According to two research studies, almost half of all companies have no privacy policy at all. And many that do have policies don't post them on their Web sites.

Stephanie Stahl, Contributor

August 16, 2002

Whew! Ninety-three--that's the number of pages in the PDF file I downloaded from the Federal Register last week detailing the final rule from the Department of Health and Human Services for privacy standards for health information. That's a lot for health-care and insurance companies to digest, and it's only one component of the Health Insurance Portability and Accountability Act. It's also a lot for consumers to chew over. But Marty Abrahms gives the department a lot of credit. Not only is it providing very detailed specifications, he says, it's also providing a summary that's more palatable. That's a concept that Abrahms, former chief privacy officer at Experian, who now works for law firm Hunton & Williams, and others are trying to convince companies to adopt. Already, the folks at Citigroup, J.P. Morgan Chase, Procter & Gamble, and others are working on shorter, friendlier, less legal mumbo-jumbo types of statements. It needs to be something consumers can glance at and compare with others, he says. I couldn't agree more. Last summer, my mailbox was deluged with privacy statements from banks and credit-card companies (those complying with the Gramm-Leach-Bliley Act), but somehow they always ended up in the "to read later" pile. It's one of those piles that, if it sits there long enough and I haven't touched it, can go into the recycling bin without much thought.

Of course, my reading habits and those of other information-overloaded consumers are a small part of the work with which chief privacy officers need to concern themselves. Once statements are written, agreed upon, and posted, they've got to make sure their actions live up to their words. That's where the real work begins. It's also where technology lends a hand. A growing number of vendors are coming out with software to manage policies, track customer privacy preferences, monitor the flow of customer information, and even tag data to prevent an application from accessing it if it violates a privacy policy or preference. Senior editor Rick Whiting investigates further in "Making Privacy Work".

I applaud companies that are going beyond regulatory compliance and strongly enforcing their policies, even using them as a competitive advantage. But let me end with something disturbing. According to two research studies, almost half of all companies have no privacy policy at all. And many that do have policies don't post them on their Web sites. I can't think of a reason why either statistic should be acceptable. Come on, folks. It's time to make your privacy policies a little less private.

Stephanie Stahl
Editor

To discuss this column with other readers, please visit Stephanie Stahl's forum on the Listening Post.

To find out more about Stephanie Stahl, please visit her page on the Listening Post.
