll let them speak for themselves. I don't see any potential conflict. The dot-com space, I think their goal is to create trust and confidence in what they are doing. In order to do that, they need to promote the highest ethical standards. So I certainly wouldn't see a conflict.

MR. MACK: Well, I don't think I see a conflict either. I think they have special needs, and they want to address those needs before they bring it to a more open forum, which I think will eventually happen. That's why we are keeping the lines of communication open. I don't know if we are flying in formation -- is that what you said? I think we are all flying towards the same goal, let's put it that way. And I think we have had influence on each other.

And I hope that the coalition, because it has brought together a number of different stakeholders and very talented people, has made some impression upon the whole industry. If we have done that, then I think we have accomplished a lot.

MR. GELLMAN: Well, you have published a draft code for public comment. Will HI Ethics do the same thing?

MS. VARNEY: Yes, that's our intention, although we will not be accepting anonymous comments. We would like to know who makes the comments.

MR. GELLMAN: Fair enough. I might point out, however, that HHS did accept anonymous comments on its privacy regulations, but you are not required to do so.

DR. ZUBELDIA: I have a question for the entire panel. During the interoperability pilot, it was a pilot of PKI technologies to see what works together, and what doesn't work. One of the surprises at the very beginning was that the security industry had been talking for years about PKIs and about some certificates and certification revocation.

Then you go to the products like the browsers or the email products and most of them don't even implement the certificate revocation. Those that implement the certificate revocation, it is so cumbersome that it is impossible to use. Most of them don't implement security access integrated with the certificates. It is just a function. The certificate is there, but it's not integrated. So you can't really put into practice what they are preaching.

I'm seeing here the same thing happening. Even those that do have a privacy statement in their Website, don't comply with it. It's just words. How can we make sure that this code of ethics, that these privacy statements are actually in practice?

MS. VARNEY: One of the things that we can do -- I think there are a lot of parts to this puzzle, but to go to your last point, as a former federal trade commissioner, I can tell you that whenever an entity posts a privacy statement and says this is what we do, if they are not doing that, they are susceptible to be prosecuted under fraud and deception statutes both by the Federal Trade Commission, by the Department of Justice, by the 50 state attorney generals, and indeed there may be a basis for private actions, depending on the resulting harm.

So one of the things that we have worked very hard on in the commercial sector for online privacy is to get companies to adopt privacy practices, and to post them. Because the moment you post them, you are able to be prosecuted for violating those policies.

Now clearly from my perspective, we need more enforcement resources. We need more federal dollars and more state dollars frankly, dedicated towards enforcing and policing these practices. You know, one of the things I learned when I was at the Federal Trade Commission is passing new laws doesn't stop bad actors from doing bad things. It does give the government more tools to apprehend criminals and wrongdoers.

So one of the questions that I always think about when I'm looking at this space is where is law enforcement currently lacking? And what additional tools do we need to prosecute? So in this instance, if you can get somebody to post a privacy policy, which is not compelled, and that may go to part of your question perhaps. Particularly with sensitive information, we need to think about compelling people to disclose exactly what they do.

Disclosure is a great cure-all, because if people don't want to tell you what they are doing, they shouldn't be doing it. So it's a complicated mosaic, but there are some tools in place today. The FTC has brought several prosecutions, the state attorneys general have brought prosecutions. There are a number of private plaintiffs' actions pending right now against a number of companies, and I think we are seeing the evolution of law in this space.

MR. MACK: I think what everybody has in their mind are the 20 or so big commercial Websites, and it's going to be pretty easy to monitor those, and they get a lot of traffic. But, however, consumers just don't go to the 20 big Websites. They can go anywhere they want, anywhere in the world on the Internet. I personally believe it is impossible to regulate or to police that if you had the regulations.

So it can't be a solution. I just don't believe it's a solution. It's not a solution just to force sites to have a privacy policy, because desperate people will take desperate measures to go anywhere in the world, to maybe even find information they want to find. The point is I think anything that you do, there has to be a component of education of the consumer.

I think we went through this with the World Health Organization in which they were trying to come up with a policy to regulate the cross border sale of pharmaceutical products. And they suggested that every single health Website -- this is a trial balloon they had -- every single health Website should be registered with the appropriate agencies in the country where they do business.

They didn't mean just the sites that were selling stuff. They meant every site that offered information. And we found that would be very chilling on the freedom of speech, not to mention the other kinds of freedoms that we take for granted here. Therefore we issued a statement that said we need to do more in terms of educating the consumer.

