November 19, 2001

Exposed Online: The federal health privacy regulation and Internet user impacts

Part 2: The New Federal Health Privacy Regulation

Introduction

Until the release of the federal health privacy regulation, there was little legal protection for health information – online or offline.  Unlike financial records, credit reports and even video rental records, there is no comprehensive federal law that protects the privacy of medical records.  For online activities, the FTC has the authority to prosecute Web sites that engage in unfair or deceptive practices, such as noncompliance with their own privacy policies.28  It remains to be seen whether the FTC will take action to challenge sites that say nothing or post poorly drafted privacy policies.29

HIPAA required HHS to issue health privacy regulations because Congress failed to enact such legislation by a legislative deadline.  After substantial public comment, the Department released the final regulation on December 20, 2000.  The privacy regulation was originally scheduled to go into effect on February 26, 2001, but was delayed due to an administrative oversight.30  On April 14, the Bush Administration allowed the regulation to go into effect but stated that future modifications were likely.  The compliance deadline is April 2003 for most of those covered by the regulation.

Who and What Are Covered

The privacy regulation is part of a package of regulations mandated by HIPAA that covers privacy, security and electronic transaction standards.  Taken together, these regulations are designed to facilitate the development of a uniform computer-based health information system.  HIPAA, however, imposed constraints on HHS’ rulemaking authority, limiting the scope of the privacy regulation.  The regulation does not apply to all persons or entities that have access to personal health information.  It only directly covers three different kinds of health care entities:

  • Providers, such as doctors, hospitals and pharmacists, who electronically transmit health claims related information31 in “standard format;”32
  • Health plans, such as traditional insurers and HMOs; and
  • “Clearinghouses,” entities that process health claims information in a uniform format for providers and insurers, such as WebMD Office.33

A person or organization that falls within one of these categories is considered to be a “covered entity.”34

This is a critical factor in determining whether health information is protected under the regulation.  Only individually identifiable health information35 that is transmitted or maintained by a covered entity is protected by the regulation (i.e., “protected health information”).  This is true regardless of the format of the information – electronic, paper or oral.

Most health Web sites are pitched publicly as tools that give consumers greater control over their lives and their health care.  However, many sites require users to provide a great deal of sensitive health information, and they also may collect information on users without the users’ knowledge or consent. 

The central issue addressed by this report is whether such activities are covered by HIPAA or not.  Our finding is that a significant portion of activities at health-related Web sites are not covered for several reasons.  The major reason is that a great many Web sites are run by organizations that are not “covered entities.”

In effect, the most popular Web sites, such as eDiets.com36 and drkoop.com,37 will remain uncovered by the privacy rule because they are not run by health plans (such as health insurers or HMOs) or covered health care providers.

The result is that the same activities conducted at different Web sites will be subject to different legal treatment.  Specific activities – ordering a prescription, getting a second opinion, consulting with a doctor, or even maintaining a medical record – may be covered by the new regulation at one Web site and unregulated at another. 

Additionally, even Web sites that are run by covered entities engage in diverse activities, many of which are not covered by HIPAA.  On these sites it will be difficult for consumers to know what activities are covered by HIPAA and what activities are not.

New Requirements

The federal health privacy rule creates new rights for individuals.  These rights translate into new responsibilities for some health Web sites that are required to comply with the rule.

1.         Access

The privacy regulation gives individuals a new federal legal right to see, copy and correct their own health information.  People will also have a right to an accounting of disclosures that have been made to others.  Covered entities will be required to respond to an individual’s request for access or amendment by a specific deadline (generally 30 days).  If the entity denies an individual’s requests, there are procedures for reviewing the denial.  Because of this new right, online consumers may notice changes in a covered health Web site’s privacy policy since these sites may need to develop new policies and procedures for handling requests. 

2.         Notice

The privacy regulation gives individuals a right to receive notice from covered Web sites as to how their health information is going to be used and shared.  Such notices will allow people to make informed, meaningful choices about the uses and disclosures of the health information they provide to Web sites.  Under the regulation, consumers must be informed of their rights with respect to their health information and how they may exercise these rights.  The notice must include information on anticipated uses and disclosures of personal health information without the individual’s written permission as well as the legal duties of the covered entity.  Individuals also must be given the name of a contact person at the Web site who will answer queries and provide information on how they can file complaints with the covered entity and HHS.

