November 19, 2001

Exposed Online: The federal health privacy regulation and Internet user impacts

Key Findings and Overview

The new federal health privacy regulation does not apply to most health Web sites.

As part of the Health Insurance Portability and Accountability Act of 1996, Congress included provisions, known as Administrative Simplification, that are intended to facilitate the development of a uniform, computer-based health information system.  Recognizing that privacy is an essential component of that system, Congress included a requirement that if it failed to enact health privacy legislation by a legislative deadline, then the Department of Health and Human Services would be required to issue health privacy regulations.  However, it imposed constraints on the Department’s rulemaking authority, so the federal regulation applies only to three types of health care entities: health care providers, health plans and health care clearinghouses.  Many health Web sites are not owned or operated by one of these three types of entities.  Therefore, while online health care activities that are already conducted offline by a “covered” health care provider or plan will likely be covered by the privacy rule, many other types of health Web sites will fall outside the scope of the rule.

Different rules may apply to different Web sites offering the same services.

Because only Web sites that fit within the definition of a “covered entity” are required to comply with the privacy regulation, specific activities like filling a prescription, receiving e-mail alerts or getting a second opinion may be covered by the new regulation at one site and unregulated at another.

Even at Web sites that are owned or operated by organizations covered by the privacy regulation, it is ambiguous which activities at those sites are subject to the privacy rule.  

Many Web sites provide a variety of services, some of which are not considered “health care” functions under the regulation.  It is not clear in many cases what activities, even at “covered” sites, may fall outside the scope of the regulation.  Consumers may engage in online health activities with the expectation that the personal information they provide to specific health Web sites is protected when, in fact, there are no privacy protections afforded by the federal regulation.  The burden will be on consumers and Web site operators to determine which Web sites must comply with the regulation.


Overview

Individuals share a great deal of personal and sensitive health information in the course of obtaining health care, yet there is little legal protection for health information – online or offline.  A substantial barrier to improving the quality of care and access to care is the lack of enforceable privacy rules.  In the absence of federal health privacy laws, people have suffered job loss, loss of dignity, discrimination, and stigma.  To shield themselves from what they consider harmful and intrusive uses of their health information, individuals have engaged in privacy-protective behaviors, such as providing incomplete information, thereby putting themselves at risk from undiagnosed, untreated conditions.  The lack of complete and accurate health information on patients impacts the community as well.  Health care information used for important research and public health initiatives downstream becomes unreliable and incomplete.

Congress recognized the importance of protecting people’s medical records when it passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  HIPAA requires the Secretary of the U.S. Department of Health and Human Services (HHS) to issue regulations if Congress failed to enact comprehensive privacy legislation.  HHS issued a landmark federal health privacy regulation in December 2000.  Health care entities have until April 2003 to implement the new rule.  While this regulation is an important step toward boosting the public trust and confidence in our nation’s health care system, its application is limited.  Due to constraints on the Department’s rulemaking authority, the regulation does not cover a significant portion of the health-related activities that take place online.

eHealth is touted as the future of health care, promising to transform the way health care entities conduct business and change the way patients relate to their health care providers.  More than sixty-five million American Internet users have sought health and medical information online, and a study last fall by the Pew Internet & American Life Project showed that a significant number of them use this information to make important decisions about medical care for themselves and loved ones.1 The Internet allows for online communication and for the collection, storage and transfer of consumer health information.  These are important features particularly during national emergencies, such as the recent terrorist attacks in New York City and Washington, D.C., when physicians require immediate access to medical information.  However, while the Internet can be a powerful tool in the delivery of health care, it also enables online services to collect and distribute highly sensitive information in new ways, and it can leave such information vulnerable to security breaches.

The HIPAA privacy regulation makes no distinction between health care online and offline.  Hence, some Web sites will be covered by the regulation, and consumers will benefit from the new privacy protections required of these sites.  Under this first-ever federal health privacy regulation, consumers have a right to inspect and copy their own health information (a right that currently exists only in about half of the states).  Consumers will receive notice about how their personal health information will be used and shared with others and what options they have to restrict disclosures.  They will have the right to limit disclosures in many circumstances.  Furthermore, the regulation creates a new “duty of care” with respect to health information, so in addition to the penalties that can be imposed by HHS, it is possible that violations of the regulation may be grounds for state tort actions.

Our analysis of the HIPAA regulation’s impact on eHealth, however, shows that many who engage in online health activities will fall outside the scope of the regulation.  We believe that the application of the regulation on the Internet will be highly uneven.  Individuals may assume that their health information is protected when it is not.  Continued diligence will be required of those online consumers who value their privacy.  Consumers will need to be educated about the limits of the new regulation and empowered to safeguard their most sensitive health information online.

This report is intended to help consumers, health professionals, and policy makers understand how the new federal regulation covers – and does not cover – consumer-oriented health Web sites and Internet-based health care.  This report also comments on what new standards will be required for those sites covered by the regulation.  The examples used in this report will highlight particular aspects of online health care activities; however, it is important to note that many health Web sites perform numerous functions and therefore do not fit neatly into specific categories.