Patients must know the perils of online medical research

Aug 05, 2015
Browsers, Healthcare Industry, HIPAA

Doing simple medical searches online can leave consumers vulnerable to a wide range of privacy compromises.

Confidentiality and privacy are important components of professional discussions about medical conditions, research and treatment. If a patient seeks information from his physician about erectile dysfunction treatments and drugs, for example, the patient’s request and their conversation are confidential and must be safeguarded. In the digital realm of health information, however, consumers are left to fend for themselves. The same inquiry, typed into a search box, could easily be collected and leaked by marketing companies and social media sites for advertising and other purposes.

Many of us seek out basic health information online when we develop unfamiliar symptoms or receive a new diagnosis. Worries about moles, lumps, infections or more serious issues can be given context and perspective with photos and in-depth explanations. The promise of the Internet is that answers to our questions are just a Web search and a few clicks away. In many ways, this technology has been a positive development. If people can access and educate themselves with the available information, well-informed, more health-literate patients can take better care of themselves. And, with an increasing shortage of doctors (Washington Post) who have less and less time to spend with those in their care, patients doing their own research may be unavoidable.

But these searches come with side effects. Companies track website visits in ways that may compromise individuals’ private medical information. This data is used most often to tailor advertisements directly to us, but it is also simply amassed by brokers and sold to other institutions. At no point do consumers give consent for their medical inquiries to be accessed, or consent is hidden in the fine print of unilateral terms of service agreements, which raises important ethical questions about how medical data is protected today.

Many websites frequented by consumers for health information transmit their uniform resource identifiers (URIs) to third parties in ways that are invisible to users. These URIs may contain information identifying specific symptoms, diseases, or treatments. The third party, such as Google, could trace this information back to the individual searcher and make inferences about a person’s health status. A recent study by Timothy Libert (UPenn) shows the extent of this type of data collection. Libert wrote a computer program that analyzes how websites share information – the results are troubling.

According to Libert’s findings, the companies collecting the most health data include Google, Facebook, Twitter and Amazon. Eight of the 10 biggest data harvesters use the information for advertising or data brokering. For example, when a user visits a page (e.g., that page may send an information request to a third party. If the search were for erectile dysfunction, the URI would look like this — — and be coupled with identifiable user information. In the case of WebMD, this bundle of information may be sent to 34 different domains seeking this data that would allow them to see that the user is searching for erectile dysfunction treatments. Though some sites use secure requests that cannot be traced back to users, researchers at Microsoft found that sophisticated tracking techniques can identify users 80 percent of the time.
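The mechanism described above is easy to reproduce on a small scale. The script below is an added example, not Libert's program and not part of this article: it assumes that a page's URI reaches third parties in the HTTP Referer header of the requests a browser makes for embedded third-party resources (scripts, images, iframes, stylesheets), lists the third-party domains a sample page would contact, and shows which health-related terms from the page URI a site's Referrer-Policy setting would expose or withhold. The page URL, the HTML, the domain names and the term list are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin, urlunparse

# Constructed term list: words in a URI that reveal what the visitor looked up.
SENSITIVE_TERMS = {"erectile", "dysfunction", "hiv", "cancer", "depression"}


class ResourceCollector(HTMLParser):
    """Collects the URLs a browser would fetch while rendering the page."""
    TAG_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.TAG_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # <link rel="canonical"> and similar are metadata, not fetched resources.
        if tag == "link" and (attrs.get("rel") or "").lower() not in ("stylesheet", "preload"):
            return
        value = attrs.get(attr_name)
        if value:
            self.urls.append(value)


def registrable_domain(host):
    """Simplification: treat the last two labels as the site owner (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_domains(page_url, html):
    """Domains other than the page's own that receive a request when the page loads."""
    collector = ResourceCollector()
    collector.feed(html)
    first_party = registrable_domain(urlparse(page_url).hostname or "")
    found = set()
    for raw in collector.urls:
        host = urlparse(urljoin(page_url, raw)).hostname  # resolves "//cdn..." and "/path" forms
        if host and registrable_domain(host) != first_party:
            found.add(registrable_domain(host))
    return sorted(found)


def referer_value(page_url, policy):
    """Referer header a cross-origin HTTPS request carries under the given Referrer-Policy."""
    p = urlparse(page_url)
    if policy in ("no-referrer", "same-origin"):
        return None
    if policy in ("origin", "strict-origin", "origin-when-cross-origin",
                  "strict-origin-when-cross-origin"):
        return f"{p.scheme}://{p.netloc}/"  # origin only: path and query are withheld
    # "no-referrer-when-downgrade" (the browser default in 2015), "unsafe-url" or unset:
    # the full URL minus the fragment is sent, including path and query string.
    return urlunparse(p._replace(fragment=""))


def sensitive_terms(uri):
    """Health-related tokens present in the path or query of a URI."""
    p = urlparse(uri)
    tokens = re.split(r"[^a-z0-9]+", (p.path + " " + p.query).lower())
    return sorted({t for t in tokens if t in SENSITIVE_TERMS})


def leak_report(page_url, html, referrer_policy="no-referrer-when-downgrade"):
    """What the third parties embedded in the page learn from the Referer header."""
    sent = referer_value(page_url, referrer_policy)
    return {
        "third_parties": third_party_domains(page_url, html),
        "referer_sent": sent,
        "terms_exposed": sensitive_terms(sent) if sent else [],
    }


# Constructed sample: a condition page embedding an analytics script, an ad pixel and a social widget.
SAMPLE_PAGE_URL = ("https://health.example.org/conditions/erectile-dysfunction/treatment"
                   "?q=erectile+dysfunction")
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://health.example.org/conditions/erectile-dysfunction/treatment">
<script src="https://analytics.tracker-example.com/collect.js"></script>
</head><body>
<img src="//pixel.adnet-example.net/1x1.gif">
<iframe src="https://social.example-social.com/like?ref=x"></iframe>
<img src="/images/diagram.png">
</body></html>"""

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, leak_report(SAMPLE_PAGE_URL, SAMPLE_HTML, policy))
```

Run against the sample, the default policy hands three third-party domains the full page URI, and the terms "erectile" and "dysfunction" travel with it; with `strict-origin-when-cross-origin` (the default in current browsers) only the origin is sent, and with `no-referrer` nothing is. Removing the embedded elements eliminates the requests entirely, which is the stronger fix; a `Referrer-Policy` header is the cheaper one a site can deploy immediately.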

This tracking occurs at sites far beyond medical sites like the CDC or WebMD. Libert identified 80,142 specific Web pages with health information related to 1,986 diseases and conditions. These pages include newspaper articles, research facilities and discussion boards. A total of 70 percent of these pages’ URIs contain information identifying a user’s specific symptoms, diseases or treatments.

Given the lack of transparency, it is very likely that most people are unaware their health-related Web browsing is being harvested in this manner. Google, the biggest collector, owns data collection elements on 78 percent of the pages Libert studied, including non-profit, governmental and educational websites; Facebook owns 31 percent. These companies have a diversified stake in the health information market. Google Ventures, for example, has infused multiple rounds of capital into 23andMe, a personal genomics company that Scientific American described as “a mechanism meant to be a front end for a massive information-gathering operation against an unwitting public.”

This type of data collection is especially problematic because laws exist to protect the privacy of health information, long considered a physician’s sacred trust. However, the Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, is inadequate to meet the realities of how and with whom medical information is exchanged. No laws regulate what information companies may collect or how that information is amassed or secured. This lack of regulation leaves individuals vulnerable to a range of consequences—from breaches of privacy to discrimination against those who have (or are merely suspected to have) specific conditions.

In his paper, Libert suggests several remedies. He recommends non-profit, governmental and educational institutions remove data communication elements from their websites. Clear regulations could stipulate a maximum amount of time companies can store personal information. Also, individual software engineers could devote a percentage of their time to devising better safeguards for sensitive data.

These are good ideas, but we need a more proactive approach from the main stakeholders: providers and patients. For better or worse, the Internet is having an effect upon the doctor-patient relationship. The medical community cannot pretend that it doesn’t impact the patient, and the community shouldn’t wait for solutions from non-experts outside the medical profession. Concepts of privacy and confidentiality can be extended to the Web to account for how most people now learn and communicate. These changes would have to be imposed by regulators, since corporations sit outside the provider-patient relationship; however, providers can inform patients of consequences of these types of Internet searches.

Additionally, institutions like Mayo Clinic or Kaiser Permanente can create sources of information and start conversations in controlled, secured environments. Mayo Clinic, for instance, shows how medical experts can reach, educate and lead patients beyond the hospital. Its website has a secure login and links. Mayo is active on social media, hosts webinars, broadcasts radio shows and is even sponsoring a short film festival, Social Media in Healthcare.

The bottom line is that healthcare consumers must know the risks they unwittingly take doing Internet medical research and how their information may be compromised. Medical data is not like other data and not all sources of information are equally safe. Medical professionals should inform patients of these risks as a normal part of consultations. Providers, physicians and nurses have special authority and are uniquely positioned to develop ethical standards and practices that meet today’s demands.


Eric S. Swirsky, J.D., M.A., is the director of graduate studies and a clinical assistant professor in the Department of Biomedical and Health Information Sciences at the University of Illinois at Chicago.

Professor Swirsky’s scholarly interests revolve around the ethical conundrums that result from the use of health information technologies. In particular, Eric is interested in impacts upon clinical relationships, the delivery of health services, and end of life decision-making. Ethical issues surrounding the use of information technology in health care are manifold and complex. From the board room to the bedside to the bench, ethical issues flourish in the chasm created by incompatible values.

The opinions expressed in this blog are those of Eric S. Swirsky and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
