Journal of Business Research 57 (2004) 1000 – 1011 Just what the doctor ordered The role of information sensitivity and trust in reducing medical information privacy concern Andrew J. Rohma,*, George R. Milneb a Marketing Group, College of Business Administration, Northeastern University, Boston, MA 02115, USA b University of Massachusetts Amherst, Amherst, MA, USA Abstract This paper examines consumer concern regarding the collection and use of personal medical information. The authors investigate consumer concern in the context of information sensitivity and consumer trust in the organization involved in the collection and/or use of personal information. Data from a national survey suggest that consumers are most concerned with the collection and use of personal medical information, such as medical history or medical records. The data also indicate that consumers are less concerned with certain retail organizations involved in healthcare delivery (i.e., drug stores and grocery stores) using personal information in their marketing efforts, as compared with other organizations such as insurance firms, employers, and political organizations. D 2002 Elsevier Inc. All rights reserved. Keywords: Privacy; Trust; Healthcare; Information 1. Introduction The Internet is fast becoming an important vehicle for the delivery of healthcare products and services. Healthcarerelated websites now provide a wide range of information and opportunities for communication among consumers and healthcare providers. The online integration of healthcare records facilitates broad access to patient information and can potentially provide timesaving or even lifesaving benefits to consumers (Carter, 2000; Pendrak et al., 1998). In addition, the ability for consumers to order prescriptions through direct channels is an added convenience that often saves them money. Recent studies indicate that the online healthcare industry is expected to expand dramatically over the next several years. Revenues from online retail sales of healthcare products, such as prescription and nonprescription over-the-counter drugs, are expected to reach US$18 billion by 2004, with 80% of revenues coming from online sales of prescription drugs (Enos, 2000). While online health services afford consumers many opportunities, broad access to electronic patient information has already resulted in numerous abuses of patient privacy * Corresponding author. Tel.: +1-617-3733549. E-mail address: [email protected] (A.J. Rohm). 0148-2963/$ – see front matter D 2002 Elsevier Inc. All rights reserved. doi:10.1016/S0148-2963(02)00345-4 in the healthcare field. Several of these abuses and violations, involving drug and grocery retailers, employers, health maintenance organizations (HMOs), individuals, doctors, and manufacturers of healthcare products, are summarized in Table 1 and illustrate the sensitive nature of personal medical information. These issues illustrate how unwanted or unwarranted disclosure and exchange of sensitive medical information can result in situations ranging from unsolicited direct mailings from medical products or service marketers to damaged careers and reputations. Against the background of the mishandling of consumers’ personal medical information, research has shown that consumers do not feel in control. The 1993 Harris – Equifax survey (Harris, 1993) found that 8 out of 10 respondents believed consumers had lost control over how their personal medical information is distributed and used. A recent survey conducted by the California Healthcare Foundation (2000) found that 75% of consumers indicated concern about healthcare firms sharing their personal medical information with third-party organizations. Additionally, the recent Health Privacy Project (Goldman et al., 2000) concluded that online healthcare-related websites do not meet the minimum fair information practices of providing adequate notice and consumer control over personal information. Coincident with the Internet’s growth and growing consumer privacy concerns is the increased regulatory scrutiny A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 1001 Table 1 Personal medical information privacy issues Type of organization Medical privacy issue Drug/grocery stores A national drug store chain and a national supermarket chain provided patients’ medical information to an outside database marketing firm in order to send prescription reminders and promotional literature for new drugs. Even though the drug companies never received access to these consumer files, widespread consumer complaints suggested privacy concerns about the use of their personal medical information (O’Harrow, 1998). An HIV-positive man sued a drug store chain based on the West Coast for privacy invasion when a pharmacist revealed his HIV status to the man’s unknowing ex-wife and two sons (Goodyear, 1998). According to a recent study, 35% of Fortune 500 companies admitted to using personal medical information to make employment decisions (Linowes, 1996; cf. Pendrak et al., 1998). In Maryland, 16 state employees sold confidential patient information from the state’s medical database to HMOs (Valentine, 1995). A college medical student copied confidential health records and sold them to medical malpractice attorneys (Zitner, 1997). A patient who underwent psychiatric therapy for sexual dysfunction subsequently received numerous unsolicited mailings from vitamin and penile implant manufacturers (Silberner, 1997). A pharmaceutical firm compiled a list of 5 million elderly women who had responded to an advertisement for a bladder control undergarment. The firm then sold this list to third-party firms who were also interested in reaching elderly consumers. Although the firm subsequently apologized for its actions, it reiterated that its actions were consistent with current direct marketing practices (Mowery, 1998). Employers HMOs Individuals Doctors/medical firms Pharmaceutical firms of direct markers’ collection and use of consumers’ personal information. A recent Federal Trade Commission (FTC) inquiry into the information practices of commercial websites suggested that although there has been improvement in online posting of privacy policies, only 20% of sites surveyed that collect personally identifiable information conduct fair information practices (Federal Trade Commission [FTC], 2000). The 1998 FTC Report to Congress regarding online privacy also revealed that 88% of healthrelated commercial websites collected personal information, while only 14% of these sites disclosed their information practices (FTC, 1998). In a related effort, the Clinton administration proposed a plan that would limit healthcare organizations’ ability to share personal medical information without consumers’ explicit permission (Abreu, 2000). The plan suggested federal standards that would limit disclosures of individuals’ medical records by doctors, hospitals, pharmacists, and insurance companies (Pear, 2000). In such an environment with legislative action imminent, healthcare marketers’ ability to build and maintain consumer trust is an important step to reducing consumer perceptions of risk and concern. Consumers’ sensitivity towards personal information being collected and used by direct marketing firms, as well as their trust in these firms, may well determine the level of consumer concern, and ultimately, the efficacy of future healthcare delivery. It is important for direct marketers in the