PROD #: 305.013
Psychotherapy: Theory. Research. Practice. Training 2003, Vol. 40, No. 1/2, 77-85
Copyright 2003 by the Educational Publishing Foundation 0033-3204/03/S12.00 DOI 10.1037/0033-3204.40.1/2.77
METHODOLOGICAL RIGOR AND ETHICAL CONSIDERATIONS IN INTERNET-MEDIATED RESEARCH ROBIN M. MATHY University of Oxford, University of Cambridge, and University of Minnesota Medical School This article reviews the methodological and ethical challenges of undertaking research using the Internet. The authors review methodological issues that may compromise the internal and external validity of Internet research, such as representativeness of samples, sample bias, and respondent bias. In addition to reviewing fundamental ethical problems associated with Internet research, the authors review new constraints imposed by Health Insurance Portability and Accountability Act legislation. They provide an overview of minimal safeguards needed to maintain the confidentiality of Internet-mediated research. Robin M. Mathy, Kellogg College and Evidence-Based Health Care, University of Oxford. Oxford, England; Wolfson College and International Relations, University of Cambridge, Cambridge, England; and University of Minnesota Medical School. Deborah L. Kerr, Department of Radiology, Medical School, Washington University, St. Louis. Brian M. Haydin, Departments of Computer Science and Mathematics, Washington University, St. Louis. Authors are listed in the order of their contribution. This work was supported, in part, by a National Institute of Mental Health Supplemental Grant for an Individual With a Disability (5R01MH063328) to Robin M. Mathy. Thanks to Abe Wolf for his excellent feedback and support in the development of this article. Correspondence regarding this article should be addressed to Robin M. Mathy, MA, PgC, PgD, via e-mail: Robin
[email protected]
DEBORAH L. KERR AND BRIAN M. HAYDIN Washington University, St. Louis Factors unique to using the Internet for survey research affect the external and internal validity of findings. To the extent that a sample is not representative of a population, the generalizability of results is limited. Research findings may also be confounded by how participants respond to an Internet-based protocol versus a mailing or telephone interview, personality factors, and sampling biases. To what extent are there differences between the data gathered via the Internet and other methods of administering research instruments? How similar or different are the personalities of participants who complete research instruments using various methodologies of administration? In the following sections, we discuss the rigor of Internet-mediated research, including a review of the response rates of surveys administered via the Internet versus other media as well as personality research that has examined variations in Internet usage.
Methodological Considerations Representativeness Representativeness of samples is a critical issue in Internet research. To the extent that one's sample is not representative of a population, generalizability of results is limited. The following section reviews the demographics of Internet users internationally and nationally and discusses how this affects the ability to generalize findings. More than half of the U.S. population is now online (U.S. Department of Commerce [DOC], 2002). The University of California, Los Angeles Center for Communication Policy (CCP; 2003) recently reported that more than 70% of Americans were online in 2001 and 2002, and nearly 60% of the American population accessed the Internet from home. Internet usage has expanded 77
Mathy, Kerr, and Haydin rapidly in the wealthy, industrialized, and technologically innovative countries of the global North, but abject poverty, underdevelopment, and limitations in technology transfer have impeded its growth in the countries of the global South (American Association for the Advancement of Science, 2003). About 91% of the world's Internet users live in the United States and other countries that comprise the Organization for Economic Cooperation and Development, though only 19% of the globe's population lives in these advanced industrialized nation-states (Kegley & Wittkopf, 2001). International demographic changes correspond to technological innovation and global Internet usage. As of March 2002 (Schrnidley, 2003), 32.5 million foreign-born individuals were living in the United States, accounting for 11.5% of the total U.S. population. Over half of these individuals (52.2%) are from Latin American countries in the global South. Although more than half of the population in most states was online by September 2001 (DOC, 2002), there are important geographic and social disparities associated with Internet usage in the United States. The DOC indicated that as of August 2000, Internet usage in the United States was heavily concentrated in the upper Northwest, Midwest, and far East Coast, as well as Alaska. With the exception of a few southeastern states and West Virginia, more than half of each state's population was online by September 2001. Low-income families constitute the fastest growing segment of Internet users. However, DOC and CCP (2003) data reveal that Internet usage among ethnic minorities and individuals in economically disenfranchised groups is still significantly lower than the rest of the U.S. population. As with immigrants, refugees, and asylum seekers, this disparity results in their potential underrepresentation in Internet-mediated research relative to the rest of the U.S. population. Factors affecting the expansion of the Internet, including affordability, accessibility, and availability (Cooper, 1998), may make online clinical services feasible for clients who otherwise would not pursue treatment (Alleman. 2002). Similar characteristics have increased the viability of obtaining samples of difficult-to-reach participants via the Internet (Mathy, Schillace, Coleman, & Berquist, 2002). However, sampling from the population of all U.S. Internet users cannot yet be considered representative of the U.S. population. At a minimum, oversampling of economically
