Department of Health and Human Services

National Committee on Vital and Health Statistics

Subcommittee on Privacy and Confidentiality

Meeting Minutes

February 25, 2000

The meeting was convened at the Hubert Humphrey Building in Washington, DC, on February 25, 2000. The meeting was open to the public. Present:



Other NCVHS Members Present:

Staff and Liaisons:

Others In Attendance:



Ms. Frawley called the meeting of the Subcommittee on Privacy and Confidentiality for the National Committee on Vital and Health Statistics to order and immediately noted recent articles in the popular press highlighting citizen concern over privacy issues raised by the Internet’s ability to collect and disseminate health data. Articles in USA Today and Newsweek helped to raise questions that Ms. Frawley hoped the subcommittee could address and make recommendations on after hearing from various panels today. The subcommittee members introduced themselves, followed by panel members and members of the audience. Then Bob Gellman gave an opening statement.

Mr. Gellman said although a variety of health information services are available on the Internet, his remarks would concentrate on websites collecting identifiable health information from consumers for non-treatment uses. He stressed that while “Not every player in this industry is a bad actor, there are enough to go around.” Many of the Internet websites are trying “to make a buck by trafficking in identifiable health industry that acts through ignorance, indifference, or deception to wheedle health information from consumers to sell for the benefit of shareholders.”

He said HHS is currently preparing privacy regulations under HIPAA, but unless a website is treating patients it will not be covered by these regulations. Consumers must rely on the honesty and integrity of an industry that finances itself by selling consumer data. He pointed to a recent California HealthCare Foundation report that shows some disturbing trends in an unregulated industry. Mr. Gellman said some of the self-policing efforts have been grossly inadequate and pointed to the Health on the Net Foundation’s code which says little about privacy and offers data subjects no protections. Many online companies do not prohibit the buying and selling of personal information; often what codes do exist are designed to dupe the public into thinking privacy is protected when it is not.

Mr. Gellman gave the example of confidential patient/doctor communications. If the patient discloses this information to a website for storage or use, all confidentiality may be lost. He said he had not seen websites that warn patients of this potential loss of privacy. He then went on to critique the company DoubleClick and said it should not be allowed to monitor visitors to health websites. DoubleClick identifies users of health websites and often secretly shares this information with its business partners. Predatory advertisers and others can then make use of this once confidential health data. Lawsuits have been brought against DoubleClick, Amazon, RealNetworks and others, but to little effect, Mr. Gellman said. He said many websites change their privacy policies with little or no warning to users.

Mr. Gellman believes health information websites should operate under the strictest of privacy standards. Notices should identify all risks to consumers that may result from storing health information or from visiting a website. He said complete anonymity should be standard on health websites, and when anonymity is not standard procedure, complete audit trails should be available to the health consumer and/or data subject. Mr. Gellman also said independent verification that privacy standards are being followed and implemented should be routine, as should disclosure of all uses of the data.

With the Internet currently largely unregulated and in a period of constant flux, Mr. Gellman offered three simple rules as to when to exit a website immediately: if DoubleClick has an ad on the site; if the site asks for your name or other identifying information; and if the site says its privacy policy is subject to change without notice. A good website will have no trouble meeting and surpassing these three rules.

He said the California HealthCare Foundation report documents a pattern of lies, misrepresentations, inconsistencies and privacy invasions that are all too common in the Internet industry today. Mr. Gellman expressed disappointment that an invitation to the Pharmaceutical Manufacturers and Research Association (PHMRA) to testify at the hearing was refused. He issued a public challenge to the drug industry to come forward and discuss its privacy practices and policies.

Ms. Frawley then turned to the first panel member Janlori Goldman.

Agenda Item: Panel 1 -- Janlori Goldman, J.D., Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University

Ms. Goldman said empirical data garnered from a number of surveys indicates that lack of privacy in the health care setting often acts as a barrier to people seeking care or undermines the kind of diagnosis and follow-up treatment they get because people don’t trust how the information they share will be used. She said to evaluate the rush to health care on the web and what many call “bricks-and-mortar operations,” the FTC has done a series of investigations into whether websites are protecting personal medical information online. To this end, her group got together with the California HealthCare Foundation to evaluate how well stated privacy policies were being implemented or practiced in reality on 21 websites that specifically provided health information. Ms. Goldman’s group used a set of well-established and accepted privacy policies used to create federal legislation some 30 years ago to evaluate privacy policies and practices at these websites.

The study found that universally privacy practices do not match up with stated policies. While 19 of the 21 websites did have a stated privacy policy, they all fell short in two major ways: they failed to address comprehensively fair information practice principles and the stated policies were not matched in actual practice. Some typical policy flaws included inadequate notice about what was being done with the user’s information; an inability of users to access their own information at the site; and, most critical, the inability in most cases of users to have a say about whether or how their information is disclosed or to limit disclosure. Most disturbing, Ms. Goldman said, was the fact that many sites explicitly disclaim any liability for the actions of third parties and others who might access the site or the user’s information. Banner ads clog many sites and visitors to the site often cannot distinguish between the different companies running them; they might fill out a survey and not understand that privacy protections offered elsewhere on the site do not apply.

Many people think they are anonymous if they are just browsing and have not filled out any health assessment or registered at a site. But this is not the case. At many sites, information about them is being collected whether they click on an icon or an ad or not. Profiling data is also collected at many sites when you register to receive a health newsletter, renew a prescription on-line, participate in a support group, or fill out a brief survey on a mental health or AIDS site. How this data is used and who gets access to it remains a huge, unanswered question, Ms. Goldman said.

