November 19, 2001

Federal health privacy regulation does not cover most Internet medical searches, services, or purchases

65 million Americans have sought health care information on the Internet
Most online health activities are not covered by HIPAA

WASHINGTON - Path-breaking new federal rules designed to protect the medical privacy of Americans will not guard the privacy of Internet users when they engage in the most common e-health activities online.

The Health Insurance Portability and Accountability Act (HIPAA) regulations recently issued by the U.S. Department of Health and Human Services provide the first-ever legal protections to some kinds of health-related information. However, the rules only apply to Web sites that are run by health care providers such as a hospital or doctor's office; health insurance plans such as Aetna U.S. Healthcare or Kaiser Permanente; or health care clearinghouses that process health insurance claims information in a uniform format for providers and insurers, such as WebMD Office.

The vast majority of health Web sites are not operated by such firms, which means that there will be no federal protections for those who use them. Thus, commonplace activities may not be covered by the federal rules. For example, online Americans using these kinds of sites will not have any personal information protected by the federal regulations:

  • Web sites providing information about general fitness and nutrition (e.g., www.foodfit.com), medical conditions (e.g., www.drkoop.com), and treatment options (e.g., www.medigenesis.com).
  • Web sites selling drugs without a prescription.
  • Online mental health counseling sites that accept only credit card payments.
  • Pharmaceutical company Web sites.

The Health Privacy Project conducted an analysis of the new regulations, with funding and research assistance from the Pew Internet & American Life Project. The report is entitled, “Exposed Online: Why the new federal health privacy regulation doesn't offer much protection to Internet users.”

Specific activities like filling a prescription, receiving e-mail alerts, or getting a second opinion may be covered by the new regulation at one site and unregulated at another. The burden will be on consumers and Web site operators to determine which Web sites must comply with the regulation.

“Sixty-five million Americans have gone online for health information,” says Susannah Fox, director of research at the Pew Internet Project. “These Internet users are often more concerned about getting quick and accurate advice than checking a Web site's privacy policy. They are doing their best to care for their loved ones and just hoping they won't get burned. Many probably assume that the personal information they provide to health Web sites is covered by the new regulation – and they are wrong.”

More health-related information is being collected and shared about individuals than ever, and until the release of the federal health privacy regulation in December 2000, there were almost no federal legal limits on how this information could be used and disclosed. By focusing on electronic transactions, the privacy regulation required by HIPAA aimed to give consumers confidence that as the health information system moved to a networked, electronic, computer-based system, their most sensitive health information would be protected.

However, since the HIPAA rule only applies to a narrow group of sites, it may create an illusion of legal protection that may lull consumers into a false sense of security when they engage in online health activities.

“People often believe they are invisible and anonymous online, but in reality they are exposing their most sensitive health information to Web sites that are not required by law to protect the information or keep it confidential,” says Janlori Goldman, director of the Health Privacy Project. “The potential for abuse is enormous.”

About the Pew Internet & American Life Project

The Pew Internet & American Life Project is a non-profit initiative fully funded by The Pew Charitable Trusts. The Project creates original research that explores the impact of the Internet on children, families, communities, health care, schools, the workplace, and civic/political life. The Pew Internet & American Life Project aims to be an authoritative source for timely information on the Internet's growth and societal impact, through research that strives to be impartial. For more information, please visit our Web site: http://www.pewinternet.org/.

About the Health Privacy Project

The Health Privacy Project is a part of the Institute for Health Care Research and Policy at Georgetown University. The Health Privacy Project is dedicated to raising public awareness of the importance of ensuring health privacy in order to improve health care access and quality, on both an individual and a community level. It is funded primarily by the Open Society Institute, the W.K. Kellogg Foundation, the California HealthCare Foundation, the Trellis Fund, the Pew Internet & American Life Project, the Robert Wood Johnson Foundation and the Deer Creek Foundation. For more information, please visit our Web site: http://www.healthprivacy.org.