78
disadvantaged individuals and members of ethnic minority groups is required to ensure that the Internet sample's demographics approximate those in the general population. Internet-Mediated Versus Other Media Mathy et al. (2002) used a block sampling method to find a small but representative sample of lesbians, and then compared their demographic profiles with a much larger Gallup Poll sample in addition to U.S. population demographics. Overall, they found that their small sample of lesbians was more robust than the Gallup Poll sample. They also found that their block sampling method and those used by the Gallup Poll were equally representative of the U.S. population. Their work demonstrated that careful Internet-mediated sampling could yield surprisingly robust data for hard-to-reach participants. Cooper, Scherer, and Mathy (2001) compared a mutually exclusive selected random sample (every 1,000th visitor) and convenience sample that were drawn simultaneously from the Web site of an international news organization. They found that Minnesota Multiphasic Personality Inventory (MMPI)-like lie-detection items and other a priori criteria could effectively prevent sampling on the dependent variables, consisting of sensitive questions about online sexual behaviors. Their work substantiated the reliability of Internet-mediated research by including experimental controls that increased the integrity of research data. Yoshino et al. (2001) conducted remote video psychiatric interviews using narrow and broad bandwidths. Reliability was significantly lower in the low bandwidth than in the broad bandwidth, with the latter but not the former considered adequate. Their work suggested that the validity of Internet-mediated research varies by the quality of Internet equipment. Thus, it is prudent for authors of articles concerning Internet-mediated research to specify the equipment they used when disseminating the results of their studies. A number of researchers have compared samples of participants who responded to Internet-based surveys with those who answered surveys via other media and found that these different methodologies are comparable. Buchanan (2000) examined the relation between selfmonitoring and romantic attraction and compared participants in an Internet-mediated condition
Special Issue: Methodological Considerations with those in a paper-and-pencil administration. There was no statistically significant difference between high and low self-monitors by method of administration. Ballard and Prine (2002) compared a Web-site-administered and a mailadministered survey about community policing in a small city in Georgia. They found that responses did not differ significantly by method of data collection or sociodemographic variables. Epstein, Klinkenberg, Wiley, and McKinley (2001) randomly assigned undergraduate students to complete ratings of physical and sexual attractiveness via the Internet or via a paper-andpencil condition. They found no statistically significant differences between conditions in students' mean ratings of attractiveness. Reevaluation of the data by gender revealed significantly higher same-gender ratings among participants in the paper-and-pencil condition. Truell, Bartlett, and Alexander (2002) randomly assigned participants to complete a 10-item dummy survey either via the Internet or mail. They found that the survey methods had similar response rates. Pettit (2002) compared volunteers (N = 2,649) who answered a questionnaire online with those who completed the instrument in a paper-and-pencil condition. They found no statistically significant differences on four of five response sets (random, no response, extreme, and acquiescent), though the participants in the paper-and-pencil condition had a significantly greater number of uncodable responses. Knapp and Kirk (2003) randomly assigned undergraduates to complete a survey about personally sensitive information via one of three conditions (paper and pencil, the Internet, or automated touch-tone telephone response system). They found no statistically significant differences in responses among the three methods of survey administration. McCabe, Boyd, Couper, Crawford, and D'Arcy (2002) randomly assigned participants to Web-based survey and mail-based survey conditions addressing alcohol and other drug use. They found that response rates differed by racial and gender characteristics, though Webbased and mail-based groups did not differ significantly in their substantive responses to substance use questions. Hiskey and Troop (2002) studied posttrauma recovery responses. They reported that the characteristics of dropouts at varying time points in their longitudinal, Internetbased research were similar to those in conventional paper-and-pencil surveys. Cronk and West (2002) assigned participants to one of four con-