And eventually that's what the World Health Organization did recommend, as does the Federal Trade Commission, because we are also working with the Federal Trade Commission, and trying to do some things with them to help consumers report health fraud on the Internet for example. So really I believe it comes down to the users themselves.

DR. MUSACCHIO: I have to piggy-back on that, education, but I would go one step further. I think not only do you have to educate, and continue to educate the end user, but also the people who are deploying these sites as well. Mr. Gellman's comment about reckless indifference regarding the leakage, I think that's probably true. But I think that also things are happening so fast that people don't understand the consequences.

To your point, Christine, if people understood the repercussions of posting a policy statement about privacy, if they understood the consequences of that, they would change their behavior. So it is about education. It is about disclosure. And it's basically about eventually this is a new market.

In the medical publishing business there are trusted brands, the New England Journal, to name a competitor, the Journal of the American Association. Those have evolved over 100 years. They are trusted. I think the same thing will happen in this space. The trusted brands will evolve, and they will be the ones that are adhered to strict policies and procedures. They will do what they say they are going to do.

MR. KARP: I concur with what's been said, but I want to highlight something that Christine said earlier, because I think it's probably the next sleeping giant. And that is the issue of content. And the blurred line that often occurs between what is scientific or medical information and what may be promotional or marketing information.

I've had personal experience in the last couple of months with illnesses in my own immediate family of wanting to go to the Internet and look at medical information so that I could understand just what does a pacemaker do. And I did a few searches, and I'm a pretty experienced Web user, and it was very difficult, one, for me to differentiate what site I was actually on, and two, where was the source of the information that I was reading.

So I'm pleased to hear -- and I know that the Internet Healthcare Coalition is addressing it -- that HI Ethics is also addressing this issue of source content and differentiating what is actual scientific and medical content from promotional information. I think it's a critically, critically important issue.

DR. MUSACCHIO: I just want to add to that. There are guidelines regarding the need to disclose or differentiate between them. They still need to evolve. But in addition to that what needs to be clearly understood is the juxtaposition of advertising to content. Even though you may know the difference between the scientific content, if you juxtapose an advertisement about that, it tends to be misleading, because it tends to give authentication.

In fact, the Nicorette advertising that is juxtaposed to the survey there would give credibility to take Nicorette. It's almost an endorsement of that product. So those things have to be very carefully delineated. In the paper world that is. Advertising and content cannot be in the same well.

MR. GELLMAN: I just have three quick comments. First, I would like to thank Gail and Gracie for the work they did in putting the hearing materials together. I think they really did an outstanding job, and we're all grateful.

Second, there were a number of comments made here about the evolving nature of activities here, and I think those are perfectly fair, and I think that's true. And I'm not sure that's an excuse for everything that has happened, but I mean I think the fact that this is a changing environment, and there are lots of new things happening, and hopefully things will get better.

Finally, I want to make a comment on enforcement. If I had a dollar for every time someone in the business community talked about the FTC enforcing privacy laws, I could fly everybody in this room to Paris, first class. If I had a dollar for every time the FTC actually brought a privacy case, I couldn't buy myself a hotdog.

Nevertheless, I think that Christine was right, there is more action at the state level. I think there are two other developments here that I find encouraging as enforcement methods for privacy. One of them is the trial lawyers. The trial lawyers are suing everybody that violates their privacy policy, and I think this is actually very helpful.

You may not like the trial lawyers. I may not like the trial lawyers. But I think they are very important in enforcing these policies that are put up, and I have no knowledge of this at all, but I wouldn't be surprised if as a result of this California HealthCare Foundation report, if there aren't some lawsuits filed against some of the companies for violating their own privacy policies.

I think the other encouraging development is what happened to Doubleclick on Wall Street. Doubleclick has clearly gotten into a lot of trouble on Wall Street, and their stock has gotten killed. And I think that the valuations of some of these companies that don't have decent approaches to privacy, if that affects what happens on Wall Street, that will affect what happens in the companies and on the Websites. And I think that if Wall Street rewards companies with bad privacy policies, then we are really going to have to see legislation in this area, because there won't be any alternative.

MS. FRAWLEY: Well, I would like to thank our panel very much for a very informative discussion. And again, I would like to thank Gail Horlick, who put this entire hearing together. She did a wonderful job in bringing all of you and our morning panel to us.

With that, I will adjourn the meeting.

[Whereupon, the meeting was recessed at 3:30 p.m.]