Because individuals must be given notice of their rights and the new privacy protections, some Web sites will likely have to change their current privacy policies to satisfy federal requirements.  A 1999 study of twenty-one leading health-related Web sites had found that the policies and practices of many of the sites did not meet minimum fair information practices.38  Following the release of the report, several members of Congress requested the FTC to immediately initiate an investigation of whether certain health Web sites may be engaged in “unfair or deceptive acts or practices.”39  Nine months later, the FTC closed its investigation, concluding that the sites had made a number of improvements in their privacy policies, although further steps could be taken to develop meaningful privacy protections for consumers.40  Some of the sites mentioned in the 1999 report, such as drugstore.com,41 will be required to comply with the notice requirements of the privacy rule by April 2003.    

3.         Administrative Requirements

Consumers also benefit from the new regulation’s administrative requirements. Under the privacy rule, a covered entity will be required to designate a privacy official to develop and implement the entity’s policies and procedures;42 train its employees; implement administrative, technical and physical safeguards;43 develop a method for handling complaints; and develop sanctions for members of its workforce who fail to comply with its privacy policies or procedures or with the requirements of the rule.  The regulation imposes such requirements to ensure that the appropriate members of the covered entity are familiar with and comply with the privacy rule, and that covered entities will be held accountable for the actions of their employees.

Restrictions on Use and Disclosure

The new regulation places restrictions on how a covered entity can use and share personal health information with others.  In general, the rule prohibits a covered entity from using or sharing a patient’s health information unless the covered entity either has the patient’s written permission or the regulation specifically allows the use or disclosure.44

1.         Treatment, Payment and Health Care Operations

One of the most significant restrictions on covered health care providers, whether bricks and mortar or Internet-based, is the requirement that they obtain patients’ written permission to use or disclose their health information for treatment, payment, or health care operations.  For example, both the local bricks and mortar CVS drug store and CVS.com45 will be required to obtain written permission to use an individual’s information to fill her prescription.  In contrast, an online pharmacy that fills the same prescription but is not covered by the regulation, such as ABeeWell Pharmacy,46 would not be required to obtain the patient’s written permission since it does not accept insurance.47

2.         Business Associates

Health plans and providers routinely hire other companies and consultants to perform a wide variety of functions for them, such as legal, financial and administrative services (the privacy rule refers to these as “business associates”).  They receive health information on behalf of or from a covered entity.  In general, they are not directly covered by the privacy regulation. 

To ensure that privacy protections follow the data, the privacy rule requires that covered entities enter into contracts with business associates that require the recipients of health information not to use or disclose the information other than as permitted or required by the contract or as required by law, and to implement appropriate safeguards to prevent inappropriate uses and disclosures.  The regulation establishes specific conditions on when and how covered entities may share information with business associates.48  However, the business associate is not directly subject to the privacy rule. Rather, it is the covered entity that is liable for violations of the contract, and then only if it had actual knowledge of the breach yet did nothing to remedy it.49

3.         Marketing

One of the more controversial aspects of the privacy rule is that it permits the use of health information for marketing purposes without the patient’s affirmative, informed permission.50 Once a patient has given written permission to use her health information for “treatment, payment and health care operations” purposes, a provider (such as an online pharmacist) can then use her health information to market its own products and services as well as those of third parties.  There is no requirement that this consent form notify the patient that by signing the form she is giving permission to use her information for marketing purposes.  Furthermore, the provider may condition the provision of treatment, such as filling a prescription, on the patient’s signing this form.  In its initial marketing contact, the provider must give the patient the opportunity to opt out of receiving such materials in the future.  This scheme essentially gives providers “one free shot” at marketing without a patient’s informed permission.