Following an analysis of the survey data, Ms. Goldman’s group made four recommendations to the Internet health community, which also dovetailed with the public’s concern for greater privacy. They are:

Ms. Goldman said since the report was issued, some sites have disappeared or merged with others. The Internet Healthcare Coalition has also issued a draft set of e-health ethics policies that includes a privacy policy. She urged everyone to review it and comment on it. Five members of the FTC called for an investigation into privacy on the Internet and Sen. Robert Torricelli (D-New Jersey) introduced an Internet privacy bill. After trying to encourage various Internet providers to come up with a strong way of policing themselves regarding privacy issues and failing, Ms. Goldman said the Department of Health and Human Services now has a draft set of federal regulations on medical privacy which should be finalized by early summer 2000. More than 30,000 consumer groups have filed comments on the proposed HHS regulations, she said. However, she warned that many of the privacy concerns raised in her report will not be covered by the federal HHS regulations. This is because these Internet sites are not health plans, they are not health providers under the definition used by the HHS, and they are not health care clearinghouses in the traditional sense. So, there are still large, unregulated areas of concern to privacy advocates.

Ms. Goldman closed by saying while the Internet offers fabulous opportunities for connecting, obtaining and sharing health information, the drive to make money from these same services makes privacy issues a very low priority for most website designers or businesses.

Agenda Item: Panel 1 -- Calvin Wiese, CEO, HealthMagic, Inc.

Mr. Wiese explained that his company develops personal medical records and has spent four years and about $10 million creating technology designed to deal with privacy concerns raised before the subcommittee today. He said they have a system that provides consumers with interactive, personal health management tools that allow them to store and access lifelong, personal and confidential health information.

He explained that once a consumer authorizes HealthMagic to receive their personal health information, all data received is incorporated into their lifelong health record. Future dissemination and access is then strictly controlled by the consumer. The Internet offers consumers a health records management, storage and retrieval system in an on-line environment that must never be violated. Consumers, not businesses, need to control this information. No further disclosure in individually identifiable form should be permitted without the explicit consent and authorization of the consumer. HealthMagic does not permit access to anyone’s records, nor will it package, sell or market health information received to any businesses. If consumers request specific marketing information through a personalized email or other message, HealthMagic will, with permission, evaluate the consumer’s health information and send them targeted information about health services and products, but no other businesses will have access to the identities of the consumers to whom these messages are sent.

He said until the medical Internet providers establish a way to positively link individual identities across enterprise boundaries and information connections, effective integration of individual health information using the Internet will not be achieved. Many thought the logical way to proceed was to create a unique health identifier and to overcome the high risk of errors associated with the current record keeping system. But privacy concerns have overwhelmed the efficiency considerations on this issue. Mr. Wiese believes that any use of a single, unique, individual identifier will result in a serious erosion of health information privacy that will injure consumers.

The answer, according to Mr. Wiese, is for each health care enterprise that is linked to, or is used by the consumer to have its own specific identifier. This mechanism would bind the consumer’s identity across episodes of care, or across various health enterprises without requiring the adoption of a national identity system, or a disruption in the existing record keeping systems used by various health care providers. Granularity is the second dimension of access control demanding attention, he said. Consumers must be given the power and ability to limit access to particular health data for particular entities and we believe consumers must be given the right and the functionality to do that. For example, in a medical emergency consumers may give unlimited access to emergency rooms or urgent care centers. On the other hand, there may be data of sufficient sensitivity that they do not want to disclose it at all, even to their own physician. In summary, Mr. Wiese remains optimistic that with proper controls, and by making Internet health information systems consumer-centric, the new technology has the potential to revolutionize the way health services are delivered, reduce medical errors and make consumers better managers of their health care.

Agenda Item: Panel 1 -- Sam Sugar, MD, F.A.C.P., President,

Dr. Sugar, an internist for 26 years who recently retired as medical director of E&H Medical Group where he supervised over 500 physicians at three hospitals, said he created his website because he wanted a tool that could enable patients to interact with him over the telephone, in person and across a wider spectrum. His patient-centric company,, started in summer of 1999. Dr. Sugar said concerns over illegible prescriptions, poorly organized medical records and the lack of compliance by hospitals accredited by the Joint Commission on Accreditation for Health Care Organizations motivated its founding.

The website offers customized self-health assessments, but does not sell the information to other on-line businesses. Dr. Sugar says the health data information revolution means that if the emergency room calls him at 3 a.m., he can go to his PC, and with the patient’s permission, access all his/her medical records. The technology allows him to treat a patient with greater speed, efficiency and thoroughness because he does not have to wait for paper records or charts. He said the transition to on-line medical records could be a rough one, but ultimately it will improve the quality of medicine patients receive provided the control of the information remains in the hands of licensed physicians and patients.

Dr. Sugar illustrated through slides what information the website company collects. The 19 categories include a typical medical chart for each client/patient, contacts for emergencies, preventive health information, hospital preferences, a general health questionnaire, insurance and HMO updates, and even health information about pets, to cover times when the patient/client is out of town. offer an optional clinical update service in which the provider can enter lab results, x-rays, EKGs, and MRI results, but only if the patient grants the provider permission to do so.

He then compared electronic medical models being prepared by the CPR Work group and by Peter Wagemann. The electronic medical record is different from the paper model in that it is a permanent, non-modifiable medical document, rather than a fluid one. The electronic model also excludes the patient as the source of control for their own information. To integrate the Internet and the electronic medical models questions about shareability, connectivity, and naming conventions all need to be answered. The HIPAA does not now cover the Internet-based model, but Dr. Sugar hopes eventually the integration of the two systems can take place without spending billions more on a new system. But all these new Internet medical information systems need much stronger ethical financial models.

Agenda Item: Panel 1 -- Thomas Booth, MD, MS, Vice President, Medical Affairs, Editor-in-Chief,

Dr. Booth, a former urgent care and emergency room physician, previewed his company’s medical website, which shares many characteristics with Dr. Sugar’s. Some unique aspects of include the fact that it has a built-in fax option, because not all of the world is wired for the Internet. Patient information like a baseline EKG, an MRI, current pharmacy or lab records can be faxed to an emergency room, for example.