healthcare field, as well as policymakers, to understand consumer attitudes towards personal medical information used in direct marketing efforts. Such an understanding is essential to complying with proposed federal standards and maintaining consumer trust. The purpose of this paper is to investigate how situations of varying levels of trust and information sensitivity affect consumer medical privacy concerns. In this research, we develop a theoretically grounded medical privacy framework based on trust and information sensitivity levels, and test hypotheses that suggest when consumers are more concerned and what types of information or transactions concern them most. The balance of this paper is organized in seven sections. In the next section, we present the personal medical information framework. As part of this discussion, we review the theoretical basis for individual privacy and the role of trust and information sensitivity in affecting consumer privacy concerns. In the following section, we develop a set of research hypotheses. In the fourth section, we describe the methodology used in a national survey of direct marketing consumers. We then present the study results in Section 5 and discuss the findings in Section 6. In Sections 7 and 8, we discuss the implications and future research directions as well as conclusions to be drawn from this study. 2. Personal medical information privacy framework In Fig. 1, we present a framework that examines the potential for consumer concern with regard to the collection, use, and exchange of personal medical information. This framework portrays consumer privacy concern and perceived risk towards information collection along two dimensions: sensitivity of personal information and trust in specific organizations to use the personal information they collect in a fair manner. The framework suggests that consumers will indicate greater concern and perceived risk in instances where personal information (such as personal medical records and medical history) is deemed highly sensitive and the consumer does not trust the organization to use their personal information fairly. Conversely, the figure also suggests that consumers will indicate less concern and perceived risk in instances where personal information is deemed less sensitive and the consumer highly trusts the organization. The potential for concern and perceived risk is present when the organization is highly trusted yet the personal information is deemed 1002 A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 Fig. 1. Personal medical information framework. highly sensitive, or when the information is considered less sensitive yet the organization is not trusted. We elaborate on both of the factors proposed to affect consumer concern and risk perception, namely, sensitivity of personal information and trust in the organization. 2.1. Privacy concern Theoretical research that addresses consumer privacy concerns has attempted to define ideal conditions where privacy exists. The idea of consumers having control over their privacy was first strongly advocated by Alan Westin (1967), who suggested privacy was the ability to control personal information acquisition and use. Marketing scholars studying privacy incorporated these ideas. Goodwin (1991) depicted consumer privacy as a two-dimensional construct, involving physical space and information. She defined privacy in terms of consumer control over personal information disclosure, where information disclosure addresses how and when consumer information is captured and stored in databases, as well as the environment in which the transaction takes place. Foxman and Kilcoyne (1993) proposed an alternative privacy framework based upon who controls consumers’ personal information (i.e., the organization or the consumer) and whether or not the consumer is aware of the actual data collection. Culnan (1995) emphasized that awareness of the collection and reuse of personal information was important, as well as the ability to exercise control over reuse of the data by direct marketers. Caudill and Murphy (2000), in their review of online privacy issues, similarly suggested that knowledge of data collection and control of information reuse were central to maintaining privacy. In both the direct and online marketing contexts, empirical research suggests that two expressions of control— awareness of information collection and usage beyond the original and intended transaction—are the primary influences on consumer privacy concern (e.g., Sheehan and Hoy, 2000). These expressions of control are the basis for the FTC’s fair information practices of notice, choice, access, and security. For example, regarding notice and choice, privacy may be a concern when people are aware that direct marketers, without their permission, are collecting personal information and/or they do not know how that information is being used (Nowak and Phelps, 1995). In the online context, Cranor et al. (1999) found that whether information was going to be shared with other entities was the most important factor influencing consumers’ decision to disclose personal information. The privacy frameworks that address consumer control of personal information (e.g., Foxman and Kilcoyne, 1993; Goodwin, 1991) have been used to support empirical work investigating consumers’ privacy concern (e.g., Milne and Boza, 1999; Phelps et al., 2000; Sheehan and Hoy, 2000) and willingness to provide marketers with personal information (e.g., Milne, 1997; Milne and Gordon, 1993; Phelps et al., 2000). Additional research has shown that consumers are unaware of organizations collecting personal information (Culnan, 1995) and organizations’ usage of this information (Nowak and Phelps, 1992). Indeed, much of the efforts of the direct marketing community have been focused on providing consumers with control of their personal information. The rationale is that consumer concern will subside by making consumers aware of information practices and giving them the ability to remove their name from direct lists. However, research has suggested that reducing concern through increasing control might not be as effective as increasing trust (Milne and Boza, 1999) and understanding when consumers are willing to provide personal information (Phelps et al., 2000). A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 In the case of medical information, understanding the role of trust and information sensitivity is important. 