Health Information Compliance Alert

The company responsible for one of the most high profile unauthorized disclosures of health information has agreed to settle charges brought by the Federal Trade Commission — and the agency’s chief says other companies should turn to the settlement in crafting their own privacy policies.

Pharmaceutical giant Eli Lilly, through its Prozac.com Web site, offered consumers the Medi- Messenger e-mail medication reminder service. Patients who signed up for the service received email notifications reminding them to take their medications or refill prescriptions. On June 27, 2001 a Lilly employee sent an e-mail message to all Medi-Messenger subscribers to announce the termination of the service. Unfortunately, that message contained the e-mail addresses of all recipients in the “To:” field.

That e-mail launched a petition from the American Civil Liberties Union requesting that the FTC investigate and take appropriate action against Lilly.

Following an investigation, the FTC filed a complaint alleging that Lilly’s claims of privacy and security — reflected in online statements such as “Eli Lilly and Company respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests’ privacy as they take advantage of this resource” — were deceptive.

Specifically, according to the complaint, Lilly failed to: provide training for employees on consumer privacy and information security; provide oversight of or assistance for the employee who sent the offending e-mail; and implement “appropriate checks and controls” on the process such as reviewing and pretesting computer programs with experienced personnel. Furthermore, by sending the e-mail, Lilly violated several of its own written security protocols.

“Even the unintentional release of sensitive medical information is a serious breach of consumers’ trust,” says J. Howard Beales, III, director of the FTC’s Bureau of Consumer Protection. “Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information.”

The proposed settlement agreement announced Jan. 18 would bar Lilly from making misrepresentations about the extent to which the company protects the privacy of personal information collected from consumers. Lilly would also be required to implement a “four-stage information security program” to protect consumers’ information.

Specifically, Lilly would be required to:

• designate appropriate personnel to oversee and coordinate the program;
• identify reasonably foreseeable internaland external risks to the security, confidentiality, and integrity of personal information, includingany such risks posed by lack of training, and toaddress these risks in each relevant area of itsoperations, including: (1) management and trainingof personnel; (2) information systems for theprocessing, storage, transmission or disposal ofpersonal information;  and (3) prevention and responseto attacks, intrusions, unauthorized accessor other information systems failures;
• conduct an annual written review by qualifiedperson, within 90 days after the date of theservice of the order and yearly thereafter, whichshall monitor and document compliance with theprogram, evaluate the program’s effectiveness andrecommend changes to it; and
• adjust the program in light of any findingsand recommendations resulting from reviews or ongoing monitoring, and in light of any materialchanges to Lilly’s operations that affect the program.

The FTC voted unanimously to accept the settlement agreement which will soon be published in the Federal Register. The agreement will then be subject to public comment for 30 days, after which the FTC will decide whether to make it final.

FTC Commissioner Orson Swindle was soft in his criticism of the company and noted that the plan could serve as guidance for other organizations that handle sensitive health information: “Lilly’s responsiveness and its efforts to improve corporate privacy practices can be a model for others to follow.”