Dr. Booth said access to this kind of information in a timely fashion can help save lives, because patients in the midst of a health crisis often are in pain and cannot recall the names of the drugs they take, their allergies, or even the names and phone numbers of their doctors. A person with a history of coronary illness can have an angiogram or a baseline EKG stored electronically at the hospital and then it is instantly available (with the patient’s permission) if he/she become ill again. The information would not be disclosed or sold to anyone.

Dr. Booth’s system would make use of an emergency card that patient/clients carry in their wallets. The information on the card would include a PIN number and the fax ID number which would grant READ only access to medical information. By giving the emergency room physician the card, the patient would allow the doctor to download his/her emergency summary. The patient can also access the record, using a separate password and ID information not encoded on the card, and update and change their own record. Patients can opt not to have a PIN number encoded on the public card if they so choose. At the time of Dr. Booth’s presentation, more than 100,000 website members were using the electronic medical record system.

A basic website member at creates their own personalized medical page, with medical records and access to medical newsletters or bulletins of various disease topics of interest to them. This information is encrypted and not shared with anyone. Advertisers on the website can display ads to people of certain demographic or medical subgroups, but a patient’s particular disease profile is never disclosed to an advertiser.

Dr. Booth addressed the DoubleClick issue because the site uses this technology to serve up its ads. He said PersonalMD has a specific contract clause with DoubleClick which prohibits them from accessing site information. Patients also receive an automated email whenever their site is accessed as added security. They also use Secure Socket Layer, or SSL, for data encryption during transmission, a VeriSign Certificate, firewall server protection and the data base is encrypted. He said the idea is to give consumers a choice about the amount and the kind of information they enter into their personal medical file, how often they correct and update it, and a choice to opt out of the data base entirely at a later date.

Agenda Item: Panel 1 -- Tanya J. Glazebrook, President and CEO, MedicAlert Foundation

Ms. Glazebrook said her background is in customer-oriented organizations and strategic marketing, and she is a former leader in United Way. She has headed MedicAlert Foundation, which has 2.7 million members in the US and another 1.3 members worldwide, for five years. MedicAlert members receive a bracelet and support from a 24-Hour Call Center. The bracelet also includes specific medical information germane to that individual, e.g., allergies, medications, blood type or if they are insulin dependent. Additional medical facts can be stored at a confidential central data base and accessed by an emergency responder through the Call Center in a medical emergency.

MedicAlert also operates a registry service, which the FDA used in 1989 to locate and notify individuals that might be affected by the defective BSCC heart valve implants. This is a confidential registry that companies are under court order to maintain; the company is also the official designated provider of repository services for pre-hospital and do not resuscitate orders (DNRs), and advanced directives for seven states. Members of MedicAlert can opt to store this information about whether they want to receive heroic medical care to keep them alive in their own personal MedicAlert member database file. The group also provides repository services to vulnerable children with high-risk medical needs. Ms. Glazebrook said MedicAlert always receives prior written approval for all storage and transfer of information and is taking steps to ensure that the information loop between members, MedicAlert, and emergency personnel remains closed.

She said the company’s policies preclude selling, renting or loaning any part of the records including names, addresses, or medical information. Ms. Glazebrook said only under court order will the company release information about a member requested by law enforcement. She said MedicAlert will continue to employ strict privacy and confidentiality protocols as it expands Internet-based services. A secured Web server, secure firewalls on both hardware and software, an uninterruptible power supply, back-up generator and a back-up server stored off site are some of the security features the company employs for its Internet services. She said since MedicAlert is a non-profit organization, it made the decision to move cautiously in any expansion of member services. Companies frequently approach MedicAlert with partnership ideas, but most are interested in drilling into their database of 3 million people with medical conditions, and are turned away.

Ms. Glazebrook said technology will soon allow the safe and secure transfer of medical records, but it is not here yet, despite some commercial claims to the contrary. MedicAlert is exploring partnerships with two companies who are developing a secure Internet smart card. She said the company is not a virtual company, but a 24-hour bricks and mortar business, supported by real staff, that has an Internet presence. Many members have emergencies in parts of the world where modems are not available and so MedicAlert’s access by telephone is important.

(There is a break of 5 minutes)

Agenda Item: Panel 1 Discussion/Subcommittee

Ms. Frawley invited questions for Sam Sugar because he has another commitment and must leave.

Dr. Cohn asked Dr. Sugar to explain why he thinks HIPAA privacy and security rules should NOT be expanded to include the types of practices discussed by presenters today, including paper-based records.

Dr. Sugar said currently HIPAA rules do not apply to paper-based medical records but they do apply to the 20 percent of medical records in the EMR format. HIPAA is specifically silent as regards Internet-based personal health records and he thinks it should stay that way because these companies and methodologies will evolve over time. He thinks if the medical records are overregulated, people will feel even more insecure. People don’t want the government to have access to their private medical records right now. Dr. Sugar is not a proponent of HIPAA coverage for IPHRs, because he believes consumers must guarantee this data.

Dr. Booth said has taken steps to become fully HIPAA compliant, including a fully-encrypted data base and having information de-identified. He said his group sees it as being beneficial to be HIPAA compliant.

Ms. Goldman said there are broader issues than those being discussed today and said the scope of the regulations as they apply to health plans, providers and clearinghouses is inadequate, because Secretary Shalala is conscribed by the delegation of authority under HIPAA. New legislation would be needed to broaden the scope of HIPAA. Right now she said medical information that is only in paper form is not covered but IS once it is in electronic form as well. She said people’s expectation of privacy should be mirrored in actual practices. She said it is important to make policies that are forward-looking as well as flexible and to do it while the Internet technology, as it applies to record keeping, privacy and security, is still in the nascent stage.