2.1.1. Trust in the direct marketing organization In the marketing literature, trust has been defined as ‘‘a faith or confidence that the other party will fulfill obligations set forth in an exchange’’ (Gundlach and Murphy, 1993, p. 41). The role and importance of trust has been identified as a central tenet to building long-term relationships with consumers (Doney and Cannon, 1997; Morgan and Hunt, 1994; Smith and Barclay, 1997). Moorman et al. (1992) view trust as a factor in determining overall relationship quality. Within the database marketing literature, trust has been suggested as a mechanism with which to build or strengthen relationships (Campbell, 1997) and as an important mechanism with which to facilitate exchange (Milne and Boza, 1999). Milne and Boza show that building trust is a key element in reducing consumer privacy concerns and improving relationships between consumers and direct marketing organizations. Trust is developed through effective communication of privacy safeguards, market signals such as reputation and credibility, and past consumer experiences. The development of trust between direct marketers and consumers subsequently reduces consumers’ perceived risk. Developing and maintaining trust is indeed important in the healthcare field, primarily because of the benefits and risks associated with the collection of intimate or sensitive personal medical information. Wider access to the Internet and firms’ ability to collect and distribute personal medical information online among third parties has added to consumer concerns regarding the privacy of personal medical information. Risks associated with marketers’ collection and use of personal medical information can include privacy invasion and the risk of alienating customers, as well as the personal information abuses illustrated in Table 1. Recent research has shown that third-party websites that obtain medical information from health-related Internet sites do not follow as rigorous privacy practices (Goldman et al., 2000). On the other hand, short-term benefits to consumers are that information exchanges might provide firms with a deeper understanding of their customers and may lead to further refinements on how products or services are personalized. Long term, these exchanges might lead to longer-lasting relationships characterized by loyalty and trust. Trust in a healthcare organization depends on the subsequent use of the personal information collected. Reasons for organizations’ collection of personal medical information can involve both healthcare delivery as well as commercial benefits. Pharmaceutical companies often seek access to patient information in order to recommend proper treatments. These firms may only be interested in medical information in the aggregate, and not in individual-level information. However, some organizations may use this personal information for direct marketing practices that require individual-level information. 1003 Information technology developments raise important questions about the privacy of highly personal medical information collected online from consumers (Freudenheim, 1998). Recent advances in information technology have facilitated the ease of personal medical information collection and exchange, resulting in broader medical information access and dissemination among healthcare providers. These advances, such as the Internet, have also increased the risk of both inadvertent and intentional disclosure of sensitive information (Mowery, 1998; Rindfleisch, 1997), and may serve to diminish consumer trust. 2.1.2. Information sensitivity The ease with which information can be collected and exchanged using the Internet makes the organization’s use of personal information a very sensitive topic for consumers. Intimate self-disclosures are defined as those that contain high-risk (as opposed to low-risk) information (Moon, 2000). Phelps et al. (2000) find that consumers are more willing to provide direct marketers with demographic and lifestyle information than purchase-related and personal identifying information, which is considered more risky to disclose. The consumer privacy literature suggests that information sensitivity may influence privacy concern (Jones, 1991; Wang and Petrison, 1993) and subsequent risk perception. Phelps et al. (2000) and Milne and Gordon (1993) suggest that the level of consumers’ perceived risk is based upon the type and sensitivity of the information requested by the marketer, how the marketer will use the information, and whether the marketer plans to exchange the information with third-party firms. Regarding personal medical information, the issue of personal privacy takes on greater importance due to the convergence of databases containing personal medical information with the Internet’s collection and distributive capabilities. The distributed and networked nature of the Internet allows organizations to more effectively and efficiently collect, store, use, and disseminate potentially sensitive information. Potentially sensitive individual-level medical information may be of value to a wide array of organizations. Primary benefits managers, insurance companies, and HMOs collect patient information from physicians, hospitals, and pharmacists in order to monitor their patients’ behavior (Mowery, 1998). Other organizations that have access to individuals’ personal medical information may include employers, grocery and drug stores, and pharmaceutical companies. Consumers’ medical information can be collected in many different ways. Sources of medical information can include calls to toll-free numbers, auto registrations, credit reports and histories, insurance applications, medical records, checkout scanners, lists from third-party organizations, Electronic Patient Records, and Internet use. Additionally, longitudinal patient medical records may someday combine several databases into a single record for individual patients, creating a universal patient record accessible to a 1004 A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 wide range of parties (Mowery, 1998). Pharmacy Computer Prescription Databases (PCPDs) constitute yet another information collection method. PCPDs document each prescription received by a specific pharmacist. Most PCPDs can be sorted and searched by information contained in the prescription, such as the patient’s name and address, telephone number, city and zip code, prescription number and date, drug type and cost, and insurance provider (if any). On one hand, the benefit of a PCPD is that it enables the pharmacist to screen prescriptions for potential drug contraindications and interactions. On the other hand, there are potentially numerous privacy issues regarding PCPDs, given the sensitive nature and high commercial value, to third-party organizations, of the information contained within PCPDs. The types of medical information commonly found in personal files range from relatively nonsensitive—an individual’s height, weight, blood pressure, past illnesses, and medical treatments such as broken bones—to relatively more sensitive information regarding fertility, abortions, mental illness, sexually transmitted diseases, HIV status, substance abuse, and genetic predisposition to disease (Rindfleisch, 1997). Although many states currently prohibit the disclosure of disease-specific personal information, no matter how strict these states’ guidelines, actual drug prescription records may afford little protection against unwanted disclosure. In other words, it may be relatively easy to piece together a person’s current medical condition through nonrestricted medical information. For example, prescription records for drugs such as AZT may readily be identified as treatments for AIDS (Mowery, 1998). 