More health-related information is being collected and shared about individuals than ever, and until the release of the federal health privacy regulation in December 2000, there were almost no federal legal limits on how this information could be used and disclosed. By focusing on electronic transactions, the privacy regulation required by HIPAA aimed to give consumers confidence that, as the health information system moved to a networked, electronic, computer-based system, their most sensitive health information would be protected. However, the HIPAA rule applies only to health plans, health care providers and health care clearinghouses, so it may create an illusion of legal protection that lulls consumers into a false sense of security when they engage in online health activities. Consumers may believe that the personal information they provide to health Web sites is protected by the new regulation when in fact many Web sites will remain unregulated.
The extent to which the new federal health privacy regulation will impact eHealth will depend largely on whether or not a Web site or Internet service is affiliated with or controlled by a covered entity and whether that site or service collects identifiable health information. Web sites not associated with a provider, plan or clearinghouse and not acting on behalf of these entities will fall outside the scope of the regulation. Personal health information collected and maintained by these sites, therefore, will be left unprotected by the federal regulation.[76] Given the wide range of activities on the Internet and the relatively narrow scope of the regulation, it is likely that a great deal of health information collected on health Web sites will not be covered by the new regulation.
Some sites have responded to the public’s concern regarding privacy and security on the Internet through self-regulation. To head off possible federal Internet privacy legislation, several professional organizations and trade associations have developed or are developing standards and seal programs to address privacy, security and quality on the Internet.[77] However, compliance is voluntary and there are few, if any, enforcement mechanisms. Furthermore, a survey conducted by Cyber Dialogue and the Institute for the Future shows that the presence of a seal of approval from an Internet trade group, such as TRUSTe, does not have an impact – positive or negative – on consumer willingness to submit health information online,[78] although an accreditation seal would increase consumer trust in health Web sites.[79]
People often believe they are invisible and anonymous online, but they are often exposing their most sensitive health information to online health care sites that are not required by law to protect the information or keep it confidential. The potential for abuse is enormous.