ditions in a 2 x 2 design of in-class versus takehome and Web-based versus pencil-and-paper conditions. They found no statistically significant differences in participants' scores, though the take-home, Web-based condition had the lowest response rate. Thus, the reliability of Internetmediated research is similar to data collected in other media, and response rates of Internetmediated surveys appear to most closely approximate the response rates of surveys administered by mail. The Internet and Personality Research If certain personality characteristics are associated with Internet usage, then the results of Internet-based research will be confounded by personality factors. Several studies have addressed this issue. Wolfradt and Doll (2001) examined the relation between a five-factor model of personality traits and personal and social factors theoretically related to Internet usage. They found that personal and social factors explained more variance in adolescents' Internet usage than did their global personality traits. Tuten and Bosnjak (2001) also used the five-factor model with college students. They found that Neuroticism and Openness to Experience varied with type of Internet usage (e.g., e-mail, chat room). Bonebrake (2002) found no personality differences in young adults who did versus did not form new relationships online. Swickert, Hittner. Harris, and Herring (2002) found only modest associations between personality and Internet usage, though personality dimensions appeared to moderate the relation between social support and type of Internet usage. Scealy, Phillips, and Stevenson (2002) reported that shyness and anxiety were unrelated to participants' use of e-mail or chat rooms. However, Amichae-Hamburger, Wainapel, and Fox (2002) found that introverted and neurotic participants were significantly more likely to locate their "real me" on the Internet, whereas extroverted and nonneurotic peers identified their "real me" in conventional social interactions. Hills and Argyle (2003, p. 59) found "remarkably few" associations between personality and Internet usage preferences after controlling for age and gender. In summary, there does not appear to be an association between global personality dimensions and preferences for Internet usage. However, some personality characteristics seem to be 79
Mathy, Kerr, and Haydin associated with various dimensions of Internet usage, particularly with regard to introversion and extroversion. This suggests that Internetmediated research has the potential to confound some areas of personality research, particularly in the domain of introversion and extroversion. However, the personality research reported to date suggests that social and personal factors explain much more of the variance in Internet usage than can be attributed to personality characteristics. More research with standardized instruments is needed to examine the potentially confounding effects of personality in various domains of Internet-mediated research. This may have particular relevance for studying personality disorders. Research Biases Internet-mediated research poses many of the same difficulties as offline research. In addition to representativeness, sampling bias, and respondent bias, editors and reviewers can introduce publishing biases that compromise the integrity of Internet-mediated research. Haphazardly administering a survey via the Internet is, perhaps, a little better than standing on a street corner and interviewing passersby. However, block sampling methods that use strategies conventionally used in offline research can yield a sample that is just as representative of the United States as unweighted samples obtained with random digit dialing conducted by professional polling organizations (Mathy et al., 2002). There are several methods of conducting rigorous online research, including cybersurvey, cyberethnography, and multimethod cyberresearch. Cybersurvey is defined as the administration of surveys via the Internet, including distribution by e-mail or electronic mailing lists, or posting the survey on a Web page. Cyberethnography is defined as online ethnographic research, including participant observation and interactive interviewing, usually in a chat room or via instant messaging. These methods have important conceptual as well as methodological differences. Cybersurvey is asynchronous and nomothetic. Cyberethnography is synchronous and idiographic. Multimethod cyberresearch combines conceptual and methodological approaches to obtain complementary quantitative data and qualitative information (see Mathy et al., 2002, for a more detailed description of these methods). As Mathy et al. (2002) emphasized, these
80
methodologies require the same investment of time and energy as offline research. The relative anonymity of the Internet appears to have provided researchers with a new way of contacting difficult-to-find participants. Moreover, Internetmediated research is more affordable than offline research, and it seems to be able to reach a far greater number of prospective participants in a shorter time period than offline methods. Peer reviewers and editors can introduce publishing bias by reflexively dismissing as unreliable or unscientific any sample obtained via Internet-mediated methods. It is incumbent upon the researcher to demonstrate the representativeness and scientific integrity of the sample. It is incumbent upon reviewers and editors to evaluate the methods objectively, without assuming Internet-mediated samples are unscientific. For example, Mathy et al. (2002) emphasized that their sample facilitated investigation of clinical questions (e.g., suicide attempts) without acquiring participants from a clinical venue. It should be noted that most experimental and laboratory research is not representative, and the scientific integrity of any study must consider the methodology's threats to validity and reliability. Many of the issues of Internet-mediated research extend to offline research. For example, although posing as another identity occurs via the Internet, respondents can readily misidentify themselves as a different age or gender in telephone and paper-and-pencil surveys. Potential misrepresentation of demographic data and unreliable responses is not an uncommon problem in clinical research. Standardized psychological instruments routinely include lie-detection items that help ascertain the probability of subtle and overt misrepresentation. Cooper et al. (2001) found the use of MMPI-like lie-detection items to be effective in Internet-mediated research. Notably, Cooper et al. found the same proportions of unreliable respondents in a sample of volunteers as in a sample of carefully selected participants (i.e., each 1,000th visitor to a Web site). They also found that sampling without replacement via the Internet yielded a response rate that approximated mail surveys (i.e., 25%). However, sampling with replacement via the Internet yielded a response rate that approximated random digit dialing (i.e., > 75%). Response rates provide an important threat to the validity of data. High nonresponse rates are indicative of sampling bias. In Internet-mediated
