November 19, 2001

Exposed Online: The federal health privacy regulation and Internet user impacts

Part 5: Web Sites Not Covered

Introduction

Every day people go online to get information about a medical condition or symptom, fill a prescription, get an insurance quote, participate in a chat room, or fill out a health assessment.  All of these activities involve the exchange of information with or without the consent of the individual, and with or without their knowledge.  For users concerned about protecting their privacy, where they go (i.e., what sites they visit) will determine whether there are enforceable rules about how their health information is protected.  More often than not, however, users will be getting health information and services from Web sites that are not covered at all by the new federal health privacy regulation.  Here are some examples of Web sites that are not covered.

Sites Providing General Health Information

Some of the most popular health Web sites are information-based.  In other words, they provide people with information about general fitness and nutrition (e.g., www.foodfit.com), medical conditions (e.g., www.drkoop.com), and treatment options (e.g., www.medigenesis.com).  Some offer a broad range of information, while others specialize in a certain drug or medical condition.  They do not have an offline existence where they engage in covered activities like treating patients.  They only furnish health information – they do not provide “health care,” as it is defined in the federal regulation.64

Some sites offer additional services that require users to provide personal information to the site.  Many Web sites offer a “health assessment” feature where users may enter all sorts of information from height and weight to drug and alcohol use.  The personal health information that consumers provide to many of these sites (e.g., through self-screening questionnaires or registration for e-mail reminders) will not be protected by the privacy regulation.  For example, HealthStatus.com offers free general health assessments as well as disease specific assessments to determine an individual’s risk for some of the leading causes of death.65 Does this constitute health care?  HealthStatus.com’s disclaimer makes clear its belief that the site does “not provide medical advice or treatment.”66  It is not so clear that HHS would agree with this assertion.  However, because HealthStatus.com does not accept any insurance it will not be covered by the privacy rule.

Prozac.com, a Web site owned by the drug company Eli Lilly and Co., provides information about depression.  Until recently, individuals could sign up for an Internet service that would send them e-mail reminders about taking their medication.  Eli Lilly and Co. is not a covered entity so health information consumers provide to prozac.com is not protected by the privacy regulation.67 The key is that the e-mail reminder originates from someone who is not covered by the privacy rule.  If, in contrast, a covered physician sent a patient an e-mail reminder that it was time for her annual mammogram, the e-mail would be covered by the privacy rule.

Users also may give Web sites personal information when they provide an e-mail address to obtain more information about a certain health topic.  For example, users can receive free diet and nutrition-related information from eDiets.com by entering their e-mail address at the site.  This information would not be covered by the privacy rule.

A user might participate in a chat room where her e-mail address is used as well.  Or, a site may have banner advertisers that collect information without users ever knowing.  Many of these sites track users through cookies.68  Cookie files allow a Web site to know when a user has visited a site and each page the user visits to create online user profiles.  User profiles help sites determine what information, products and services are used by the visitors.  They also allow sites to deliver specific content to users based on their previous online activities.  Although cookies are only numbers assigned by a site to each user, personal data can be linked to the number when an individual provides identifiable information to the site (e.g., completing health assessments).  A 1999 study of health-related Web sites found, however, that profiling is not generally disclosed or explained to visitors of a site.69 The end result is that the Web site owner – and possibly third parties – has a great deal of health-related information that can be attached to a particular person without the person’s knowledge or consent.  But the sites are bound by nothing more than their own privacy policies.

Sites for Purchasing Health-related Products

The press has been filled with stories about rogue Web sites selling drugs without a legitimate prescription.70 Many of these “pharmacists” only do business online.  They specialize in drugs that treat sensitive or embarrassing conditions – like Viagra for impotence71 and Propecia for hair-loss72 – that a patient may not ask for from his doctor.  There also are sites that provide online prescriptions for products that are not always easy to obtain, like the “morning after” pill.73  The recent public scare of biological warfare prompted by the September 11 attacks has popularized Web sites that offer Cipro, an antibiotic used to treat bacterial infections, including anthrax.74

The sites allow people to purchase a drug if they fill out a health assessment.  The transaction may include a fee for an online “consultation” with a doctor.  Most importantly, however, the sites require payment for the entire transaction via credit card.  They do not accept health insurance.  It is important to note that the distinguishing factor here is not that the information is being obtained online, but that the pharmacist never processes health claims information in standard format, and therefore, is not a “covered entity” under the regulation.  By refusing insurance, these sites remain outside the scope of the federal privacy regulation.

