Introduction
Until the release of the federal health privacy regulation, there was little legal protection for health information – online or offline. Unlike financial records, credit reports and even video rental records, there is no comprehensive federal law that protects the privacy of medical records. For online activities, the FTC has the authority to prosecute Web sites that engage in unfair or deceptive practices, such as noncompliance with their own privacy policies.28 It remains to be seen whether the FTC will take action to challenge sites that say nothing or post poorly drafted privacy policies.29
HIPAA required HHS to issue health privacy regulations because Congress failed to enact such legislation by a legislative deadline. After substantial public comment, the Department released the final regulation on December 20, 2000. The privacy regulation was originally scheduled to go into effect on February 26, 2001, but was delayed due to an administrative oversight.30 On April 14, the Bush Administration allowed the regulation to go into effect but stated that future modifications were likely. The compliance deadline is April 2003 for most of those covered by the regulation.
Who and What Are Covered
The privacy regulation is part of a package of regulations mandated by HIPAA that covers privacy, security and electronic transaction standards. Taken together, these regulations are designed to facilitate the development of a uniform computer-based health information system. HIPAA, however, imposed constraints on HHS’ rulemaking authority, limiting the scope of the privacy regulation. The regulation does not apply to all persons or entities that have access to personal health information. It only directly covers three different kinds of health care entities:
- Providers, such as doctors, hospitals and pharmacists, who electronically transmit health claims related information31 in “standard format;”32
- Health plans, such as traditional insurers and HMOs; and
- “Clearinghouses,” entities that process health claims information in a uniform format for providers and insurers, such as WebMD Office.33
A person or organization that falls within one of these categories is considered to be a “covered entity.”34
This is a critical factor in determining whether health information is protected under the regulation. Only individually identifiable health information35 that is transmitted or maintained by a covered entity is protected by the regulation (i.e., “protected health information”). This is true regardless of the format of the information – electronic, paper or oral.
Most health Web sites are pitched publicly as tools that give consumers greater control over their lives and their health care. However, many sites require users to provide a great deal of sensitive health information, and they also may collect information on users without the users’ knowledge or consent.
The central issue addressed by this report is whether such activities are covered by HIPAA or not. Our finding is that a significant portion of activities at health-related Web sites are not covered for several reasons. The major reason is that a great many Web sites are run by organizations that are not “covered entities.”
In effect, the most popular Web sites, such as eDiets.com36 and drkoop.com,37 will remain uncovered by the privacy rule because they are not run by health plans (such as health insurers or HMOs) or covered health care providers.
The result is that the same activities conducted at different Web sites will be subject to different legal treatment. Specific activities – ordering a prescription, getting a second opinion, consulting with a doctor, or even maintaining a medical record – may be covered by the new regulation at one Web site and unregulated at another.
Additionally, even Web sites that are run by covered entities engage in diverse activities, many of which are not covered by HIPAA. On these sites it will be difficult for consumers to know what activities are covered by HIPAA and what activities are not.
New Requirements
The federal health privacy rule creates new rights for individuals. These rights translate into new responsibilities for some health Web sites that are required to comply with the rule.
1. Access
The privacy regulation gives individuals a new federal legal right to see, copy and correct their own health information. People will also have a right to an accounting of disclosures that have been made to others. Covered entities will be required to respond to an individual’s request for access or amendment by a specific deadline (generally 30 days). If the entity denies an individual’s requests, there are procedures for reviewing the denial. Because of this new right, online consumers may notice changes in a covered health Web site’s privacy policy since these sites may need to develop new policies and procedures for handling requests.
2. Notice
The privacy regulation gives individuals a right to receive notice from covered Web sites as to how their health information is going to be used and shared. Such notices will allow people to make informed, meaningful choices about the uses and disclosures of the health information they provide to Web sites. Under the regulation, consumers must be informed of their rights with respect to their health information and how they may exercise these rights. The notice must include information on anticipated uses and disclosures of personal health information without the individual’s written permission as well as the legal duties of the covered entity. Individuals also must be given the name of a contact person at the Web site who will answer queries and provide information on how they can file complaints with the covered entity and HHS.
Because individuals must be given notice of their rights and the new privacy protections, some Web sites will likely have to change their current privacy policies to satisfy federal requirements. A 1999 study of twenty-one leading health-related Web sites had found that the policies and practices of many of the sites did not meet minimum fair information practices.38 Following the release of the report, several members of Congress requested the FTC to immediately initiate an investigation of whether certain health Web sites may be engaged in “unfair or deceptive acts or practices.”39 Nine months later, the FTC closed its investigation, concluding that the sites had made a number of improvements in their privacy policies, although further steps could be taken to develop meaningful privacy protections for consumers.40 Some of the sites mentioned in the 1999 report, such as drugstore.com,41 will be required to comply with the notice requirements of the privacy rule by April 2003.