For example, CVS or CVS.com could compile a list of Prozac consumers and send them marketing information about an alternative anti-depressant on behalf of a pharmaceutical company, so long as the initial marketing information told patients that they could decline future marketing materials.51 The privacy rule draws the line, however, at sharing information with others for marketing purposes.  It does not permit covered entities to share customer information with other parties for marketing unless the patient has signed another, detailed form stating that she gives permission for her information to be shared in this manner.  For instance, CVS could not sell its list of Prozac users to the pharmaceutical company or to a telemarketer without all of the patients’ specific permission to use and share their information for marketing.  In contrast, an online pharmacy that is not covered by the regulation can compile and sell patient lists, subject only to the restrictions of its own privacy policy.

Enforcement and Penalties

HIPAA establishes civil and criminal penalties for violations of the privacy regulation.  Civil penalties range from $100 to a maximum of $25,000 per year for each standard that is violated.  Criminal penalties are imposed for certain wrongful disclosures of health information with a maximum of 10 years imprisonment and/or a $250,000 penalty, depending on the offense committed. 

There is no federal statutory right for a patient to sue under the regulation but it does create a new federal “duty of care” with respect to health information. That means violations of the privacy rule may be grounds for state tort actions. 

Any person who believes a covered entity is not complying with the privacy rule also may file a complaint with the Secretary of HHS.  Covered Web sites will be required to cooperate with HHS and to provide records and compliance reports to the Department.  The Office for Civil Rights at HHS has been given the authority to enforce the regulation.

  1. The FTC found in its May 2000 study that about 40 percent of commercial Web sites do not have privacy policies or post poorly drafted privacy policies. Privacy Online: Fair Information Practices in the Electronic Marketplace, Federal Trade Commission Report to Congress (May 2000); health Web sites are more likely than non-health related sites to post privacy policies, and indeed many health Web sites do have privacy policies. See Goldman et al., supra note 10.
  2. FTC Chairman Timothy J. Muris recently stated that the FTC plans to abandon pursuit of online privacy bills but will increase funds for agency enforcement by 50% in the next year. See John Schwartz, “F.T.C. Plans to Abandon New Bills on Privacy,” N.Y. Times, Oct. 3, 2001, at C5; Edmund Sanders, “FTC to Drop Push for More Privacy Laws,” L.A. Times, Oct. 2, 2001, at C1.
  3. Before major regulations can take effect, they must be formally submitted to Congress for review, which is usually done at the same time that the regulation is published in the Federal Register. The privacy regulation, however, was not sent to Congress until February 13, about six weeks after the regulation was published, so the effective date was postponed until April. See Robert Pear, “Health Secretary Delays Medical Records Protections,” N.Y. Times, Feb. 27, 2001, at A18.
  4. Some of the electronic transactions that trigger a provider’s classification as a covered entity include: health claims or equivalent encounter information, enrollment or disenrollment in a health plan; determining eligibility for a health plan; health care payment and remittance advice; and referral certification and authorization. HIPAA, Public Law 104-191, Section 1173, available at http://aspe.hhs.gov/admnsimp/pl104191.htm. All of these transactions are related to health insurance-type transactions.
  5. Health care providers and health plans currently use many different formats to conduct administrative and financial health care transactions electronically. To reduce health care costs and administrative burdens on providers and plans, HIPAA requires HHS to adopt national standards for such transactions. “Standard format” is used throughout this report to refer to the national formats for electronic health care data interchange, which health plans, health care clearinghouses and certain health care providers will be required to comply with by October 2002. For more information about the transaction standards, visit the HHS Administrative Simplification Web site at http://aspe.hhs.gov/admnsimp/bannertx.htm.
  6. See http://professional-content.webmd.com/Article.asp?article=article://3834.1081&AuthLevel=2
  7. Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) § 160.103. The Privacy Rule has been codified at Title 45 of the Code of Federal Regulations. It is available at http://www.hhs.gov/ocr/regtext.html.
  8. Individually identifiable health information as defined in the privacy rule is information that is a subset of health information, including demographic information collected from an individual, and:
    (1) is created or received by a health care provider, health plan, employer or health care clearinghouse; and
    (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and
    (i) that identifies the individual; or
    (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

    Privacy Rule, § 164.501, available at http://www.hhs.gov/ocr/regtext.html.