Special Issue: Methodological Considerations research, response rates can be determined by requesting a return receipt for e-mail to which a survey is attached. The response rate is then based on the proportion of returned surveys relative to return receipts. If the survey is proffered via a pop-up window, the response rate may be defined as the number who visited the description and informed consent page of a survey relative to those who replied to it. The latter method permits sampling with replacement. Prospective participants who close the pop-up window reflexively, without responding, are merely replaced by the next visitor in sequence, similar to a busy signal or automatic hang-up in random digit dialing. Systems analysts can readily program pop-up windows to appear at random or fixed intervals.
Ethical Considerations At a minimum, Internet-mediated researchers must pay close attention to the basic ethical principles of respect for autonomy and nonmaleficence (Beauchamp & Childress, 2001). The ethical principle of autonomy takes shape with informed consent, including risks and benefits of participation. A copy of a signed informed consent safeguards participants and researchers. Providing informed consent in Internet-mediated research requires appropriate protocols. Several examples are reviewed here. First, participants who express a willingness to participate in a survey may be asked to submit via e-mail a specific request for the research instrument (Mathy et al., 2002), articulating their understanding of the purpose of the research, its intensity and duration, and the risks and benefits of participation. Receipt of the e-mail request for the survey can then serve as the informed consent. Second, newer cybersurvey procedures permit the research instrument to be hosted on a Web page. This enables researchers to download answers into a database. Informed consent is provided on the first Web page. The Web page can be designed so that authorized participants must enter a unique password that acknowledges that they have read and understand the informed consent. Authorized participants obtain the password from designated professionals affiliated with the study. A third cybersurvey procedure includes nondisclosure of the Web page address containing the survey except to individuals who have been specifically invited to participate in the study. In
this case, the Web page may be programmed to require that a box has been checked, indicating that participants have given their informed consent, before survey questions are presented on subsequent Web pages. However, this is feasible only when the location of the Web page is specifically protected and the host page is not accessible by an Internet search engine. Another important consideration in Internetmediated research includes the rights of participants to rescind agreement to participation. There are no exceptions to the right to refuse participation in research, and the assent of minors and others adjudicated legally incompetent is required if they are able to provide it (World Medical Association, 2002, Helsinki Declaration, B.24). Informed consent is predicated on disclosure sufficient to comprehend the research being conducted. Such disclosure is essential if the participant is to take willful action that is independent of the control of the clinician, including withdrawal from research without reprisal (World Medical Association, 2002, Helsinki Declaration, B.22). Thus, the principle investigator must ensure that participants have valid and reliable ways of notifying them of a decision to rescind their participation. Pragmatically, this requires a receipt linking the participant to a specific case. In cybersurvey research (Mathy et al., 2002), the receipt number becomes the case number. Receipt numbers can be assigned as 16-bit hexadecimal globally unique identifiers (GUIDs) in a Windows operating environment (Cooper et al., 2001). The GUID effectively encrypts the participant's Internet service provider, computer, and username. The encrypted hexadecimal combination of numbers simultaneously provides a receipt, a case number, and precludes the participant from resubmitting a duplicate survey. The ethical principle of nonmaleficence requires researchers to refrain from conducting online research if participants might be harmed. It also requires researchers to take active steps to prevent harm. This would include, at a minimum, ensuring that the participant is using a computer and Internet connection with physical safeguards and password protection locks to prevent unauthorized disclosure of confidential clinical information that can be disseminated via the Internet. Internet-mediated research presents unprecedented risks for unauthorized access to confidential medical information. In part because of the recognition of these increasing risks, and in
81
Mathy, Kerr, and Haydin an attempt to protect the public from unauthorized disclosure of medical information, the 104th U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA; Health Insurance Portability and Accountability Act, 1996).
