BY: THOMAS C. LAWRY
Mr. Lawry is president, Verus, Bellevue, WA.
Once upon a time, the Internet was like the American frontier.
It provided lots of opportunities with very few restrictions.
But today things have changed. The Internet continues to offer
great opportunities for health care organizations to connect with consumers
and improve operations. There is, however, a growing set of rules, laws, and
protocols designed to protect both Web users and health care organizations that
create consumer-oriented websites.
Developing and launching a website today involves exposing one's organization
to certain types of risk, most of which can be easily managed with basic planning
and an eye towards risk prevention. Health care leaders should, however, be
aware of the risks associated with owning and managing a website and develop
standards and policies to reduce them.
Following are some of the key website risks, along with recommendations for
Following HIPAA Electronic Data Security Standards
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated
the creation of electronic data security standards. These standards affect certain
types of health information that is transmitted or maintained electronically
by health care providers, health plans, or health care information clearinghouses.
As a health care facility or organization moves to replace its static website
with one providing such interactive and transactional features as online registration
and scheduling, the organization's HIPAA compliance officer should review these
services to ensure that they are in keeping with the same standards used elsewhere
in the organization.
Collecting and Using Non-HIPAA-Protected Information
Hospital websites also collect other types of information. They may, for example,
collect information that users have inadvertently provided when bookmarking
a hospital site or voluntarily provided when registering to receive information,
such as an e-mail newsletter.
Another way in which personal information is automatically collected, without
the user necessarily being aware of it, is through what are known as "cookies."
Cookies are bits of data put on a computer's hard disk when a user happens to
visit certain sites. Cookies can contain virtually any kind of information,
for example, the date the user last visited the site, the user's favorite sites,
and other "customizable" information. Cookies allow a website to be customized
to fit the preferences of the user. With a cookie, one can also track a user's
progress through a series of sites, thereby compiling a set of statistics concerning
the types of sites the user prefers.
Hospitals that create such sites should develop — and publish on these sites — a
policy spelling out the types of information that is being collected and the
uses to which this information will be put. By doing so, the hospital will reduce
its legal risks and increase the confidence of privacy-conscious users.
Misusing Information Found on Websites
Today consumers are going online in record numbers to look for information
about medical conditions that affect themselves or loved ones. Hospitals have
an opportunity to provide credible health content and, at the same time, increase
consumer awareness of their services. But hospitals should make it clear that
any health content found online has limitations and should not be construed
as medical advice. Although this may seem obvious, many hospitals do, in fact,
put health content on their sites without disclaimers concerning how such information
may be used.
All health content placed on a hospital website should include a "Terms of
Use" statement containing appropriate disclaimers about how the information
is used. Such statements should clearly state that the information offered should
never be used in lieu of seeking professional medical care.
Maintaining Chat Rooms and Message Boards
Chat rooms and message boards are "places" on a website where users with common
interests can go to communicate with each other. Although such forums can be
beneficial to users, they can also pose legal risks for their sponsors. A hospital
might subject itself to a liability lawsuit if it should happen to establish
or sponsor a chat room or message board on which erroneous medical information
is disseminated by either hospital staff or ordinary site users.
In fact, a hospital may incur different types of risk depending on whether
or not it moderates or monitors its chat room or message board. Monitoring chat
room content helps to limit inappropriate communications, but it may also cause
the hospital to assume greater responsibility for that content and, as a result,
increase its potential liability.
A hospital that provides or supports online chat groups or other forums should
develop and publish a policy clearly stating the extent to which it assumes
responsibility for content found in the chat room. The policy should also include
internal guidelines for the use and management of such online forums.
Linking to Other Websites
A wealth of health information is available from a variety of online resources.
Many hospitals provide links to other websites providing such content. In this
situation, a user clicks on a part of the hospital's website and is taken to
another, a site neither owned nor controlled by the hospital.
Although linking to other websites is a common practice, it raises several
potential issues for the institution creating the link. Linking to a site without
the formal approval of its owners is a potential infringement of copyright or
trademark laws. Such links also raise the issue of quality control, especially
if the entity doing the linking has not first evaluated the content of the sites
being linked to.
A hospital wishing to link its site to others should begin by establishing
criteria for evaluating the latter's content. One way to play it safe is by
linking to high-quality content in the public domain — for example, resources
provided by the U.S. Centers for Disease Control and Prevention, the National
Cancer Institute, and other federal agencies. A hospital wishing to link to
resources developed or sponsored by private organizations (the American Cancer
Society, for instance) or to a for-profit health portal should first secure
spell out its position on linking to other sites.
If a hospital keeps these caveats in mind, it will find linking to be a low-risk
way to direct its site's users to those of other credible, high-quality health
Aligning Site Content with Hospital Values
A hospital can acquire from content vendors a wide array of high-quality health
information for use on its website. However, it should evaluate this material
for clinical accuracy and the values of the hospital and its sponsors.
Unfortunately, some hospitals have discovered — after signing formal
agreements with vendors — that the licensed content is not in keeping with the
organization's ethical directives. A hospital should review all health content
and information on its website to ensure material is presented in a manner consistent
with the core values of the facility and its sponsors.
Guarding Against Fraud and Abuse
For many hospital websites, providing information about physicians with admitting
privileges is an important function. Posting such information educates users
about the physicians' specialties, thereby increasing the likelihood that the
users will one day enlist the physicians' services.
Federal and state governments have begun to scrutinize the various kinds of
physician information put on hospital websites, trying to decide whether some
links between those sites and physician sites might violate fraud and abuse
statutes. To date, no prosecutions have occurred; the application of state and
federal law prohibiting kickbacks and physician self-referrals is as yet in
its early stages and needs to be closely watched.
Hospitals remain free to develop and maintain physician directories that list
those on staff and provide information about their backgrounds. However, to
ensure that such directories comply with laws or regulations concerning patient
referrals, hospitals should review those that go beyond the provision of background
Protecting Trademarks and Intellectual Property
Every hospital website contains elements that are considered "intellectual
property," including organizational names, logos, domain names, copy and content,
images, and design. But the Web is an open medium that allows anyone to use
a site's content and services. So a hospital that takes certain actions to protect
its online intellectual property reduces the risk of having someone plagiarize
or otherwise misuse its name, reputation, and property.
Placing copyright notices on the website is one such action. Another is registering
the site's content with the U.S. Copyright Office. "Domain names" can also be
registered as a trademark.
Ensuring Accessibility for the Disabled
Application of the American with Disabilities Act (ADA) to the Internet is
another emerging issue. The federal government has ordered all agencies to make
sure their websites comply with ADA standards. Although this mandate applies
only to federal sites, hospitals should also consider implementing basic standards
that allow people with visual and other impairments to use their sites.
A hospital site should, at a minimum, have programming standards allowing
visually impaired visitors to use special devices (rather than relying on the
graphics and images that nonimpaired users employ) to access the site.
Health care leaders, in their hurry to get web services launched, often forget
to develop and enforce standards to guide the management of a website. Leaders
who take the time to be aware of potential issues and to develop standards to
reduce potential operating risks will be more successful than others in ensuring
a high level of quality to those they seek to serve.
Contact Tom Lawry at 4628 175
Ave., SE, Bellevue, WA 98006; phone: 425-643-7117; fax: 206-643-0302.
Copyright © 2001 by the Catholic Health Association of the United States
For reprint permission, contact Betty Crosby or call (314) 253-3477.