Ms. Goldman also emphasized government regulation does not mean government access, and said there is nothing in the federal regulations that would require access to identifiable data.

Mr. Wiese said entities like HealthMagic will not find it hard to be in compliance with HIPAA. He said consumers should have the right to request that any electronic standardized HIPAA transaction involving them be placed in their personal medical record. He thinks an agency something like FDA should enforce standards and regulate websites to “keep the riff-raff out.”

Ms. Glazebrook said many members of MedicAlert are elderly, vulnerable people with multiple conditions and they need, and seek, some kind of protection when it comes to medical information on the Internet. Many of these same people are not capable of fully understanding privacy statements and worry about inadvertently signing away their rights.

Mr. Gellman stressed the need for ethical business models along the lines of what Dr. Sugar proposed earlier. But he said that some groups that Dr. Sugar’s start-up company uses, like Health on the Net Foundation and Trust-E System, are not very good. In fact, Mr. Gellman said they are insufficient in the privacy area because they allow you to disclose information with an opt out, rather than with an opt in.

Mr. Blair said that he found the briefing book riveting on the issue of privacy and security. The services talked about today and being offered by Internet websites are valuable, but is it really possible to offer ironclad privacy, confidentiality and data security? DoubleClick is the most obvious obstacle to this security right now, he said. He questioned the ability to have advertisers sharing the same website displays with the idea of ironclad security and wondered to what degree advertisers are able to capture information and then piece it together with new bites retrieved at a later time. He said if the Internet business model is used here, it assumes that these websites are all trying to sell and buy information and that raises a lot of troubling issues.

Mr. Wiese said it is not possible to have an ironclad security/privacy agreement, but that it is possible to build in significant safeguards that will minimize breaches of privacy. He does think it is possible to keep information out of the hands of advertisers.

Dr. Booth said Yahoo and some of the biggest names in Internet business have been in collective denial over attacks to their systems. What is needed is to compare the security and privacy that is achievable today on the Internet with the kind of privacy that paper records and charts enjoy today in most hospitals or offices. Nothing prevents someone from walking away with a patient’s records; the same is true for insurance companies’ files: there are lots of security breaches in the paper record systems. He said people today are mobile, they see several doctors a year, not to mention a lifetime and can end up in numerous emergency departments across the world. He said if information is locked up so tight that no one sees it, or doctors can’t learn from one another, it is doing no one any good. But finding ways for information to flow between different health providers, automatically opens the possibility of security holes. He said his company is constantly reviewing its relationship and contracts with all companies and advertisers it deals with, including DoubleClick to make sure they are not using or recombining information.

Ms. Glazebrook said to Mr. Blair: “as long as there is a perception among venture capitalists or wannabes that there is money to be made on medical information,” the business model with all its confidentiality and privacy concerns will continue, which may apply, while HIPAA privacy standards do not. He asked Dr. Booth if he considered his service to be providing treatment to patients. After Dr. Booth responded, “No,” Mr. Gellman read him what Gellman called a “highly misleading” sentence from the PersonalMD privacy statement: “we regard our relationship with our members as privileged as a doctor-patient relationship.” Dr. Booth said technically it is NOT the same but that the website is trying to rise to that level. Mr. Gellman also criticized the disclosure statement of PersonalMD and said it basically allows disclosure of information to anyone.

Mr. Gellman also questioned the “opt out” policy of PersonalMD and how it is used. Mr. Gellman asked Janlori Goldman if her committee had reviewed the PersonalMD website.

Ms. Goldman said they had reviewed it and she asked Dr. Booth if he was aware that DoubleClick was using cookies to track visitors to PersonalMD. They did this by looking behind what is transparent on the site and found that they place the cookies on the DoubleClick site rather than at the PersonalMD site. She said that DoubleClick may then be recombining this information on patients to develop a marketing list, in keeping with their stated business goals. In fact, DoubleClick is transmitting the URL and information about the page the consumer is entering, e.g. on diabetes, and then passes on registration and other information. Perhaps the email address of a user is also transmitted using a cookie.

Dr. Zubeldia noted that right now when a user accesses an outside site like DoubleClick, the base page address is always in the URL and one cannot prevent it from going out. So you have to be careful what is included in the URL; for example, PersonalMD has a log-in ID of the user, which then automatically gets transmitted to DoubleClick. The email address could also be sent to the server if DoubleClick is using FTP rather than HTTP to serve up its ads. She asked Dr. Booth to clarify DoubleClick’s interest in PersonalMD if it cannot access the information, and to clarify how users can get into their own records to correct or update information there when it is encrypted and therefore not accessible to the PersonalMD technicians.

Dr. Booth said users only use email to contact the site if they cannot figure out how to change their records themselves or if something is wrong with the hardware. In that case, a technician will get back to the user and explain to them how to go into their record and update it, “but the system won’t make the change.” Dr. Booth also described the encryption system used by PersonalMD and Dr. Zubeldia raised questions about the maintenance of domain-specific identifiers that individuals use, saying these are more secure and less a risk to personal privacy than sites where all a person’s records: mental, dental, medical, pharmacy, hospital, etc. are kept in one place.

Mr. Gellman asked Ms. Glazebrook about the practicality of all this electronic medical information. Do doctors actually have the time to access it? Do emergency rooms have Internet access? How realistic is the whole system for long-distance retrieval?

Ms. Glazebrook said MedicAlert takes its counsel from the American Academy of Emergency Physicians and reviews the type and amount of information it retains on a yearly basis, using a panel of doctors. Physicians typically find only a limited amount of information useful in an emergency situation and it is information they need immediately. MedicAlert stores information in a hierarchical pattern, with the most important at the top. Most of the time the hospital will do its own EKG, its own blood work and they will ask for six or seven specific pieces of medical information. The same is true for EMTs. Very few want the entire medical record.