HIPAA and Safeguarding Internet-Mediated Research
HIPAA is possibly the most sweeping legislation since Medicare. It affects the ways in which the privacy and security of health information is stored and transmitted. Medical practices and business subject to HIPAA regulations are called "covered entities." They include health care providers, health care plans, and employers. Any information a covered entity creates or receives, including the past, present, or future physical or mental health of an individual; the provision of health care to an individual; and the past, present, or future payment of health care provided to an individual, is subject to HIPAA regulations. It applies to any protected health information (PHI), which refers to any health information that could reveal the identity of a patient (or participant), such as medical records or participant identification numbers, claims and payment information, and social security numbers. Civil penalties for violating HIPAA include $100 U.S. per violation. Criminal penalties for misappropriation or unauthorized disclosure can be up to $250,000 U.S. and 10 years incarceration per violation. The three main components to HIPAA legislation include electronic transactions, privacy, and security. These reflect standards for electronic transactions and code sets, the privacy of individually identifiable health information, and security, respectively. This section provides the reader with a general overview of each component as it relates to Internet-mediated research. Standards for Electronic Transactions and Code Sets The purpose of this group of regulations is to provide a uniform selection of diagnostic and service codes and to specify standard transaction formats. This was needed to simplify and streamline electronic communications between covered entities. It is anticipated that these standards will ultimately result in cost savings for most health care organizations. However, for the purposes of Internet-mediated research, the privacy and secu-
82
rity components of HIPAA are the most crucial and therefore receive substantially greater attention here. The Privacy Rule The HIPAA privacy rule is based on the need to protect the privacy of every individual's health information. It applies to health information in written, oral, electronic, and any other form. The term health information is broadly defined in HIPAA. The simplest operational definition for PHI is simply any health information that could reveal the identity of a patient, such as medical records, claims and payment information, or a social security number. In Internet-mediated research, there is substantial concern with granting unauthorized access to current and past clinical records. According to the privacy rule, patient or client PHI (such as treatment records) may not be disclosed to anyone but the patient or client. For example, it is unlawful to acknowledge an electronic request from a significant other about a client's current medication regimen. However, there are exceptions to the privacy rule. PHI can be disclosed if a covered entity's privacy notice explains that it may be disclosed to certain individuals (such as immediate family members) and in what manner such disclosures can take place (e.g., via e-mail). The privacy rule is the most far-reaching and important part of HIPAA regulations. It was enacted to protect individuals from discriminatory or wrongful use of their personal health information. The Security Rule The purpose of the security rule is to protect individual's PHI from destruction, loss, alteration, or unauthorized disclosure. The first goal of the security rule is to make sure that all researchers, employees, employers, and therapists are informed of the privacy rule. The second goal is to establish appropriate physical safeguards for PHI. This includes backup of data, controlling access to data, storage and disposal of data, and other procedures regarding electronic programs. The third goal is to develop technical security services and mechanisms for PHI. The security rule is a crucial part of Internet-mediated research. Failure to abide by both the HIPAA security and privacy rules may lead to catastrophic consequences, such as unauthorized dissemination of PHI via the Internet. Because this is the
Special Issue: Methodological Considerations most important security threat to Internet-mediated research, we provide several examples of instances in which these catastrophes actually have occurred. On June 27. 2001, a computer program created by an Eli Lilly employee e-mailed a notice that it was discontinuing its "Medi-Messenger" e-mail reminder service for Prozac, but the e-mail addresses of all 669 subscribers were listed among the intended recipients (in re. Eli Lilly & Co.. 2002). The University of Michigan Medical Center inadvertently stored the medical records of several thousand patients for 2 months on a publicly accessible Web site ("Black Eye at Med Center," 1999). The problem was discovered by a student searching the Web site for information about providers. The Washington Post ("Thieves Take More Than Laptops," 2000) also reported (on its front page) the theft of a physician's laptop during a medical conference; it contained private patient information. In another front-page incident, an Illinois woman's medical records were released without her authorization and then posted online with her photograph ("Woman Sues Over Posting." 2001). Ranging from inadvertent to malicious, these anecdotes are indicative of the ease with which unauthorized disclosures of confidential medical information can be—and have been—disseminated via the Internet.