3. Hypotheses Information sensitivity may depend on the type of information being collected, used, or exchanged by marketers (e.g., Phelps et al., 2000). Consumers may be more concerned about disclosing personal or individual-level data (e.g., personal medical information or history). Phelps et al. (2000) found that consumers were more willing to provide marketers with demographic and lifestyle information than with financial and personally identifiable information. Consumers prefer personal identifiers, such as name and address, to be kept confidential when they can be linked to sensitive information. Research suggests that consumers appear to be more concerned about the collection and usage of personal information from medical records than about the collection and usage of information from other sources (Cranor et al., 1999; Nowak and Phelps, 1995). The FTC (1996) also noted that financial and medical information are thought to be more sensitive and therefore in need of special protection. This leads to our first hypothesis: Hypothesis 1: Consumers are more likely to be concerned about organizations obtaining personal information, such as name and address, from their personal medical records than from other types of information sources (e.g., catalogs, auto registration, or insurance applications). Consumers’ willingness to disclose sensitive information is closely related to the degree to which they trust the firm collecting the information (Culnan and Armstrong, 1999; Milne and Boza, 1999; Vidmar and Flaherty, 1985). When trust is established, consumers will be less concerned and perceive less risk, as well as greater benefits, in providing organizations with personal information than in situations where trust does not exist. Thus, trust affects the risk – benefit perception. Milne et al. (1999) showed that experience with and reputation of direct marketing firms were the two strongest antecedents to consumers trusting firms with their personal information. Fig. 1 suggests that consumer concern and risk perception depends upon the type and sensitivity of information exchanged, as well as the degree of consumer trust. Consumers are less apt to trust an organization with which they have not transacted business. Moreover, because of this lack of trust, they should be more concerned if unknown organizations acquire more sensitive, as opposed to less sensitive, information about them. This leads to our second hypothesis: Hypothesis 2: Consumers are more likely to be concerned if organizations with which they have not done business purchased a list with their personal medical history rather than a list with other types of information (e.g., name and address or purchase history by product). Many online consumers simply do not trust direct marketers that collect information through websites (GVU WWW User Survey, 1998). This lack of trust in the online setting is especially important in the healthcare industry, in which numerous organizations (including retailers) possess sensitive personal medical information that may be of value to others. However, Sheehan and Hoy (2000) suggest that ongoing and mutually beneficial relationships with online marketers can minimize consumer privacy concerns. This supports Milne and Boza’s (1999) findings that building a reputation for fairness and maintaining communication with consumers is effective towards creating a sense of control and alleviating privacy concern among consumers. These findings suggest that consumers are more likely to trust organizations such as retailers, with whom they have ongoing or frequent buying experiences. This leads to our third hypothesis: Hypothesis 3: Consumers are more likely to be concerned about organizations with whom they have less frequent contact (e.g., insurance companies or political organizations) using their personal information in their marketing efforts than organizations (e.g., drug stores, grocery stores, or employers) with whom they have ongoing relationships. Along with experience and type of information collected, consumers may indicate greater levels of trust A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 with organizations that they believe will keep and use, but not share, their personal information. This leads to our fourth hypothesis: Hypothesis 4: Consumers are more likely to believe it appropriate for organizations with which they have done business to keep and use, rather than share, their personal information (e.g., medical history, name and address, purchase history by product, or income) with third-party organizations. Finally, for organizations with whom a consumer has done business, we would expect that medical information is more sensitive than other types of information; thus the collection, use, and sharing of medical information would be of greater concern to consumers. Hypothesis 5a: Consumers are less likely to find it appropriate for organizations with whom they have done business to keep and use medical information rather than other types of personal information (name and address, product purchase behavior, income). Hypothesis 5b: Consumers are less likely to find it appropriate for organizations with whom they have done business to share medical information with third parties rather than other types of personal information (name and address, product purchase behavior, income). 4. Methodology The data in this study are from a comprehensive consumer privacy survey conducted during the first quarter of 1997. The survey was made possible by a research grant to the second author from the Marketing Science Institute, as well as support from the Direct Marketing Educational Foundation, the Direct Marketing Association, and Metromail. In this section, we discuss the survey development procedure, response rate, and response characteristics. 4.1. Survey development An eight-page survey instrument was developed to survey consumers’ attitudes toward direct marketing practices. Survey questions were based on a review of the literature as well as expert industry opinion. The survey instrument was pretested via expert review (Hunt et al., 1982). Marketing practitioners experienced in survey research filled out the survey and made suggestions. Next, in a regional pretest, 200 surveys were sent to a random sample of households in three New England cities, of which 173 were delivered. The response rate was 37% (64/173). We revised the instrument format and items based on our review of response patterns. 1005 4.2. Survey procedure Our survey population consisted of a mailing list provided by Metromail consisting of 5003 randomly selected individuals from known direct mail households. The sample was selected to reflect US adult age distributions. Following Dillman (1978), we used a prenotification mailing using a 3 5 postcard and a US$1 incentive with the final mailing. 4.3. Response rate characteristics Following a month-long collection period, we received 1508 useable surveys and 112 surveys the post office was not able to deliver. This resulted in a response rate of 31.8%, well within the acceptable ranges of academic research. The response rate was also favorable given the length of the survey and the sensitivity of topics in the questionnaire. The respondent demographics are shown in Table 2. The response profile was 64% male, relatively affluent (with 21% having household incomes greater than or equal to US$75,000), educated (47% college graduates), older (51% over 50 years of age), politically conservative (41%) or Table 2 Respondent demographics N % of Respondents Sex Male Female 917 510 64 36 Household income < US$35,000 US$35,000 – US$75,000 >US$75,000 415 588 269 33 46 21 Education Less than high school graduate High school graduate or equivalent (GED) Some college, but not degree College graduate Postgraduate 57 311 400 427 262 4 21 28 29 18 Age Less than 30 years old 30 – 49 years old 50 years old and over 130 587 738 9 40 51 Political philosophy Conservative Moderate Liberal 579 668 170 41 47 12 Computer usage Use computer at home Do not use computer home 711 797 47 53 Purchase history Purchased by mail in last 6 months Purchased by phone in last 6 months Purchased by Internet in last 6 months 988 818 107 74 63 10 1006 A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 moderate (47%), and computer familiar (47% used computers at home). Because our sampling frame was based on one database marketer’s national mailing list, the respondent profile differs from a national profile of direct mail consumers (Direct Marketing Association, 1998). These differences may affect the generalizability of the findings. 