3. Administrative Requirements
Consumers also benefit from the new regulation’s administrative requirements. Under the privacy rule, a covered entity will be required to designate a privacy official to develop and implement the entity’s policies and procedures;42 train its employees; implement administrative, technical and physical safeguards;43 develop a method for handling complaints; and develop sanctions for members of its workforce who fail to comply with its privacy policies or procedures or with the requirements of the rule. The regulation imposes such requirements to ensure that the appropriate members of the covered entity are familiar with and comply with the privacy rule, and that covered entities will be held accountable for the actions of their employees.
Restrictions on Use and Disclosure
The new regulation places restrictions on how a covered entity can use and share personal health information with others. In general, the rule prohibits a covered entity from using or sharing a patient’s health information unless the covered entity either has the patient’s written permission or the regulation specifically allows the use or disclosure.44
1. Treatment, Payment and Health Care Operations
One of the most significant restrictions on covered health care providers, whether bricks and mortar or Internet-based, is the requirement that they obtain patients’ written permission to use or disclose their health information for treatment, payment, or health care operations. For example, both the local bricks and mortar CVS drug store and CVS.com45 will be required to obtain written permission to use an individual’s information to fill her prescription. In contrast, an online pharmacy that fills the same prescription but is not covered by the regulation, such as ABeeWell Pharmacy,46 would not be required to obtain the patient’s written permission since it does not accept insurance.47
Health plans and providers routinely hire other companies and consultants to perform a wide variety of functions for them, such as legal, financial and administrative services (the privacy rule refers to these as “business associates”). They receive health information on behalf of or from a covered entity. In general, they are not directly covered by the privacy regulation.
To ensure that privacy protections follow the data, the privacy rule requires that covered entities enter into contracts with business associates that require the recipients of health information not to use or disclose the information other than as permitted or required by the contract or as required by law, and to implement appropriate safeguards to prevent inappropriate uses and disclosures. The regulation establishes specific conditions on when and how covered entities may share information with business associates.48 However, the business associate is not directly subject to the privacy rule. Rather, it is the covered entity that is liable for violations of the contract, and then only if it had actual knowledge of the breach yet did nothing to remedy it.49
One of the more controversial aspects of the privacy rule is that it permits the use of health information for marketing purposes without the patient’s affirmative, informed permission.50 Once a patient has given written permission to use her health information for “treatment, payment and health care operations” purposes, a provider (such as an online pharmacist) can then use her health information to market its own products and services as well as those of third parties. There is no requirement that this consent form notify the patient that by signing the form she is giving permission to use her information for marketing purposes. Furthermore, the provider may condition the provision of treatment, such as filling a prescription, on the patient’s signing this form. In its initial marketing contact, the provider must give the patient the opportunity to opt out of receiving such materials in the future. This scheme essentially gives providers “one free shot” at marketing without a patient’s informed permission.
For example, CVS or CVS.com could compile a list of Prozac consumers and send them marketing information about an alternative anti-depressant on behalf of a pharmaceutical company, so long as the initial marketing information told patients that they could decline future marketing materials.51 The privacy rule draws the line, however, at sharing information with others for marketing purposes. It does not permit covered entities to share customer information with other parties for marketing unless the patient has signed another, detailed form stating that she gives permission for her information to be shared in this manner. For instance, CVS could not sell its list of Prozac users to the pharmaceutical company or to a telemarketer without all of the patients’ specific permission to use and share their information for marketing. In contrast, an online pharmacy that is not covered by the regulation can compile and sell patient lists, subject only to the restrictions of its own privacy policy.
Enforcement and Penalties
HIPAA establishes civil and criminal penalties for violations of the privacy regulation. Civil penalties range from $100 to a maximum of $25,000 per year for each standard that is violated. Criminal penalties are imposed for certain wrongful disclosures of health information with a maximum of 10 years imprisonment and/or a $250,000 penalty, depending on the offense committed.
There is no federal statutory right for a patient to sue under the regulation but it does create a new federal “duty of care” with respect to health information. That means violations of the privacy rule may be grounds for state tort actions.
Any person who believes a covered entity is not complying with the privacy rule also may file a complaint with the Secretary of HHS. Covered Web sites will be required to cooperate with HHS and to provide records and compliance reports to the Department. The Office for Civil Rights at HHS has been given the authority to enforce the regulation.