  9. http://www.ediets.com
  10. http://www.drkoop.com
  11. Goldman et al., supra note 10.
  12. Letter from members of Congress to the Honorable Robert Pitofsky, Chairman of the FTC (Feb. 2, 2000), available at http://www.house.gov/commerce_democrats/press/106ltr84.htm.
  13. See letter from C. Lee Peeler, Associate Director, FTC, to Benham Dayanim, Esq., Paul, Hastings, Janofsky & Walker LLP, regarding investigation of HealthCentral.com (Nov. 17, 2000); letter from C. Lee Peeler, Associate Director, FTC, to Sharis A. Pozen, Esq., Hogan & Hartson LLP, regarding the investigation of Healtheon/WebMD (Nov. 17, 2000); letter from C. Lee Peeler, Associate Director, FTC, to Sharis A. Pozen, Esq., Hogan & Hartson LLP, regarding the investigation of OnHealth Network Company (Nov. 17, 2000); letter from C. Lee Peeler, Associate Director, FTC, to Sharis A. Pozen, Esq., Hogan & Hartson LLP, regarding the investigation of WellMed, Inc. (Nov. 17, 2000); letter from C. Lee Peeler, Associate Director, FTC, to Mary Ellen Callahan, Esq., Hogan & Hartson LLP, regarding the investigation of iVillage, Inc. (allHealth.com) (Nov. 17, 2000); and letter from C. Lee Peeler, Associate Director, FTC, to Susan P. Crawford, Esq., Wilmer, Cutler & Pickering, regarding the investigation of Yahoo! Inc. (Nov. 17, 2000). The letters are available on the FTC Web site at http://www.ftc.gov/os/closings/staff/index.htm.
  14. http://www.drugstore.com.
  15. Privacy Rule, § 164.530(a), available at http://www.hhs.gov/ocr/regtext.html.
  16. For example, to protect identifiable information maintained at a Web site, a covered entity might develop a secure password system and encrypt data to protect the information transmitted from one computer to another or through a network.
  17. The regulation provides for two distinct types of patient permission – “consent” and “authorization.” A health care provider (such as a doctor, hospital or pharmacist) must obtain a patient’s consent before using or disclosing her health information for treatment, payment or health care operations. A provider may condition providing treatment on a patient’s signing the consent form. In contrast, any covered entity must obtain a patient’s authorization (a more detailed, specific permission form) to use or disclose health information for a purpose other than treatment, payment, and health care operations that is not otherwise specifically permitted by the privacy rule. For instance, a provider would need a patient’s authorization to disclose health information to a life insurer. See Privacy Rule, §§ 164.506 and 164.508, available at http://www.hhs.gov/ocr/regtext.html.
  18. http://www.cvs.com
  19. http://www.abeewell.com.
  20. Because these online pharmacies do not accept any insurance, it is unlikely that they engage in the type of HIPAA standard transaction that would trigger application of the privacy regulation to its online activities. See discussion on covered Web sites infra Part III.
  21. Privacy Rule, § 164.504(e)(2), available at http://www.hhs.gov/ocr/regtext.html.
  22. While health care clearinghouses are directly covered by the privacy regulation, in many cases they will be acting on behalf of a provider or insurer, and therefore would be considered business associates of that provider or insurer as well. However, they will be directly liable for violations of the business associate contract and thus violations of the regulation.
  23. “Marketing” is a communication about a product or service that is intended to encourage recipients of the communication to purchase or use the product or service. The definition generally excludes communications that are part of the normal treatment activities of a health care provider. Marketing generally excludes communications that are made to individuals to describe health plans or health benefits. It also excludes communications that are made within the context of treating the individual for the purpose of treatment or for directing or recommending to the individual alternative treatments, providers or settings. However, if such a communication is in writing and the provider receives remuneration it is considered to be a marketing activity. Privacy Rule, § 164.501, available at http://www.hhs.gov/ocr/regtext.html.
  24. There are also other requirements, such as the communication must identify the source of the marketing material. Privacy Rule, § 164.514(e), available at http://www.hhs.gov/ocr/regtext.html.