Security Guidelines As illustrated above, physical safeguards of PHI are essential, including backup of data, controlling access to data, storage and disposal of data, and other procedures regarding electronic programs. First, all clinical participants' information kept on a computer should be encrypted and password protected. Access to the computer itself should be password protected. Patient information stored on personal digital assistants and laptops also should be hidden and password protected. Strong passwords, defined as those that are difficult to identify, are highly recommended. Computer programs can easily check every word in any language, in any combination, in just a few minutes. Strong passwords consist of at least 7 characters, using a combination of upper- and lowercase letters, with two or more numerals or punctuation marks. Examples of strong passwords include "mf*MI2!," "NA6dEJ," or "XX.e.5." Passwords should never be shared, and
they should be changed frequently. The more sensitive the information, the more frequently the password should be changed. In a highly sensitive environment (e.g., national security), the password should be changed at least every day. In a less sensitive environment (e.g., home computer without client information), the password should be changed at least every month. The most effective way to secure confidential client information when providing services online is to use a removable disk drive that is kept in a locked filing cabinet. The information should never be saved on a computer's hard drive, and the e-mail program used to send and receive email should be kept on the removable drive. It should nonetheless be encrypted and password protected, with the decoding password known only to the client or research participant and the clinician. A decryption password should never be used with more than one client or participant. The only way to ensure that confidential clinical participant information has been removed from a computer is to wipe (reformat) the hard drive, removable drive, or disk on which it has been stored. Noncommercially available software and equipment (e.g., that used by the National Security Administration and other intelligence agencies) actually can retrieve information even after the hard drive has been wiped. Therefore, in highly secure environments, such as conducting clinical research with military and civil service personnel, the disk should be crushed and burned after it has been wiped. It is equally important to minimize exposure to computer corruption in the form of viruses, bugs, or hackers. Each year, hundreds of viruses, worms, and Trojan horses are created that are designed to destroy, disable, or corrupt computers, maliciously spreading PHI across the Web or destroying it altogether. To minimize the risks of acquiring or transmitting these viruses, worms, and Trojan horses to clinical research participants, antivirus software and personal or corporate firewalls are essential. A good firewall provided by one's network will also decrease the risk of hackers gaining access to one's system. Indeed, the risks of inadvertently granting access to clinical participant data is so great that conducting clinical research online without these safeguards must be considered an ethical violation of conducting Internet-mediated research. The security of e-mail communication between researchers and participants, as well as clients
83
Mathy, Kerr, and Haydin and clinicians, is of the utmost importance. Email is vulnerable on delivery and storage. An e-mail can be intercepted anonymously, retrieved from a server that archives e-mails, or taken from the client who sent the e-mail or the client who received the e-mail. With due diligence, it is possible to limit risks and communicate privately and securely. By using a program called a "packet sniffer," it is possible to monitor all the information sent or received by one's computer (Posey, 2001). Without the ability to control how that information is sent, this form of vulnerability provides a substantial threat for Internet-mediated clinical research. Another threat to Internet-mediated clinical research exists on the system of either the sender or the receiver. Failure to erase or independently archive sent e-mail can compromise the confidentiality of clinical participant data. Once transmitted, e-mail cannot be retracted. The e-mail recipient may save or forward e-mail, posing another threat to the confidentiality of clinical participant data. In both instances, e-mail is easily accessed if the computer is compromised. Encryption of e-mail is a prudent and essential safeguard. This is typically done from within an e-mail client, and most commercial applications support the use