Dr. Cohn, also a board-certified practicing emergency physician, said he would basically like to know if there was a DNR order in the file or drug allergies listed. Sometimes he would request an old EKG if it is pertinent.

Mr. Gellman told Ms. Glazebrook he had trouble accessing MedicAlert’s privacy page and said the disclosure statement is really incomplete. Then Mr. Gellman told Calvin Wiese of HealthMagic that the most disturbing thing he saw is the site’s connection to because that site is not that sensitive to privacy issues. Mr. Wiese responded that the site’s home page and its medical storage systems are hosted and housed by completely different servers. He also said the site doesn’t use DoubleClick and has no plans to service a third party. Mr. Gellman suggested HealthMagic designate a privacy officer in the company because unless this is an important position invested with clout and decision-making power, the privacy people always lose out to the marketing and finance departments.

Mr. Gellman then asked Ms. Janlori Goldman to advise consumers about how or whether to use these sites.

Ms. Goldman said the report speaks for itself, but the keyword is “caution.” She said look for a privacy policy and read it. And then be extremely careful about the information you share. The policy should be enforceable and be part of a chain of trust. She said there should be a system-wide agreement about the basics that must be included in a privacy policy so that a user doesn’t have to read it each time he/she wants to log on to a health website or check their personal medical file. She believes that voluntary compliance is not enough in the industry and that there must be some kind of regulation that weeds out the bad actors.

But that kind of regulatory framework will take at least two years to set up; meanwhile, the industry must police itself.

Mr. Gellman raised the question of international privacy standards, noting that MedicAlert has clients in 12 other countries and that the EU has tighter rules governing the Internet. MedicAlert’s Ms. Glazebrook said her company was in compliance with the stricter EU rules and had to conform when they merged Scandinavian operations into the British Isles.

Ms. Goldman said she hoped that the EU’s data protection directive would drive the development of privacy policy in the US, but said she wasn’t sure that had happened. It would certainly help international business to have a standard policy rather than to have to review and comply with literally hundreds of different sets of rules around the world.

Dr. Cohn commented that what bothered him most in all the discussion was the implication by many subcommittee members that there was an inconsistency between privacy policies and actual policies. How does self-policing work in this environment?

Ms. Goldman said this inconsistency is disturbing and may be the trigger for FTC action. Meanwhile, Internet companies can use an outside audit to make sure that business partners are bound to the same rules and actually enforcing them rather than using intentionally deceptive practices. The technology makes certain disclosure possible, but it is not necessarily easy, Goldman said.

Dr. Zubeldia asked Mr. Weise to explain his company’s business plan as it relates to “data mining and analysis” and its effect on privacy.

Mr. Weise said his site should be able to do aggregated analysis of health information on a non-identifiable basis, but that consumers should have an opt-out right.

Dr. Zubeldia then asked if PersonalMD is maintaining personal health information on the Internet if the company is looking at using “some sort of medical record standard to share or integrate this information with the medical establishment.” This refers to the Holy Grail of Internet integration. Mr. Weise said although the issue of integration is critical they haven’t figured out how it will work or whether there will be a de facto standard for information transmission.

Dr. Booth said his company currently has no plans to do that. Many physicians dream of a totally-integrated electronic medical record system, but technical barriers continue to stall its becoming a reality.

(The meeting recesses for a one-hour lunch break)

The afternoon session includes the following panelists:


Mr. Smith briefed the subcommittee on his work looking at a study of the privacy policies and practices of 21 different e-health websites, funded by the California HealthCare Foundation. The study focused on the amount of data collection at these websites and how this information is then rented out or transmitted to other sites by way of DoubleClick “cookies,” which are basically customer ID numbers which DoubleClick creates without the knowledge of the site visitor. The private health information is then translated into targeted advertisements, customized emails for smokers, diabetics, asthmatics and other users with specific problems.

He said as of February 1, sites like did not inform users in their privacy policy about what was being done with their personal data. Often, if the user is a technical person, they can find out if these cookies are being used, or if the site is being served, by checking in the banner ads or looking at the HTML source code for specific language identifying who is capturing or transferring data.

Mr. Smith said “an amazing amount” of sensitive health information gets transferred over the Internet, much of it through personal health surveys or questionnaires or even when people register as a site visitor. DoubleClick also offers contests and surveys as a way of luring people to share sensitive information that can be sold or traded. Mr. Smith said DoubleClick should be required to provide ads from a different domain without a cookie so the information cannot be correlated back to a specific user. That way, Smith said, “If I have chosen to register with their service or with Net Deals, no correlation is possible.” This would be one technical way of avoiding identifiable health information leaking all around the Internet.

Mr. Blair said his group has begun an “urgent” discussion about what really IS non-identifiable information and where the boundaries are. He asked Mr. Smith if it would make sense to press websites on a precise definition of identifiable/non-identifiable information. Mr. Smith said yes and said “disclosure” to the user is key, as is having regulations in place limiting data collection and storage practices.

Dr. Zubeldia asked if any of the e-health websites Mr. Smith reviewed are using FTP instead of HTTP to serve the information. Smith said no, most are using secure (SSL) HTTP, because FTP used to reveal the user’s email address before Netscape 3 fixed the problem. Mr. Smith also said that the AltaVista search engine is DoubleClick’s largest customer and there is no discussion in DoubleClick’s privacy information about this relationship with partner AltaVista. Mr. Smith also said that sophisticated computer users can use sleuthing devices called “packet sniffers” or spy and sleuth software to see who is following them from site to site (using a web bug), or spying on their consumer behavior. But, he said, these are tools typically reserved for programmers.

