URAC WS 4 - Disclosure: Personally Identifiable Information
Health Web Site standard 4 provides:
The Web site discloses to users: (Primary)
(a) What information is collected about users after the user opts-in to the information collection and how it is used (including the use of passive tracking mechanisms); (Primary)
(b) The use of passive tracking mechanisms to users and the purpose(s) for which the passive tracking mechanism will be used; (Primary)
(c) To whom personally-identifiable information may be disclosed, and for what purpose; (Primary)
(d) How long personally-identifiable information is retained; (Primary)
(e) The rights of users with respect to their personally-identifiable information, including all the rights enumerated in section IV of these standards; (Primary)
(f) The entity that maintains personally-identifiable information; (Primary)
(g) How users can access, supplement, and amend user-provided personally-identifiable information and personal health information; and (Primary)
(h) Any limitations on amendment, deletion, or removal of information. (Primary)
The standard, like all of URAC's privacy/confidentiality-related standards, is a mandatory standard.
It's important to note that Personally Identifiable Information ("PII") is defined as "Any information that can be tied to an individual identifier."
This disclosure requirement is a prerequisite for WS 24, the opt-in requirement for personally-identifiable information (PII). The notion underlying this pair of standards, of course, is that full disclosure is required for true choice.
The disclosures required by this standard are usually on a page called "Privacy Policy," and must be obviously displayed. We recommend that this be a persistent link in the overall template of the Web site.
Another important issue in connection with this standard has to do with the use of 3rd parties that might collect and use PII, such as a health risk assessment tool. URAC provides guidance for this scenario in its "Points to Remember" section of the Program Guide. The essence of that guidance is that the applicant Web site is held to a high standard regarding privacy disclosure, and does not get off the hook by delegating PII-collection to a contractor.
The submission for this standard has the same form as most: a P&P that clearly describes the PII policy, coupled with an easily-locatable link to a comprehensive disclosure page.