of encryption keys. This is a highly effective method of protecting clinical research data. Because the e-mail is generated using the encryption key, even if the recipient's e-mail server archives the file, the integrity of its confidentiality is maintained. Every computer leaves behind a digital footprint of everywhere it has been online. Cookies, temporary files, and history files all give clues to the pages an individual has been viewing. Participants must be coached to clear their computers of this evidence (Mathy et al., 2002). Removing cookies, temporary files, and Web page visit history is easy, though not recommended for novice users. Programs are available that will safely and easily remove these files. Following the guidelines in this section will ensure that one is HIPAA compliant and decrease risks for legal liability in clinical research as well as practice. Moreover, we would argue that the risks inherent to conducting Internet-mediated research and practice suggest that existing ethical guidelines of professional mental health organizations are inadequate for ensuring the maintenance of client confidentiality. The risks inherent in conducting Internet-mediated research and
84
practice are simply not taught as part of the curriculum in psychology, counseling, or social work. Therefore, many (if not most) professional clinicians and clinical researchers will be unaware of the risks to clients' confidentiality when conducting online research and practice. This article, for example, required the collaboration of a clinical researcher with expertise in Internetmediated research, a professional with expertise in HIPAA compliance, and a senior software engineer. Regardless of whether a clinician can log on and reach out to clients via the Internet, the mere ability to send and receive e-mail and navigate the World Wide Web is a grossly insufficient basis on which to decide to provide clinical services or conduct clinical research online. Clinicians who are unable or unwilling to study computer science or computer systems for at least a semester prior to conducting Internet-mediated research (or practicing online) place their clinical participants (or clients) at considerable risk. As a tool to facilitate clinical research and practice, the Internet holds considerable promise. It also has the potential to do considerable harm if the clinical researcher is ill prepared to undertake the training and safeguards needed to ensure the fulfillment of the ethical principles to which they subscribe when conducting research or providing clinical services online. Ethical guidelines specific to Internet-mediated research and practice are needed to protect the public from researchers and clinicians who are unaware of the many risks to confidentiality that are endemic to this venue.
References ALLEMAN. J. R. (2002). Online counseling: The Internet and mental health treatment. Psychology: Theory/Research/ Practice/Training. 39, 199-209. American Association for the Advancement of Science. (2003). Science and technology information. Retrieved March 15, 2003, from http://www.aaas.org/international/ africa/sti.shtml AMICHAE-HAMBUROER, Y., WAINAPEL, G., & Fox, S. (2002). "On the Internet no one knows I'm an introvert": Extroversion, neuroticism, and Internet interaction. CyberPsychology and Behavior, 5, 125-128. BALLARD, C., & PRINE, R. (2002). Citizen perceptions of community policing: Comparing Internet and mail survey responses. Social Science Computer Review, 20, 485-493. BEAUCHAMP, T. L., & CHILDRESS, J. F. (2001). Principles of biomedical ethics (5th ed.). New York: Oxford University Press. Black eye at med center. (1999, February 22). The Washington Post. p. F5. BONEBRAKE, K. (2002). College students' Internet use, rela-
Special Issue: Methodological Considerations tionship formation, and personality correlates. CyberPsychology and Behavior, 5, 551-557. BUCHANAN, T. (2000). Online assessment: Desirable or dangerous? Professional Psychology: Research and Practice, 33, 148-154. Center for Communication Policy, University of California, Los Angeles. (2003). The UCIA Internet report: Surveying the digital future, year three. Retrieved March 15, 2003, from http://www.ccp.ucla.edu COOPER, A. (1998). Sexuality and the Internet: Surfing into the new millennium. CyberPsychology and Behavior, 1, 187-193. COOPER, A., SCHERER, C , & MATHY, R. M. (2001). Overcoming methodological concerns in the investigation of online sexual activities. CyberPsychology and Behavior, 4, 4V-441. CRONK, B. C , & WEST, J. L. (2002). Personality research on the Internet: A comparison of Web-based and traditional instruments in take-home and in-class settings. Behavior Research Methods, Instruments, and Computers, 34, 177-180.