The vigilant patient might better protect her privacy by filling her prescription at a site that takes insurance – such as CVS.com or drugstore.com.  Here, even if a person pays out-of-pocket, her information will be protected by the regulation. 

Web sites that sell only non-prescription health products, such as healthandbeautydepot.com, also fall outside the scope of the privacy regulation – they are not covered entities.  The sale of non-prescription health products is not considered “health care,” whether it takes place online or at a local drugstore.  Hence, identifiable health information disclosed when purchasing over-the-counter allergy medicine, for example, is not protected health information.

Sites Providing Health Care “Treatment”

Some Web sites provide health care but still are not covered by the regulation.  Why?  They do not accept health insurance.  Only providers that process health claims electronically in a standard format are covered by the regulation.  What does this mean for consumers?  Simple activities like filling a prescription online may not be covered by the regulation. 

Another example is online counseling.  Some Web sites now allow users to participate in a therapy session online.  These sites also tend to be “credit card only.”  Here2listen.com75 and cyberanalysis.com76 are examples of Web sites that offer online consultations. 

At here2listen.com, individuals can select a participating therapist from the here2listen.com database to conduct sessions online based on the counselor’s education, geographic location or fee level.  The site accepts credit cards as payment for the counseling service.  Insurance is not accepted through the Web site.  This site appears to be acting as a referral service for the counselors.  For some counselors, it appears that the online counseling is an extension of their offline practice.  Although the counselors on this site are clearly “health care providers,” it is unclear whether they are required to comply with the regulation.  A health care provider must meet specific criteria to be covered by HIPAA.  Do they ever accept health insurance (such as in their offline practice)?  If so, do they process claims information electronically?  Is the information transmitted in the required standard format?  If the counselors transmit health claims type data electronically in standard format, they are covered entities and the privacy regulation would apply to their online counseling activities.  The Web site itself would be a business associate, since it receives health information on behalf of the covered providers.

Cyberanalysis.com presents a slightly different format for online counseling services.  At cyberanalysis.com, patients can make arrangements to communicate with participating doctors by cyber chat, e-mail, videophone or telephone.  An important point about this Web site is that it is not a referral service but is actually a virtual counseling center that has analysts on staff.  Thus, the critical question here is whether the Web site itself is a covered entity.  Since it does not accept health insurance, the site and the counseling that takes place on the site, would not be covered by the privacy rule.

In both of these instances, a person’s desire for anonymity may ironically leave her more vulnerable to exposure.  It is important to note that while consumers often lie, withhold information, or mask their identity on the Web to maintain anonymity, in these examples, they may be forced to identify themselves.  To get the service, an individual will be required to provide her name, credit card number and a mailing address.

Another type of online health service that consumers may consider health care is clinical trial recruitment.  At ClinicalTrials.com,77 individuals can register for e-mail updates about clinical trials and learn about current trials by providing their name and address and selecting the medical condition(s) of interest.  ClinicalTrials.com falls outside the scope of the privacy regulation – it is neither a covered entity nor a business associate. 

AmericasDoctor78 engages in slightly different activities – it offers information about clinical trials and recruits patients for its own investigative sites as well as non-AmericasDoctor trial sites.  AmericasDoctor is not a covered entity because it is not engaged in providing health care so the health information collected on its Web site would not be protected by the regulation.  It is not obvious from the site, however, whether or not AmericasDoctor might be considered a business associate when it assists non-AmericasDoctor study sites with patient recruitment.  If the Web site is recruiting patients for a covered entity engaged in clinical research, it might be a business associate and, therefore, identifiable health information collected by the site with respect to that trial would be protected by the regulation under a business associate contract.  If the physicians or hospitals are not covered entities, then the privacy regulation’s restrictions on use and disclosure will not apply to AmericasDoctor.

Patient-driven Sites

Many hope that online health care puts patients in the driver’s seat by giving them access to more information, and indeed many Web sites do give patients more information.  Some even offer health management tools like online medical records.  But sites that are exclusively controlled by patients are not covered by the new privacy regulation.  Individuals may unknowingly make “protected health information” unprotected when they take information from their doctor and give it to a Web site.  For example, sites where the patient acts as the intermediary between providers may not be covered. 

