Net Gains — Recognizing and Managing Website Risks

November-December 2001


Mr. Lawry is president, Verus, Bellevue, WA.

Once upon a time, the Internet was like the American frontier. It provided lots of opportunities with very few restrictions.

But today things have changed. The Internet continues to offer great opportunities for health care organizations to connect with consumers and improve operations. There is, however, a growing set of rules, laws, and protocols designed to protect both Web users and health care organizations that create consumer-oriented websites.

Developing and launching a website today involves exposing one's organization to certain types of risk, most of which can be easily managed with basic planning and an eye towards risk prevention. Health care leaders should, however, be aware of the risks associated with owning and managing a website and develop standards and policies to reduce them.

Following are some of the key website risks, along with recommendations for managing them.

Following HIPAA Electronic Data Security Standards
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated the creation of electronic data security standards. These standards affect certain types of health information that is transmitted or maintained electronically by health care providers, health plans, or health care information clearinghouses.

As a health care facility or organization moves to replace its static website with one providing such interactive and transactional features as online registration and scheduling, the organization's HIPAA compliance officer should review these services to ensure that they are in keeping with the same standards used elsewhere in the organization.

Collecting and Using Non-HIPAA-Protected Information
Hospital websites also collect other types of information. They may, for example, collect information that users have inadvertently provided when bookmarking a hospital site or voluntarily provided when registering to receive information, such as an e-mail newsletter.

Another way in which personal information is automatically collected, without the user necessarily being aware of it, is through what are known as "cookies." Cookies are bits of data put on a computer's hard disk when a user happens to visit certain sites. Cookies can contain virtually any kind of information, for example, the date the user last visited the site, the user's favorite sites, and other "customizable" information. Cookies allow a website to be customized to fit the preferences of the user. With a cookie, one can also track a user's progress through a series of sites, thereby compiling a set of statistics concerning the types of sites the user prefers.

Hospitals that create such sites should develop — and publish on these sites — a policy spelling out the types of information that is being collected and the uses to which this information will be put. By doing so, the hospital will reduce its legal risks and increase the confidence of privacy-conscious users.

Misusing Information Found on Websites
Today consumers are going online in record numbers to look for information about medical conditions that affect themselves or loved ones. Hospitals have an opportunity to provide credible health content and, at the same time, increase consumer awareness of their services. But hospitals should make it clear that any health content found online has limitations and should not be construed as medical advice. Although this may seem obvious, many hospitals do, in fact, put health content on their sites without disclaimers concerning how such information may be used.

All health content placed on a hospital website should include a "Terms of Use" statement containing appropriate disclaimers about how the information is used. Such statements should clearly state that the information offered should never be used in lieu of seeking professional medical care.

Maintaining Chat Rooms and Message Boards
Chat rooms and message boards are "places" on a website where users with common interests can go to communicate with each other. Although such forums can be beneficial to users, they can also pose legal risks for their sponsors. A hospital might subject itself to a liability lawsuit if it should happen to establish or sponsor a chat room or message board on which erroneous medical information is disseminated by either hospital staff or ordinary site users.

In fact, a hospital may incur different types of risk depending on whether or not it moderates or monitors its chat room or message board. Monitoring chat room content helps to limit inappropriate communications, but it may also cause the hospital to assume greater responsibility for that content and, as a result, increase its potential liability.

A hospital that provides or supports online chat groups or other forums should develop and publish a policy clearly stating the extent to which it assumes responsibility for content found in the chat room. The policy should also include internal guidelines for the use and management of such online forums.

Linking to Other Websites
A wealth of health information is available from a variety of online resources. Many hospitals provide links to other websites providing such content. In this situation, a user clicks on a part of the hospital's website and is taken to another, a site neither owned nor controlled by the hospital.

Although linking to other websites is a common practice, it raises several potential issues for the institution creating the link. Linking to a site without the formal approval of its owners is a potential infringement of copyright or trademark laws. Such links also raise the issue of quality control, especially if the entity doing the linking has not first evaluated the content of the sites being linked to.

A hospital wishing to link its site to others should begin by establishing criteria for evaluating the latter's content. One way to play it safe is by linking to high-quality content in the public domain — for example, resources provided by the U.S. Centers for Disease Control and Prevention, the National Cancer Institute, and other federal agencies. A hospital wishing to link to resources developed or sponsored by private organizations (the American Cancer Society, for instance) or to a for-profit health portal should first secure written permission. In any case, the hospital site's "Terms of Use" policy should spell out its position on linking to other sites.

If a hospital keeps these caveats in mind, it will find linking to be a low-risk way to direct its site's users to those of other credible, high-quality health information providers.

Aligning Site Content with Hospital Values
A hospital can acquire from content vendors a wide array of high-quality health information for use on its website. However, it should evaluate this material for clinical accuracy and the values of the hospital and its sponsors.

Unfortunately, some hospitals have discovered — after signing formal agreements with vendors — that the licensed content is not in keeping with the organization's ethical directives. A hospital should review all health content and information on its website to ensure material is presented in a manner consistent with the core values of the facility and its sponsors.

Guarding Against Fraud and Abuse
For many hospital websites, providing information about physicians with admitting privileges is an important function. Posting such information educates users about the physicians' specialties, thereby increasing the likelihood that the users will one day enlist the physicians' services.

Federal and state governments have begun to scrutinize the various kinds of physician information put on hospital websites, trying to decide whether some links between those sites and physician sites might violate fraud and abuse statutes. To date, no prosecutions have occurred; the application of state and federal law prohibiting kickbacks and physician self-referrals is as yet in its early stages and needs to be closely watched.

Hospitals remain free to develop and maintain physician directories that list those on staff and provide information about their backgrounds. However, to ensure that such directories comply with laws or regulations concerning patient referrals, hospitals should review those that go beyond the provision of background information.

Protecting Trademarks and Intellectual Property
Every hospital website contains elements that are considered "intellectual property," including organizational names, logos, domain names, copy and content, images, and design. But the Web is an open medium that allows anyone to use a site's content and services. So a hospital that takes certain actions to protect its online intellectual property reduces the risk of having someone plagiarize or otherwise misuse its name, reputation, and property.

Placing copyright notices on the website is one such action. Another is registering the site's content with the U.S. Copyright Office. "Domain names" can also be registered as a trademark.

Ensuring Accessibility for the Disabled
Application of the American with Disabilities Act (ADA) to the Internet is another emerging issue. The federal government has ordered all agencies to make sure their websites comply with ADA standards. Although this mandate applies only to federal sites, hospitals should also consider implementing basic standards that allow people with visual and other impairments to use their sites.

A hospital site should, at a minimum, have programming standards allowing visually impaired visitors to use special devices (rather than relying on the graphics and images that nonimpaired users employ) to access the site.

Health care leaders, in their hurry to get web services launched, often forget to develop and enforce standards to guide the management of a website. Leaders who take the time to be aware of potential issues and to develop standards to reduce potential operating risks will be more successful than others in ensuring a high level of quality to those they seek to serve.

Contact Tom Lawry at 4628 175 Ave., SE, Bellevue, WA 98006; phone: 425-643-7117; fax: 206-643-0302.


Copyright © 2001 by the Catholic Health Association of the United States
For reprint permission, contact Betty Crosby or call (314) 253-3477.

Net Gains - Recognizing and Managing Website Risks

Copyright © 2001 by the Catholic Health Association of the United States

For reprint permission, contact Betty Crosby or call (314) 253-3490.