4.4. Nonresponse bias In assessing nonresponse bias, we first compared early and late respondents (Armstrong and Overton, 1977) for differences among demographic variables and direct response activity. The first 75% of returned surveys were compared with the last 25% on specific demographics, such as age, gender, education, and computer use, as well as across 40 key constructs. No significant differences between early and late respondent groups were found for all 44 Bonferroni-adjusted comparisons (Hair et al., 1995). In addition to comparing early and late respondents, we were able to compare the differences between respondents and nonrespondents using background information from the original mailing file. To facilitate this comparison, each mailed survey contained a unique identification number that matched up to a data file with selected demographic data (except for name and address). When using this file to compare between respondents, no differences were found for age, gender, or income. Respondents, however, were found to come from households that exhibited a higher propensity to respond to direct mail offers than did nonrespondents. This does not appear to be problematic since it is very likely that this type of bias exists for most mail surveys. 4.5. Survey measures The topics we examine in this paper cover issues pertaining to personal medical information. The descriptive results are presented in the next section. To test our hypotheses, we analyzed respondents’ concern (and per- ceived appropriateness) for specific direct marketing practices involving medical data. A series of questions were asked about marketing practices characterized by varying levels of trust and information sensitivity. The level of trust was influenced by whether the consumer had done business with the organization or not, and how the information collected would be used. The type of information collected differed by the level of sensitivity. The exact wording of the survey questions used to test the hypotheses is shown in Appendix A. 5. Study results In this section, we first report the descriptive results from the study. Then we report the results of the hypothesis tests. 5.1. Descriptive results Table 3 reports respondents’ perceptions and concerns regarding an organization’s ability to obtain ‘‘name and address,’’ ‘‘information regarding products purchased,’’ and ‘‘purchase details like price and date.’’ In contrast to other sources of information reported in this study, most respondents do not believe or are unaware that organizations can obtain personal information from medical records. However, in terms of consumer concern levels, information from medical records is deemed the most sensitive. Note also that personal medical information can be obtained from all other sources (e.g., toll-free calls, auto registration, credit reports and histories, insurance applications, the Internet, and store scanner data). The results in Table 3 indicate moderate concern regarding organizations obtaining information regarding products purchased (44% of total respondents) or purchase details (44% of total respondents) from medical records. Respondents indicated significantly higher levels of concern (88% of total respondents) regarding organizations obtaining their name and address from medical records. Table 3 Consumer beliefs and concerns regarding personal information collection List from other companies Credit reports or histories Internet usage Auto vehicle registration Calls to toll-free numbers Insurance applications Medical records Checkout scanners From the following sources, do you believe organizations can obtain your Would you be very concerned if organizations could obtain the following from these sources Name and address Information regarding products purchased Purchase details like price and date Name and address Information regarding products purchased Purchase details like price and date Base % Base % Base % Base % Base % Base % 1430 1426 1421 1410 1426 1434 1408 1416 91 80 79 71 65 64 41 41 1183 1207 1187 1213 1219 1255 1263 1247 53 38 43 23 28 17 10 35 1046 1098 1075 1131 1132 1178 1221 1179 51 38 42 23 25 15 11 34 1390 1392 1388 1391 1389 1392 1393 1387 68 80 65 78 71 81 88 66 1308 1345 1297 1339 1317 1343 1368 1301 44 50 42 44 44 43 44 43 1298 1337 1280 1333 1308 1338 1362 1287 45 50 43 44 43 42 44 43 A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 1007 Table 4 Consumer sensitivity towards personal information collection and use Name and address Purchase behavior by product Medical history % who think that organizations they have done business with have their personal information % very concerned if business they did not do business with previously purchased a list with the following information Base % Base % Base % Base % 1460 1460 1460 99 46 18 1374 1386 1374 33 34 87 1272 1125 1129 83 63 17 900 986 1003 21 19 2 In Table 4, we report consumer sensitivity towards personal information collection and use. Specifically, respondents were asked if they thought ‘‘organizations they have done business with have their personal information,’’ would they be ‘‘concerned if businesses they did not do business with previously had purchased a list with the following information,’’ and ‘‘what type of information is appropriate for organizations with which you have done business to keep and use or share.’’ Less than one fifth of respondents think that organizations they have done business with have information about their medical histories. In contrast, 87% would be very concerned if businesses they had not previously done business with purchased this information. The more concerned respondents are about information sharing, the less likely they are to deem it appropriate for outside organizations (those they had not done business with) to keep or share their information. In Table 5 we asked respondents how ‘‘concerned are you with organizations using personal information they acquire in their marketing efforts’’ and ‘‘do you trust organizations to use personal information fairly.’’ Several types of organizations gather information from which they can make medical inferences. The obvious sources, employers and insurance companies, raise more concern than do nontraditional information collectors such as grocery stores and drug stores. Respondents indicated low levels of trust for all sources, although employers earned relatively higher levels—possibly due to present employment laws and regulations. Table 5 Consumer concern and trust in organizations’ use of personal information % very concerned with organizations using personal information they acquire in their marketing efforts Employers Insurance companies Drug stores Grocery stores What type of information is appropriate for organizations with which you have done business to % who trust organizations to use personal information fairly Base % Base % 1436 1465 63 58 1406 1421 38 17 1441 1450 43 36 1404 1415 21 16 Keep and use Share 5.2. Hypotheses testing To test the hypotheses, we performed a series of z tests. To test Hypothesis 1, we compared concern about obtaining name and address from medical records (88% very concerned) with concern for obtaining name and address from each of the other seven sources listed in Table 3. In support of Hypothesis 1, we found statistically significantly lower percentages of consumers very concerned about the following sources: lists from other companies (z = 12.74, P < .01), credit reports or histories (z = 5.76, P < .01), Internet usage (z = 14.29, P < .01), auto vehicle registration (z = 7.04, P < .01), calls to toll-free numbers (z = 11.11, P < .01), insurance applications (z = 4.93, P < .01), and checkout scanners (z = 13.78, P < .01). To test Hypothesis 2, we compared concern about purchasing a list with personal medical history information (87% very concerned) with concern about purchasing a list with names and addresses (33%) and purchase behavior by product (34%), as shown in Table 4. In support of Hypothesis 2, we found statistically significantly lower percentages of consumers very concerned about name and address (z = 59.93, P < .01) and purchase behavior by product (z = 58.82, P < .01). To test Hypothesis 3, we compared concern for organizations using acquired information, as shown in Table 5. Mixed support was found for Hypothesis 3. While grocery stores (36% very concerned) and drug stores (43% very concerned) have lower concern levels among respondents than insurance companies (58% very concerned), concern about employers was high (63%) and thus contrary to expectations. To test Hypothesis 4, appropriateness of keeping and using information was compared to appropriateness of sharing the information, as shown in Table 4. In support of Hypothesis 4, respondents found it more appropriate for organization to keep and use, rather than share, information for name and address (z = 28.78, P < .01), purchase behavior by product (z = 20.42, P < .01), and medical history information (z = 11.58, P < .01). Finally, to test Hypothesis 5a, the appropriateness of keeping and using medical history information was compared to the appropriateness of keeping and using other types of information. To test Hypothesis 5b, a similar 1008 A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 comparison was made for sharing information. These results are also shown in Table 4. Strong support was found for both hypotheses. A significantly statistically higher percentage of concern was found for keeping and using medical history information compared to name and address (z = 32.31, P < .01) and purchase behavior by product (z = 22.29, P < .01). Likewise, a significantly statistically higher percentage of concern was found for sharing medical information compared to name and address (z = 13.23, P < .01) and purchase behavior by product (z = 12.42, P < .01). 6. Discussion This study suggests that a majority of consumers express high levels of concern and low levels of trust when it comes to organizations collecting, using, and sharing these consumers’ personal medical information. Based upon the framework shown in Fig. 1, instances in which highly sensitive information is collected or shared by organizations that consumers do not trust with this information will lead to greater levels of consumer concern and perceived risk in disclosing personal information. On the other hand, instances in which less sensitive information is collected or shared by organizations that possess greater levels of consumer trust will result in lower consumer concern and perceived risk in disclosing this information. The results presented here suggest that consumers’ personal medical history is deemed more sensitive than other types of information typically collected by direct marketers. This finding is based upon significantly higher levels of concern reported in this study for medical history information purchases by third-party organizations, significantly lower percentages of respondents reporting that it is appropriate for firms to both keep and use as well as share personal medical history information, and greater levels of concern regarding direct marketers’ ability to obtain personal information such as name and address from medical records. Several types of organizations gather information with which they can make medical inferences. The results presented here also suggest that certain organizations, such as employers and insurance companies, raise more concern than do information aggregators such as grocery stores and drug stores. Given certain retailers’ (e.g., drug and grocery stores) ability to generate relatively greater trust—possibly because of the frequent patronage and purchase cycles characteristic of these businesses—these firms must also work to maintain this trust through direct marketing practices. These practices may include communicating clear and unambiguous information privacy policies that offer the consumer protection of and control over their personal information. This is particularly true with regards to more sensitive types of personal information. The occurrences depicted in Table 1, notably the issue regarding the national drug store chain, illustrate the implications when retailers violate consumer trust with regards to the privacy of their personal information. An alternative explanation for why consumers may indicate greater levels of concern towards employers’ use of their personal information involves the perceived power of the organization itself. Individuals may perceive their employers as possessing greater power and potential influence within the healthcare context rather than grocery or drug stores (Bodenheimer and Sullivan, 1998). The public’s attitudes towards personal medical information sharing and exchange may indeed be divided between the users of such information and the individual consumer and information provider. As Dr. Margo Goldman, member of the Coalition for Patients’ Rights, stated that ‘‘the American people are being told that to get top-notch healthcare there is something to be given up, (and) that something is privacy’’ (Thurman, 1998). The trade-off and debate regarding the use of personal medical information exists primarily between the rights and privacy concerns of the individual and the interests of the healthcare provider and involved parties. Congress has recently proposed various bills in an effort to balance the needs of healthcare providers (e.g., doctors and HMOs), insurers (e.g., employers and benefits managers), and pharmacies to share and exchange medical information, with the consumer’s need for information privacy. The Clinton administration had made recommendations to Congress regarding personal medical privacy. The former Health and Human Services Secretary had also recently recommended to Congress several personal medical privacy guidelines that attempt to balance the need for individual privacy with external interests such as medical research, public healthcare, cost containment, and law enforcement (Silberner, 1997; Washington Post, 1997). Additionally, the Health Care Personal Information Nondisclosure Act of 1998 was proposed to balance protection from unauthorized use of protected healthcare information with efforts to promote high-quality healthcare through the confidential sharing and exchange of personal medical information. On the other hand, a section of the recent patients’ rights bill introduced by the House of Representatives, known