Mr. Gellman asked if there were prospects that a privacy-friendly browser would soon be developed. Mr. Smith said that Netscape is trying to do just that and others are calling for an international privacy code. But the problem is that Microsoft controls about 80 percent of the browser market and no one is sure they are going to tackle this Internet privacy and security problem in a timely and transparent manner.

Mr. Smith said that on some websites, users know information is going to DoubleClick because it is in the URL line, but on other sites, like, the URL doesn’t say DoubleClick but it still goes there. Disclosure of the relationships with DoubleClick and other partners is what’s needed, he said.


The California HealthCare Foundation is a three-year-old philanthropy that resulted from the conversion of Blue Cross of California to a for-profit health plan. Mr. Karp described a study the group did with Consumers Union about Internet privacy concerns, which surveyed consumer attitudes about the confidentiality of their medical records. Among some of the findings:

One-sixth of all adults admitted taking steps to protect the privacy of their medical records. These steps included: going to a doctor outside their insurance network, paying out of pocket, asking the doctor not to write down certain confidentialities and not seeking care at all.

The foundation also published “Promoting Health, Protecting Privacy Primer,” which they distributed widely to health consumers and practitioners in California. They also contracted with The Institute for the Future to do a five-year forecast on health care and the Internet.

Mr. Karp said the survey by Cyber Dialogue of New York confirmed the privacy concerns of the average American Internet user and underlined the fact that many are suspicious of the ethics of many websites, uncertain whether their information is protected under state or federal laws, and confused about who, if anyone, should regulate the collection and distribution of Internet information. Cyber Dialogue estimates that some 34 million Americans currently use health Websites, with the number expected to jump to 52 million by 2003.

He said the three main privacy concerns were that: a site would share confidential health information with a third party without permission (75%); someone other than the person to whom email is addressed is reading it (65%); a hacker will break into personal information (59%).

Mr. Karp said these results are very different from those of another survey they conducted. The second survey looked at people’s attitudes prior to health activity on the Internet. In fact, 90% of these people would be willing to exchange email addresses, provide their gender, name and even a favorite color to get more personalized services. And while users don’t seem to mind anonymous consumer profiles done to assist personalized shopping, they do not want this personal information shared with a third party in ways that identify them.

On-line users are extremely concerned about health information getting to insurance companies. A full 70 percent said they were afraid that sharing this information would cause an insurer to limit or amend coverage. Similarly, 55 percent did not want health information getting back to employers. They didn’t even want them to know of their on-line activities. This is ironic, Mr. Karp said, because most servers are controlled by employers with dedicated high-speed access and can track every time a worker visits a specific site. Employers can also access email and many do. Eighty percent surveyed said they would trust a health site more if it was recommended by a doctor, by the National Institutes of Health or by a trusted name in medicine like the Mayo Clinic.

A majority said that having a seal of approval from one of the trade groups such as HON or Trust-E had no impact on their confidence about how well the site protected health material. In fact, Mr. Karp said that of the 21 sites surveyed, seven, where serious problems were found, had Trust-E seals on their privacy policies. Mr. Karp discussed the idea of third-party audits to keep information secure and asked if it was possible to find a technological solution that would look not just at health Websites but at how it is being protected in the managed care environment, in the networks of information clearinghouses, where most of the paper and electronic records are being processed, and in medical groups, laboratories and pharmacies. That is the real challenge facing the committee and the consumer of medical information, he said.


Dr. Musacchio gave the committee an overview of AMA/Intel digital credentials projects by saying that AMA is working with Intel to deploy a new form of electronic credential that will protect physician and patient privacy and confidentiality. The credential will help authenticate doctors who engage in a health care interaction, whether in an email, an electronic patient consultation, by sending a prescription to pharmacies or by sharing information with other medical providers. He said the AMA is within months of issuing such a digital credential to physicians. He said this credential would function on-line the way a driver’s license or passport functions in the paper world. Dr. Musacchio said such a credential will strengthen patient privacy and unburden both patients and doctors of some of the administrative load of managing health care today.

The decision to issue such an electronic medical passport grew out of a 1998 AMA report as well as out of a survey the same year which found that 93 percent of all doctors have access to the Internet, 96 percent of those physicians had modems, and 76 percent use communications software. The AMA/Intel is using the AMA database maintained for years on America’s doctors, which includes files on 850,000 AMA members, non-members and all active and inactive doctors in US territories. It has been kept for 50 years. Doctors know the data is being collected and have an opt-out function. Dr. Musacchio said the AMA is using service providers such as Healtheon WebMD, and MedQuest to make the credential an integral part of their operations.

He emphasized that while fast-moving Internet technology offers great promise and has the potential of doing for health care and health access what electronic transactions have done for banking, stocks and book buying there remain great challenges for the medical and e-health sites. Musacchio said the AMA believes digital credentials will resolve some consumer

(a) Agenda Item: Panel 2 -- Christine Varney J.D., Partner, Hogan and Hartson

Ms. Varney chairs the Internet practice group at her law firm, and chairs a coalition called the Online Privacy Alliance which deals with privacy in the commercial sector on-line. Recently, she advised more than a dozen leading e-health care companies about consumer concerns and about the best practices to use regarding ethics and integrity on health sites. This group, Health Internet Ethics, or HI Ethics, all agreed that Internet users deserve high quality content, responsible advertising and protection of personal health information and they are developing a set of ethics principles. HI Ethics includes representatives from: Healthwise, Adam.com, Allhealth.com, Ivillage’s Health Channel, AOL,, Care Insight,,, Healthcentral.com, Healtheon and WebMD, Healthgate, Healthwise, intellihealth, Laurashealth, Medscape, Onhealth, PlanetRx, Wellmed, and

Besides wrestling with an ethics code, the group is looking at a question that is blurred by the Internet: who is a health provider on-line and who is not? For example, PlanetRx and both sell health products as well as non-health related products.