Consider the following two examples: online second opinions and online medical records.  Online second opinions allow patients to obtain expert medical advice in the comfort of their homes.  Cancer patients, for example, can release their medical records to MDExpert.com,79 which has a network of over 200 cancer experts who offer second opinions after reviewing the medical records.  The expert dictates or e-mails her opinion to MDExpert, where it is reviewed by MDExpert’s medical director and a consulting physician.  The opinion is then compiled into a report with clinical trials information, reference information and patient education materials and is sent to the primary physician for review and discussion with his or her patient.  A second opinion from MDExpert.com is payable only by credit card, which suggests that the site is not a covered entity, and therefore that its online activities do not fall within the scope of the privacy regulation.

There are also sites that allow consumers to create their own medical records online.  For example, PersonalMD.com80 enables patients to manage all of their medical information on one site, which the patient can access from anywhere in the world.  The site is storing this information on behalf of the patients, not their doctor.81 Personal files can include records of visits to the doctor or hospital, lab reports, medications, allergies, family history and immunizations.  The information is provided by the patient in a variety of ways (such as via fax and direct entry).  The site, however, is not covered by the privacy rule – it is not a provider, a health plan or a health care clearinghouse.  Patients who use these sites essentially are relying on the site’s own privacy policy for protection.

Patients may also authorize their doctor to send health information directly to PersonalMD.com for inclusion in their online medical record.  The fact that the information is transmitted to the site by the doctor does not change the situation—it loses its protection under the privacy regulation once it leaves the doctor’s office.82 In fact, the privacy regulation recognizes that this can occur and requires that authorization forms include a statement that health information released pursuant to the authorization may no longer be protected by the privacy rule.83 PersonalMD.com has strict policies against the sharing of personally identifiable information without an individual’s permission,84 but privacy policies are not required by law and they are subject to change at any time.  Furthermore, PersonalMD.com advertisers or Web sites that have links on PersonalMD.com may collect personally identifiable information about individuals, but these third party sites are not required to comply with PersonalMD.com’s privacy policy.

  1. Privacy Rule, § 160.103, available at http://www.hhs.gov/ocr/regtext.html.
  2. http://www.healthstatus.com/assessments.html.
  3. http://www.healthstatus.com/disclaimer.html.
  4. Because pharmaceutical companies do not sell or distribute drugs pursuant to prescription (unlike drug stores) they do not provide health care and are not covered by the privacy rule. See Privacy Rule, § 160.103 (defining “health care”), available at http://www.hhs.gov/ocr/regtext.html.
  5. Cookies are small text files a Web site places on a computer’s hard drive so the site can collect information about a person’s visit.
  6. Goldman et al., supra note 10.
  7. See e.g., A. Fawcett, “Online Rx,” Atlanta J. & Const., Aug. 7, 2001, at 1C; R.J. Ignelzi, “Risky prescription; Online drug buyers gamble with more than their credit cards,” The San Diego Union-Trib., Aug. 6, 2001, at E1; G. Wheelwright, “Inevitable marketplace for lifestyle drug: Online Viagra Sales,” Fin. Times, Feb. 21, 2001, at 11. S. Coburn, “A Web Bazaar Turns Into a Pharmaceutical Free-for-All,” N.Y. Times, Oct. 25, 2000, at H20; J.A. Karash, “More prescriptions are being filled on the Net. It’s buyer beware when getting medications online,” Kan. City Star, Oct. 22, 2000, at G1.
  8. See, e.g., 57 See, e.g., http://www.propeciapharmacy.com.
  9. See, e.g., http://www.propeciapharmacy.com.
  10. See, e.g., http://www.virtualmedicalgroup.com.
  11. See, e.g., http://www.2-buy-cipro-online-4-anthrax-bacteria-resistance.com; see Julie Appleby, “Web sites market antibiotic to treat anthrax,” USA Today, Oct. 11, 2001, at 1B.
  12. http://www.here2listen.com.
  13. http://www.cyberanalysis.com.
  14. http://www.clinicaltrials.com.
  15. http://www.americasdoctor.com.
  16. http://www.mdexpert.com.
  17. http://www.personalmd.com.
  18. In contrast, some sites store and manage health information on behalf of doctors. These sites are treated differently under the regulation. See discussion under “Business Associates,” supra Part IV.B.
  19. See Privacy Rule, § 164.508(c), available at http://www.hhs.gov/ocr/regtext.html.
  20. See id.
  21. The PersonalMD privacy policy states, “As a general rule, PersonalMD will not disclose any of your personally identifiable information without your permission. The exception shall be under special circumstances, such as when we believe in good faith that the law requires it or under the circumstances described below…. PersonalMD will never rent or sell your health-related information. This site has security measures in place to protect the loss, misuse and alteration of the information under our control.” Available at http://www.personalmd.com/privacypolicy.shtml.