other drug use data: Web and U.S. mail. Journal of Studies on Alcohol, 63, 755-761. PETTIT, F. A. (2002). A comparison of World-Wide Web and paper-and-pencil personality questionnaires. Behavior Research Methods, Instruments, and Computers, 34, 50-54. POSEY, B. M. (2001, May 15). Sniffing out packet sniffers. Earthweb. Retrieved April 29, 2003, from http:// networking.earthweb.com/netsecur/article.php/766671
L. (2001). Insuring sample equivalence across Internet and paper-and-pencil assessments. Computers in Human Behavior, 17, 339-346. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, August 21, 1996. Retrieved April 14, 2003, from http://aspe.hhs.gov/admnsimp/pll04191.htm HILLS, P., & ARGYLE, M . (2003). Uses of the Internet and their relationships with individual differences in personality. Computers in Human Behavior, 19, 59-70. HISKEY, S., & TROOP, N. A . (2002). Online longitudinal survey research: Viability and participation. Social Science Computer Review, 20, 250-259. In re. Eli Lilley & Co., No. 012-3214 (7th Cir., July 2002). KEGLEY, C . W., & WITTKOPF, E. R. (2001). World politics: Trend and transformation (8th ed.). Boston: Bedford/St. Martin's. KNAPP, H., & KIRK, S. A . (2003). Using pencil and paper, Internet and touch-tone phones for self-administered surveys: Does methodology matter? Computers in Human Behavior, 19, 117-134.
TRUELL, A., BARTLETT. J. E., & ALEXANDER, M. W. (2002).
SCEALY, M., PHILLIPS. J. G., & STEVENSON, R. (2002). Shy-
ness and anxiety as predictors of patterns of Internet usage. CyberPsychology and Behavior, 5, 507-515. SCHRNIDLEY, D. (2003). The foreign-born population in the United States, March 2002. In Current Population Reports (U. S. Census Bureau Publication No. P20-539). Washington, DC: U.S. Census Bureau.
SWICKERT, R. J.. HITTNER, .1. B„ HARRIS, J. L., & HERRING,
EPSTEIN, J., KLINKENBERG, W. D., WILEY, D., & MCKINLEY,
J. A. (2002). Relationship among Internet use, personality, and social support. Computers in Human Behavior, 18, 437-451. Thieves take more than laptops: Computers often hold irreplaceable, private data. (2000, November 5). The Washington Post, p. Al.
MATHY, R. M., SCHILLACE, M., COLEMAN, S. M., & BERQUIST,
Response rate, speed, and completeness: A comparison of Internet-based and mail surveys. Behavior Research Methods, Instruments, and Computers, 34, 46-49. TUTEN, T. L., & BOSNJAK, M. (2001). Understanding differences in Web usage: The role of need for cognition and the five factor model of personality. Social Behavior and Personality, 29, 391-398. U. S. Department of Commerce. (2002). A nation online: How Americans are expanding their use of the Internet. Retrieved March 15, 2003, from http://www. ntia.doc.gov/ ntiahome/dn WOLFRADT, U., & DOLL, J. (2001). Motives of adolescents to use the Internet as a function of personality traits, personal and social factors. Journal of Educational Computing Research. 24, 13-27. Woman sues over posting of abortion details. (2001, July 3). St. Louis Post-Dispatch, p. Al. World Medical Association. (2002). World Medical Association Declaration of Helsinki. Ethical principles for medical research involving human subjects. Ferney-Voltaire Cedex, France: Author.
B. E. (2002). Methodological rigor with Internet samples: New ways to reach underrepresented populations. CyberPsychology and Behavior, 5, 253-266.
MCCABE, S. E., BOYD, C. J., COUPER, M. P., CRAWFORD, S., &
D'ARCY. H. (2002). Mode effects for collecting alcohol and
YOSHINO, A., SHIGERMURA, J., KOBAYASHI, Y., NOMURA, S.,
SHISHIKURA, K„ DEN, R., et al. (2001). Telepsychiatry: Assessment of televideo psychiatric interview reliability with present- and next-generation internet infrastructures. Acta Psychiatrica Scandinavica, 104, 223-226.
85