She said that many commercial entities who once advocated self-regulation of their sites now realize that sensitive data -- defined as medical or health data, financial data and data relating to children -- need a different set of rules, including tighter privacy and security guarantees. Ms. Varney said they want to come up with a framework so that consumers and providers can cooperate and feel secure in the new technological environment.

She said they were greatly influenced by the work of the California HealthCare Foundation on privacy. Two types of activities they focused on were the intentional and unintentional distribution of data to third parties without disclosure. Ms. Varney said she was disturbed by the amount of unintentional “leakage” or data transfer that seems to be going on, the prevalence of sloppy carelessness. She said the HI Ethics Coalition is not about proposing or passing legislation, but about identifying the best practices for guaranteeing privacy and Internet site security. Her committee hopes to have these draft regulations by late April and will seek more input from the NCVHS subcommittee at that time.

Agenda Item: Panel 2 -- John Mack, MA, MS, MPhil, President, Internet Healthcare Coalition

Before proceeding with his comments, Mr. Mack disclosed his work for Mediconsult, a website that is involved with HI Ethics. He said the Internet Healthcare Coalition was founded in 1997 as a non-partisan international non-profit organization to promote quality health care resources on the Internet. The group also worked with the California HealthCare Foundation on the privacy and ethics survey. He agrees with the survey’s conclusion: “the data point to the urgent need for a thoughtful, thorough, and fair discussion of ways to secure individual privacy, foster strong ethical behavior and harness the incredible power of the Internet to improve the quality of health care.”

Mr. Mack said that George Lundberg, the former editor of JAMA, also called for international standards that can be easily and commonly accepted and that the Healthcare Coalition responded with an e-health code of ethics which it released in draft form February 18, 2000 following a summit in Washington, DC. Informed consent, opting in, rather than opting out, and how to get web health organizations to live up to their obligations to safeguard users’ privacy, were all issues that came up. Commercial practices were covered as well.


Dr. Zubeldia observed that in the information from the California HealthCare Foundation, which shows 629 pages retrieved in 50 searches, 99 percent did not disclose conflicts of interest, which seems a basic ethical principle. How will this be incorporated into practice?

Mr. Mack said the coalition is not a standards organization, but is looking at other groups with experience in accreditation and will perhaps propose a code of ethics and a set of standards as part of any accreditation process. He also suggested that websites create a chief ethics officer or CEO, to police such matters and to resolve conflicts of interest.

Dr. Zubeldia asked Dr. Musacchio if his group was considering credentialing nurses, pharmacists, even patients with a digital identifier. Dr. Musacchio responded that if the digital credential technology proves successful the AMA might approach other professional groups to create such credentials.

Dr. Zubeldia asked how the privacy of that credential would be protected. He mentioned that the Drug Enforcement Agency is looking at issuing something similar for all doctors who have a DEA number. But would the license be put inside the certificate or the DEA number inside the certificate? What will tell the recipient that this is indeed a physician and still protect identity pieces that the physician may want to keep private?

Dr. Musacchio deferred to Ms. Scott, who said the model the AMA is using isn’t necessarily taking those data into the certificate. It will not be widely visible to the health site.

Dr. Zubeldia said the certificate is only part of the solution. There also has to be software that uses the certificate for a digital signature or access control. Is this going to be an open standard or will it require Intel software to be installed at all places that use the certificate?

Ms. Scott said the technology we are using is standard digital certificate PKI technology -- an X.509v3 certificate. The policy implementation with the AMA is a bit different in that they are trying to manage a network. Concerns about risk management and setting up a system so that you can allocate risk between all parties without putting all liability on the physician is paramount, she said.

Dr. Zubeldia asked for applications, and Dr. Musacchio said if WebMD/Healtheon is a customer, this credential will be used to gain access and to execute those transactions. However, the business rules remain with Healtheon/WebMD. Dr. Zubeldia commended the presenters and urged other associations to follow AMA’s lead, provided they have a trusted identity piece that still protects the privacy of the holder of the identity piece.

Dr. Cohn said the term “leakage” is a good one to describe the inadvertent and unauthorized disclosure of health care information. He asked if part of the solution would be to try and extend or expand current HIPAA regulations.

Ms. Varney deferred to her colleague, Donna Boswell, who has worked extensively on HIPAA regulations and on this project. Ms. Boswell said she does believe that many agree that the basic structural things included in the proposed HIPAA rulemaking will work within the principles context. But some of the rules appropriate to providers don’t really carry over to the health information websites. “At this point we are not asking for the NPRM to be broadened and expanded, but we expect to see a lot of similarity,” she said. Ms. Boswell authored in large part the Online Privacy Alliance regulations (www. which might be helpful to the subcommittee.

Mr. Gellman congratulated various presenters and said the slide show and the poll showed people are very suspicious of the ethics of Websites. Are their fears justified?

Mr. Karp said he has been encouraged by a two-day e-health ethics summit he attended and by the statements and actions made by some of the health websites identified and in the need to change more. “It’s one thing to disclose a bad practice; it’s another to hide it,” he said, adding that the media has picked up on this difference and is playing an important disclosure role. He said the fact that the FTC is looking at these issues seriously, especially as they pertain to deceptive business practices, is likewise encouraging. The discovery of various security leaks allowed Mr. Karp’s group to notify all the companies before the report came out, so they could address the possibility of databases being accessed (or compromised) without proper authentication. Most leaks were immediately fixed. Mr. Karp said another good development is the number of companies talking with each other to address these security and privacy issues, but he noted the world is changing very fast. There are mergers every week which complicate things.

Mr. Gellman notes that there would seem to be a “dynamite business in developing a privacy browser” and said there would be a tremendous market for a browser that really prevented the disclosure of information, gave people more control or just stopped some things, like “leakage” from happening. Leakage appears to be “wanton indifference” and it happens when companies don’t care what happens with sensitive data. He asked Ms. Varney if she represents DoubleClick.

