November 19, 2001

Exposed Online: The federal health privacy regulation and Internet user impacts

Part 6: Putting It All Together

“Horror Stories”

News stories have highlighted various types of privacy violations related to health information.  The new federal privacy regulation will address only some of the violations of privacy that can occur online.  The following examples are violations previously reported by the press.  None of them are covered by the privacy regulation, since compliance with the regulation is not required until April 14, 2003.  They are used to illustrate how the regulation would, and would not, cover similar violations after the compliance date.

  • A hacker downloaded medical records, health information and Social Security numbers on more than 5,000 patients at the University of Washington Medical Center.  The hacker claimed to be motivated by a desire to expose the vulnerability of electronic medical records.70

After April 14, 2003, a penalty could be imposed on a covered medical center in similar circumstances if the Secretary of HHS determines that the covered entity failed to comply with the requirements of the privacy regulation.  The regulation requires covered entities to put in place administrative, technical and physical safeguards to protect the privacy of protected health information, and reasonably safeguard such information from intentional or unintentional use or disclosure.  In addition, HIPAA mandates the Secretary of HHS to adopt security standards to protect the confidentiality and integrity of individual health information.  These standards are expected to be issued in final form in 2001.

  • Global Health Trax sells over-the-counter health and nutrition supplements online.  It inadvertently revealed customer names, home phone numbers, and bank account and credit card information of thousands of its customers on its Web site.71

A company like Global Health Trax in all likelihood would not be considered a covered entity or a business associate of a covered entity.  Therefore, the privacy regulation would not apply to any information collected by that company.

  • SelectQuote Insurance Services exposed some of its customers’ personal information, including health information, on its Web site.  Information that was submitted by users to obtain life insurance quotes was not “cleared,” and thus remained on the site and could be viewed by subsequent users.72

Life insurance brokers, like SelectQuote Insurance Services, are not covered entities, so they fall outside the scope of the privacy regulation.  Their customers’ health-related information, therefore, would not be protected by the privacy rule.

  • Eli Lilly and Co. inadvertently revealed 600 patient e-mail addresses when it sent a message to every individual registered to receive reminders about taking Prozac. In the past, the e-mail messages were addressed to individuals.  The message announcing the end of the reminder service, however, was addressed to all of the participants.

A pharmaceutical company, like Eli Lilly and Co., is not a covered entity.  Therefore, a breach of confidentiality would not be covered by the privacy regulation.
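The mechanism behind the Eli Lilly exposure, a single announcement with every subscriber's address in the visible recipient header, is easy to test for before anything is sent. The example below is added here and is not part of the original report: it builds the leaky single broadcast beside the per-recipient form and flags any outgoing message whose To:/Cc: headers reveal more than one subscriber. The subscriber list and sender address are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (placeholders, not real subscribers)
SUBSCRIBERS = ["a@example.org", "b@example.org", "c@example.org"]
SENDER = "reminders@example.org"  # hypothetical sender address


def build_single_broadcast(recipients, subject, body):
    """The leaky pattern: one message with every subscriber in the To: header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)  # every address visible to every recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return [msg]


def build_individual_messages(recipients, subject, body):
    """Safe pattern: one message per subscriber, addressed only to that person."""
    msgs = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        msgs.append(msg)
    return msgs


def visible_recipients(msg):
    """Addresses any recipient can read from To:/Cc: (Bcc is stripped in transit)."""
    raw = [str(msg.get(h, "")) for h in ("To", "Cc")]
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def leaks_other_subscribers(msgs):
    """Pre-send check: True if any message exposes more than one subscriber address."""
    return any(len(visible_recipients(m)) > 1 for m in msgs)


if __name__ == "__main__":
    subject, body = "Reminder service ending", "This service is being discontinued."
    print("broadcast leaks:", leaks_other_subscribers(build_single_broadcast(SUBSCRIBERS, subject, body)))
    print("individual leaks:", leaks_other_subscribers(build_individual_messages(SUBSCRIBERS, subject, body)))
```

The same check applies to messages that use a Bcc: list, since only To: and Cc: are inspected, but a gate like this belongs in the sending path rather than in a report after the fact.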

  • The hospital records and photograph of an Illinois woman were posted on the Internet without her knowledge or consent a few days after she was treated at St. Elizabeth’s Medical Center in Granite City following complications from an abortion at the Hope Clinic for Women.  The woman has sued the hospital, alleging St. Elizabeth’s released her records without her consent.73

Many hospitals will eventually engage in the type of standard transactions that would bring them within the scope of the federal privacy regulation.  A covered hospital that makes unauthorized disclosures would be in violation of the privacy rule and thus may be subject to penalties under the regulation.  Similarly, it would be a violation of the privacy rule if the covered hospital had lax procedures for storing medical records that facilitated this information’s being improperly disclosed.

Civil fines under HIPAA are $100 per standard violated with a maximum of $25,000 per year.  Furthermore, a person who knowingly discloses individually identifiable health information in violation of HIPAA could be fined as much as $50,000, imprisoned not more than one year, or both.  If HHS determines that the offense was committed with the intent to transfer the information for malicious harm, then greater penalties may be imposed.

  1. This incident is an example of an external security breach. R. O’Harrow, “Hacker Accesses Patients Records,” Wash. Post, December 9, 2000, at E1; a year earlier, at the University of Michigan Medical Center, several thousand patient records inadvertently lingered on public Internet sites for two months, an example of an internal security violation. “Black Eye at the Med Center,” Wash. Post, February 22, 1999, at F5; similarly, detailed psychological records concerning visits and diagnoses of at least sixty-two children and teenagers were accidentally posted on the University of Montana Web site for eight days. C. Piller, “Web Mishap: Kids’ Psychological Files Posted,” L.A. Times, November 7, 2001, at A1.
  2. B. Sullivan, “Bank Information Exposed Online,” MSNBC, January 19, 2000.
  3. M. Bunker, “Insurance Site Exposes Personal Data,” MSNBC, March 22, 2000.
  4. R. O’Harrow, “Prozac Maker Reveals Patient E-Mail Addresses,” Wash. Post, July 4, 2001, at E1.