Privacy Issues related to H'I'P'A'A'

1
Privacy Issues related to H.I.P.A.A.

• George R. Milne
• University of Massachusetts Amherst

2
Privacy issues discussed

• HIPAA ensures that sensitive private information
  can be shared among health care providers, while
  at same time attempts to limit inappropriate data
  sharing.
• Provisions for information sharing are controlled
  through opt out mechanisms. Privacy notices are
  used to communicate these options.
• However, notices are often not read or understood

3
Outline

• Background on medical information and privacy
• Present results of a study that examines
  consumers willingness and ability to read the
  online privacy notices.
• Present data results that examine readability
  levels of online privacy notices

4
Consumer reactions to third party use of medical
information
5
Personal Medical Information Framework
High Information Sensitivity
Low Information Sensitivity
Potential for Risk and Concern
Low Risk and Concern
HighTrust
Potential for Risk and Concern
High Risk and Concern
LowTrust
Rohm and Milne, JBR (2002)
6
Consumers Reactions to Reading Online Privacy
Notices
7
Study 1 Why Consumers Read or Dont Read
Online Privacy Notices

• Privacy notices are an important means for
  reducing risk of the second exchange.
• The notice helps consumers decide if they want to
  disclose information, or whether to engage on a
  website.
• It behooves marketers to create a trusted
  environment to facilitate data exchanges.

8
Method

• Study was funded by research grant from Metromail
  law suit
• Harris online-a stratified random sample of 2468
  US adults from multimillion member panel
• Survey pretested with online study of faculty and
  staff at two universities
• Demographics match US online population

9
Conceptual Framework

• Consumers perform a simple risk-benefit
  calculation in deciding whether or not to
  disclose their personal information
• Reading a notice is related to trust of a notice
• Both reading and trust are influenced by
• Level of Privacy concern
• Perception of whether notices are comprehensible
• Alternatives to reduce risk
• Experience

10
Why Consumers Read or Dont Read Online Privacy
Notices
Read online privacy notices

--
Alternatives for Reading
Privacy Concern

Notice Comprehension
Privacy Protection Experience

--


Trust of privacy notices
Demographics
Milne and Culnan, JIM 2004
11
Quantitative Results
Reasons for Reading
Trust of Notice
--
Concern


Comprehension of Notice

Alternatives for Reading
--

Protection Experience

12
Qualitative Results

• Privacy notices are deliberately made too long
  and verbose. How about the Privacy Notices for
  Dummies version?
• Get real, no one in their right mind WANTS to
  read that mumbo jumbo verbiage
• I wish they would just simplify the basic points
  and have a long wordy version as an option and to
  cover their bums in case of some stupid money
  grubber suing them.
• I dont have a law degree

13
Study 2 Analysis of Online Privacy and
H.I.P.P.A. Notices in 2003

• Sample of 316 top websites Privacy Notices
• Sample of 25 H.I.P.A.A. Notices
• Various readability indexes
• Dale-Chall 8-8.911th,12th grade,
  9.0-9.9college
• Flesh Reading Ease 0-100, below 30 difficult,
  above 70 easy
• Fog (reading age to understand grade5years)
• Smog (grade level)

14
Online Privacy Notices
HIPAA
Dale-Chall
9.01
9.2
Flesch Reading Ease
41.41
43.68
Fog
24.8
25.9
SMOG
13.5
13.7
College level reading material
15
Conclusions

• Comprehension important factor in reading notices
• H.I.P.A.A. notices, like online privacy notices,
  require a college education to read.
• The notices seem to be written more for
  compliance than for helping consumers make
  decisions.