Ms. Varney said that is a matter of lawyer/client privilege, but noted she represents Online Privacy Alliance, which DoubleClick has engaged, as well as 24-7 and many other companies in the alliance.

Mr. Gellman suggested that Ms. Varney does work for DoubleClick and for companies that are DoubleClick’s customers, and that this constitutes a conflict of interest, and is a matter of some concern to members of the Hi Ethics group. He asked Ms. Varney if she could offer any assurance that this isn’t going to be another industry-run, industry-controlled privacy policy generator, just like the policies out of the DMA or the IRSG or OPA, which is better than some but not that good.

Ms. Varney said she could not offer that assurance. This is a group of e-commerce companies that is trying to take the highest ethical standards that are established by groups like the Internet Healthcare Coalition, as well as their own standards, and adopt them to commercial space.

Mr. Gellman said we will wait to see the outcome, but we have yet to see an industry group come out with a privacy policy that meets international practice standards. Dot.coms have an interest that potentially puts them at odds with those people in the broader, more internationally diverse group represented on the Internet Coalition.

Ms. Varney said she does not see a conflict, that the dot.coms’ goal is to create trust and confidence in what they are doing and that means they need to promote the highest ethical standards.

Mr. Mack said he also does not see a conflict. Both groups have special needs and they need to address them before they bring the issues to an open forum. He said, he thinks they are all flying in the same direction and have had some influence on each other by bringing different stakeholders together.

Mr. Gellman said to Mr. Mack: your group has published a draft code for public comment. Will HI Ethics do the same?

Ms. Varney said that is their intention, although they will not accept anonymous comments.

Dr. Zubeldia commented to the entire panel. During the interoperability pilot (on PKI technologies to see what does and does not work), when it came to products like the browsers or the email products, most of them don’t even implement certificate revocation, and those that do have such a cumbersome process it is impossible to use. Most don’t implement security access integrated with the certificates. It is just a function, but not an integrated one. They couldn’t practice what they were preaching and Dr. Zubeldia sees some parallels now in principles espoused in website privacy statements which are not put into practice in the on-line world.

Ms. Varney responded that one of the things they can do is to prosecute those who do not live up to what they said they would do in their privacy statements. (Ms. Varney is a former FTC commissioner.) They can be prosecuted under fraud and deception statutes, by the FTC, the Department of Justice and by 50 state attorneys general. That is one reason to insist that companies post their privacy practices. More enforcement is also needed, along with more federal and state money dedicated towards policing these practices. Passing new laws is never enough without the enforcement tools. Disclosure is the key. The FTC has already brought several prosecutions as have states and private parties. The law is quickly evolving in this area.

Mr. Mack said everyone is thinking about the 20 or so big commercial Websites and it should be pretty easy to monitor them because they get a lot of traffic. You can’t regulate all the sites where consumers go, and it is not a solution to force sites to post a privacy policy. Desperate people will go wherever they feel they need to so as to find information they want. Consumer education has to be a big component of whatever approach is adopted. He noted the example of the World Health Organization’s attempts to regulate the cross border sale of pharmaceutical products. WHO wanted every single website registered with appropriate agencies in the country where the business was being transacted. The WHO didn’t just mean the companies who were selling the products but every site that offered information. We found this to be a violation of free speech, with a very chilling effect. We decided consumer education was a big piece of the puzzle, and that we needed to teach them how to report health fraud on the Internet.

Dr. Musacchio added that not only do you have to educate consumers, but also the people who are running and maintaining the sites so they won’t be guilty of willful disregard, and leakage of sensitive material. People don’t always understand the consequences of their laziness or carelessness. He said eventually there will be trusted brands on the Internet just like there are in the bricks and mortar world. And they will be the ones that adhere to very strict policies and procedures.

Mr. Karp concurred with previous remarks and then remarked that the next “sleeping giant” is probably the issue of content and the blurred line that often occurs between what is scientific or medical information and what may be promotional or marketing. He cited a family illness and his search for health information on the Internet. Even though Mr. Karp described himself as an experienced Internet browser, it was often difficult to discern which site he was on and what the source for the information actually was. So he was pleased HI Ethics is also addressing source content.

Dr. Musacchio added that the guidelines on the need to disclose still need to evolve as does a clear distinction between advertising and scientific content which are often juxtaposed in a deliberately misleading way which tends to give authentication to material on websites. An example would be Nicorette advertising juxtaposed next to a survey that gives credibility or an endorsement of the product. As in the paper world, advertising and content should not be in the same well, he said.

Mr. Gellman thanked Gracie White and Gail Horlick for their outstanding work on the hearing. He commented on actual enforcement vs. threat of enforcement, by saying, “If I had a dollar for every time a business person talked about FTC enforcement of privacy laws, I could fly everyone in the room to Paris First Class. If I had a dollar for every time the FTC actually brought a privacy case, I could buy a hot dog.” Nevertheless, he said the states have been more aggressive in taking these cases to court. Trial lawyers are doing an important part, and he said he wouldn’t be surprised if as a result of the California HealthCare Foundation report, there are not more lawsuits filed against some of the companies for violating their own privacy policies. Mr. Gellman added that another encouraging development is what happened to DoubleClick on Wall Street, where the stock took a beating, an indication that companies without decent privacy statutes and follow through will be hurt financially. If, on the other hand, Wall Street rewards businesses with bad privacy practices, then legislation will be the only alternative.

Ms. Frawley thanked the panel for a very informative discussion and adjourned the meeting at 3:30 p.m.

I hereby certify that, to the best of my knowledge, the foregoing Summary of minutes is accurate and complete.

/s/ Kathleen Frawley, Chair
Date: 9-11-00