as the Medical Information Protection Act of 1998, provides healthcare organizations the right to disclose or sell patient information. This provision would allow hospitals, HMOs, pharmacies, doctors, and insurers to disclose patient information to health plan providers in order to manage patient cases and determine ratings for healthcare plans. The critics of more stringent information privacy guidelines argue that these guidelines add unnecessary complexity to the prescription dispensing and patient communication process. Critics also argue that these guidelines may potentially reduce a pharmacy’s ability to identify and target specific patients with pharmacy care follow-up efforts. Further, they state that stricter guidelines could potentially A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 reduce the ability of physicians, insurers, and other healthcare providers to coordinate treatments through patient information sharing (Frederick, 1998). Resulting time delays and excessive privacy-protection hurdles to information access and sharing could be to the detriment of the patient (Rindfleisch, 1997). The challenge remains to overcome consumer concern regarding certain direct marketing practices, including unauthorized exchange of personal information with third-party entities. Privacy concern levels and perceptions regarding proper information disclosure seem dependent on the specific interests and motives of the entity or organization involved. From the consumer’s view, an individual may face several threats to his or her medical information privacy, including insider abuse, accidental disclosure, insider curiosity, insider subornation, secondary users, and outsider intrusion. These perceived threats may lead to heightened concern regarding personal medical information privacy. Developing a policy that balances marketers’ information needs and consumers’ privacy concerns requires taking into account marketers’ information gathering practices and specific information contexts as well as being cognizant of the trade-offs that occur in marketing transactions (Milne and Gordon, 1993; Phelps et al., 2000). The optimal balance between consumer information privacy and the organization’s need to collect personal medical information may ultimately be affected by several factors, including consumer privacy interests, healthcare provider and research interests, government policy, and increasingly sophisticated information collection and exchange mediums, such as the Internet. The underlying issue is that many of these factors may in the end prove to be both beneficial and detrimental to consumers’ medical information privacy. 1009 as antecedents influencing perceived risk and concern regarding information disclosure. The framework presented in Fig. 1 illustrates four risk and concern states that are based upon organizational trust and information sensitivity. It is important for researchers to consider these two factors in association with consumers’ privacy concerns. Managerially, these results highlight the importance of trust in the organization and personal information sensitivity in influencing consumer concern regarding medical information collection and use. This study is also important because it suggests that certain types of retailers (e.g., drug stores) represent important links in the healthcare delivery system in terms of over-the-counter sales of medical products as well as prescription fulfillment. In interpreting these results, it is important to realize that this survey represents respondents from the database of a national list marketer. Because of differences in the demographic profiles, the overall response may not fully project to the entire US population. Participants’ health, which was not included as a variable in this study, may have influenced sensitivity and concern regarding personal medical information privacy. Future research examining individuals’ concerns regarding the privacy of their personal medical information could consider participant health as a study variable. Also, in fairness to the issue of consumer concern, this study did not require consumers to consider the tradeoff of privacy protection versus healthcare quality and efficacy. Future research could take this potential trade-off into account as well. Moreover, the measurement of phenomena relied upon single items. Nevertheless, despite these limitations, the data do provide an important representation of the consumers’ perspective on personal medical information and privacy as marketers and policymakers evaluate the effectiveness of current information control and privacy practices. 7. Implications and future research directions 8. Conclusion This research makes two primary contributions to the direct marketing literature. First, this study is one of the first to investigate consumer privacy concerns regarding personal medical information collection, use, and exchange. These findings are particularly important given the current and potential future influence of the Internet and database marketing on individual privacy concerns in the healthcare industry. Second, this research examines consumer concern in the context of two dimensions, information sensitivity and trust in the organization collecting personal medical information, where privacy concern is a function of both information sensitivity and trust. The findings suggest that consumers are less apt to be concerned when personal information perceived as sensitive, such as personal medical information, is collected by organizations that they trust, such as grocery stores and drug stores. Theoretically, this research is important because it links personal information sensitivity and trust in the organization This study reported data from a national survey that examined consumer concern towards the collection, use, and exchange of personal medical information used in direct marketing efforts. Consumer concern levels were based upon a framework involving sensitivity of information collected as well as the trust in the organization itself. The results indicate that consumers are most concerned with the collection and use of personal medical information (i.e., from medical histories or records) as compared to other types of information collected by direct marketers. These results also suggest that a majority of consumers indicate high levels of concern and low levels of trust with regard to organizations collecting, using, and sharing their personal medical information. Instances in which sensitive information is collected or shared by organizations that consumers do not trust with this information leads to greater levels of consumer concern and perceived risk in disclosing informa- 1010 A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 tion. Instances in which less sensitive information is collected or shared by organizations that consumers do, to a greater degree, trust leads to lower consumer concern and perceived risk in disclosing information. Appendix A. Survey questions to test study hypotheses (Hypothesis 1) Would you be very concerned if a company could obtain your name and address, type of products purchased, and purchase details from the following sources? (Hypothesis 2) If a company you did not previously do business with purchased a customer list, how concerned would you be if the list contained the following information about you? (Hypothesis 3) How concerned are you with different organizations