November 19, 2001

Exposed Online: The federal health privacy regulation and Internet user impacts

Part 4: Partially Covered and Indirectly Covered Web Sites

Sites with Multiple Activities

As covered entities establish an online presence, their online collection and transmission of personal health information will be regulated by the privacy rule.  Even if a company is a covered entity, however, it is not obvious whether all information collected by the entity at its Web site is covered.  Most health-related Web sites engage in a number of different activities, from providing general educational health information to allowing patients to review test results online.  Only some of these activities will be protected by the privacy regulation.  For example, drugstore.com sells both drugs pursuant to a prescription and over-the-counter products.  While information related to the prescription drug will be covered by the privacy regulation, information related to the over-the-counter product will not.  The privacy rule covers only identifiable information related to “health care.”  This term does not include selling or distributing non-prescription health care items.

This scenario could pose serious concerns for some online patients.  Consumers often use the Internet to purchase health items with the belief that their purchase will be anonymous.47 Drugstore.com, for example, sells sexual enhancement items that a customer would find difficult to locate in a brick-and-mortar pharmacy.48 Yet information related to these over-the-counter items is not protected by the privacy rule.  For instance, an HIV/AIDS patient can purchase AZT and condoms at Drugstore.com in one transaction and have them both shipped at the same time.  Yet only the information related to the AZT purchase will be protected by the privacy regulation.

The posting of a notice of privacy practices at the Web site, as required by the federal privacy rule, may compound the problem.  A customer may read the notice and believe that it applies to the entire Web site, as opposed to just certain activities.

The issue becomes even more ambiguous when a site operated by a covered entity offers general health information for “educational” purposes.  For example, Cleveland Clinic has a Web site,49 a small portion of which functions as an extension of its offline health care activities.  Patients can request an appointment online, for instance.  Assuming that Cleveland Clinic will be a covered provider under the regulation, these activities would be covered by the privacy rule.  However, a significant component of the site50 is information-based and furnishes information on a wide spectrum of health conditions.  Individuals can sign up at the “health information” component of the site to receive e-mail alerts on specific health topics of interest, including sensitive medical conditions such as AIDS, alcoholism and incontinence.  Is the fact that a person has registered to receive this type of health information from a covered provider protected by the privacy rule?

It is not clear.  The question centers on whether the personal data provided in registering to receive information on a specific health topic would be considered “individually identifiable health information” under the privacy rule, since this is the only type of information that is protected.  To be protected, identifiable information must relate either to the health or condition of a person or to the provision of health care to a person.51 The Cleveland Clinic takes the position that it does not provide health care by furnishing health information via e-mail.52 And it is unclear whether a person who merely asks for information on a health topic is thereby disclosing health information about himself or herself.

Why would signing up to receive health information on a medical topic, however, be any different from a trip to the library to obtain information on a specific disorder?  The privacy rule itself is ambiguous, and HHS has not issued any guidance on this topic.

In short, a health care consumer should not assume that all information that she provides at a Web site run by a covered entity will be protected by the privacy rule.

Business Associates

Health plans and providers routinely hire business associates.  Business associates receive health information on behalf of or from a covered entity, but they are not directly covered by the privacy rule.  Rather, the burden is on the covered entity to ensure through contracts that the business associates protect the health information that they receive.

Some of the most promoted and publicized Web sites, such as MedicaLogic,53 which recently merged with Medscape, may be considered “business associates” by the new regulation.  MedicaLogic allows physicians to create online medical records. MedicaLogic would be a business associate of covered health care providers that use its online services.  And information stored at MedicaLogic’s site would only be indirectly protected by the privacy rule.

As a general matter, health information collected by a business associate should receive some indirect protection under the privacy rule.  If the business associate does anything improper with the health information, the covered entity would be expected to cancel its contract, if possible.  However, HHS does not have the ability to impose any civil or criminal fines directly against a business associate.  The business associate contract should provide adequate protection, but what happens when a Web-based business associate files for bankruptcy and its only valuable asset is the information that it has collected on patients?54

  47. See e.g., C. Frey, “Online Shopper; When Privacy Matters; If buying condoms or adult diapers embarrasses you, try a Web drugstore,” L.A. Times, June 14, 2001, at T-4, which actually encourages consumers to shop for embarrassing products on the Web.
  48. See the Specialty Shops at http://www.drugstore.com.
  49. http://www.clevelandclinic.org.
  50. http://www.clevelandclinic.org/health.
  51. The information also must be created or received by a covered entity.
  52. The privacy policy at the health information portion of Cleveland Clinic’s Web site states in part: “please remember that medical information provided by The Cleveland Clinic Foundation, in the absence of a visit with a health care professional, must be considered as an educational service only. The information sent through e-mail should not be relied upon as a medical consultation.” Available at http://www.clevelandclinic.org/health/popupprivacy.htm.
  53. http://www.medicalogic.com/.
  54. There is no definitive answer to this question, since the issue of selling customer data lists when a company goes bankrupt has only been addressed outside of the courtroom. For example, when Toysmart.com, an online toy seller, went bankrupt, the company advertised an asset auction that included its customer database as an auction item, even though its privacy policy had promised not to disclose customers’ data to outside parties. The Federal Trade Commission filed a lawsuit against Toysmart, and ultimately Walt Disney, a major investor in Toysmart, agreed to buy and destroy the information. Similarly, when the online furniture seller Living.com went bankrupt, the Texas Attorney General sued the company to prevent it from selling customer data. On the same day, Living.com agreed to destroy all customers’ financial records. Kim Peterson, “Don’t count on privacy if you’re on the Internet,” San Diego Union Trib., Jan. 13, 2001, at A1.