using personal information they acquire from you in their marketing efforts? (Hypotheses 4, 5a, and 5b) What type of information is appropriate for organizations with which you have done business to: (1) keep and use to further its relationship with you, (2) not keep at all, (3) share with other organizations, (4) not share with other organization? References Abreu E. Keep your hands off my data. Ind Stand 2000;65 (May 15). Armstrong JS, Overton TS. Estimating nonresponse bias in mail surveys. J Mark Res 1977;396 – 402 (August). Bodenheimer T, Sullivan K. How large employers are shaping the health care marketplace. N Engl J Med 1998;1003 – 7 (April 2). California Healthcare Foundation. Ethics survey of consumer attitudes about health web sites 2000. Available at: http://www.chcf.org/press/ viewpress.cfm?itemID=1015 (January). Campbell AJ. Relationship marketing in consumer markets: a comparison of managerial and consumer attitudes about information. J Direct Mark 1997;11:44 – 57 (August). Carter M. Integrated electronic health records and patient privacy: possible benefits but real dangers. Med J Aust 2000;172(1):28 – 30. Caudill EM, Murphy PE. Consumer online privacy: legal and ethical issues. J Public Policy Mark 2000;19:7 – 19 (Spring). Cranor LF, Reagle J, Ackerman MS. Beyond concern: understanding net users’ attitudes about online privacy. AT&T Labs—Research Technical Report TR 99.4.3, April 14, 1999. Culnan MJ. Consumer awareness of name removal procedures: implications for direct marketing. J Direct Mark 1995;9:10 – 9 (Spring). Culnan MJ, Armstrong PK. Information privacy concerns, procedural fairness, and impersonal trust: an empirical investigation. Organ Sci 1999;10:104 – 15 (January/February). Dillman D. Mail and telephone surveys: the total design method. New York (NY): Wiley, 1978. Direct Marketing Association. Direct Marketing Association’s statistical factbook ’98. New York: Direct Marketing Association, 1998. Doney PM, Cannon JP. An examination of the nature of trust in buyer – seller relationships. J Mark 1997;61:35 – 51 (April). Enos L. Drug sales to drive $18B Net health market. E-Commerce Times 2000. (June 27) Available at: http://www.ecommercetimes.com/news/ articles2000/000627-6.shtml. Federal Trade Commission. Consumer information privacy hearings 1996. Available at: http://www.ftc.gov. Federal Trade Commission. Privacy online: a report to Congress 1998. Available at: http://www.ftc.gov/reports/privacy3/toc.htm (June). Federal Trade Commission. Privacy online: fair information practices in the electronic marketplace: a report to Congress 2000. Available at: http://www.ftc.gov/reports/privacy2000/privacy2000text.pdf (May). Frederick J. Chain pharmacy: patient privacy debate raises pharmacy concerns among state and federal legislatures. Drug Store News. 1998;CP1 (April 27). Foxman ER, Kilcoyne P. Information technology, marketing practice, and consumer privacy: ethical issues. J Public Policy Mark 1993;12:106 – 19. Freudenheim M. New York Times 1998;D1 (August 12). Goldman J, Hudson Z, Smith RM. Report on the privacy policies and practices of health web sites. Health Privacy Project2000. Available at: http:// ehealth.chcf.org/priv_pol3/index_show.cfm?do_id = 33 (January). Goodwin C. Privacy: recognition of a consumer right. J Public Policy Mark 1991;10:149 – 66 (Spring). Goodyear C. San Franc Chron 1998;A17 (February 5). Gundlach GT, Murphy PE. Ethical and legal foundations in relational and marketing exchanges. J Mark 1993;57:35 – 46 (October). GVU WWW User Survey. GVU 10th Annual Survey, 1998. Available at: http://www.gvu.gatech.edu/user _ surveys/survey-1998-10/graphs/ privacy/q02.htm. Hair JF, Anderson RE, Tillman RL, Black WC. Multivariate data analysis. Upper Saddle River, NJ: Prentice-Hall, 1995. Harris, Louis & Associates. Health information privacy survey. Atlanta (GA): Equifax, 1993. Hunt SD, Sparkman RD, Wilcox JB. The pretest in survey research: issues and preliminary findings. J Mark Res 1982;19:269 – 73 (May). Jones MG. Privacy: a significant marketing issue for the 1990s. J Public Policy Mark 1991;10(1):133 – 48. Linowes DF. Privacy in the workplace in perspective. Hum Resour Manage Rev 1996;165 – 81 (Fall). Milne GR. Consumer participation in mailing lists: a field experiment. J Public Policy Mark 1997;16(2):298 – 309. Milne GR, Boza M-E. Trust and concern in consumers’ perceptions of marketers’ information management practices. J Interact Mark 1999; 13:5 – 24 (Winter). Milne GR, Gordon ME. Direct mail privacy-efficiency tradeoffs within an implied social contract framework. J Public Policy Mark 1993;12(2): 206 – 15. Milne GR, Rohm AJ, Boza M-E. Trust has to be earned: an exploration into the antecedents of trust in database marketing. In: Phelps J, editor. Frontiers in direct marketing research. New York (NY): Direct Marketing Educational Foundation; 1999. p. 31 – 41. Moon Y. Intimate exchanges: using computers to elicit self-disclosure from consumers. J Consum Res 2000;26:323 – 39 (March). Moorman C, Zaltman G, Deshpande R. Relationships between providers and users of market research: the dynamics of trust within and between organizations. J Mark Res 1992;29:314 – 29 (August). Morgan RM, Hunt SD. The commitment – trust theory of relationship marketing. J Mark 1994;58:20 – 38 (July). Mowery G-M. A patient’s right of privacy in computerized pharmacy records. Univ Cincinnati Law Rev 1998;697 (Winter). Nowak GJ, Phelps J. Understanding privacy concerns: an assessment of consumers’ information-related knowledge and beliefs. J Direct Mark 1992;6(4):28 – 39. Nowak GJ, Phelps J. Direct marketing and the use of individual-level consumer information: determining how and when ‘privacy’ matters. J Direct Mark 1995;9(3):46 – 60. O’Harrow R. CVS also cuts ties to marketing service: like giant, firm cites privacy on prescriptions. Washington Post 1998;E01 (February 19). Pear R. U.S. plans tighter rules on medical files’ privacy. New York Times 2000;A14 (August 14). Pendrak RF, Dfashrm A, Ericson PR. Information technologies need to protect patient confidentiality. Healthc Financ Manage. 1998;66 – 8 (October). A.J. Rohm, G.R. Milne / Journal of Business Research 57 (2004) 1000–1011 Phelps J, Nowak G, Ferrell E. Privacy concerns and consumer willingness to provide personal information. J Public Policy Mark 2000;19:27 – 41 (Spring). Rindfleisch T. Privacy, information technology, and health care. Commun ACM 1997;8:93 – 100 (August). Sheehan KB, Hoy MG. Dimensions of privacy concern among online consumers. J Public Policy Mark 2000;19:62 – 73 (Spring). Silberner J. Hastings Cent Rep 1997;27(6) (November). Smith JB, Barclay DW. The effects of organizational differences and trust on the effectiveness of selling partner relationships. J Mark 1997;61: 3 – 21 (January). Thurman JN. The Christian Science Monitor 1998. Available at: http:// www.csmonitor.com/durable/199810723//fp3s2-csm.htm (July 23). 1011 Valentine PW. Medicaid bribery is alleged. Washington Post 1995;B1 (June 14). Vidmar N, Flaherty DH. Concern for personal privacy in an electronic age. J Commun 1985;91 – 103 (Spring). Wang P, Petrison LA. Direct marketing activities and personal privacy: a consumer survey. J Direct Mark 1993;7(1):7 – 19. Washington Post: Medical Files, or Fishbowls? Editorial 1997;A16 (September 23). Westin A. Privacy and freedom. Atheneum, NY: Atheneum; 1967. Zitner A. Patient Privacy Standards Sought. Boston Globe 1997;C1 (August 1).
© Copyright 2024 Paperzz