November 19, 2001

Exposed Online: The federal health privacy regulation and Internet user impacts

Part 7: Conclusion

More health-related information is being collected and shared about individuals than ever, and until the release of the federal health privacy regulation in December 2000, there were almost no federal legal limits on how this information could be used and disclosed. By focusing on electronic transactions, the privacy regulation required by HIPAA aimed to give consumers confidence that as the health information system moved to a networked, electronic, computer-based system, their most sensitive health information would be protected. However, the HIPAA rule only applies to health plans, health care providers and health care clearinghouses, so it may create an illusion of legal protection that may lull consumers into a false sense of security when they engage in online health activities. Consumers may believe that the personal information they provide to health Web sites is protected by the new regulation when in fact many Web sites will remain unregulated.

The extent to which the new federal health privacy regulation will impact eHealth will depend largely on whether or not a Web site or Internet service is affiliated with or controlled by a covered entity and whether that site or service collects identifiable health information. Web sites not associated with a provider, plan or clearinghouse and not acting on behalf of these entities will fall outside the scope of the regulation. Personal health information collected and maintained by these sites, therefore, will be left unprotected by the federal regulation.[76] Given the wide range of activities on the Internet and the relatively narrow scope of the regulation, it is likely that a great deal of health information collected on health Web sites will not be covered by the new regulation.

Some sites have responded to the public’s concern regarding privacy and security on the Internet through self-regulation. To head off possible federal Internet privacy legislation, several professional organizations and trade associations have developed or are developing standards and seal programs to address privacy, security and quality on the Internet.[77] However, compliance is voluntary and there are few, if any, enforcement mechanisms. Furthermore, a survey conducted by Cyber Dialogue and the Institute for the Future shows that the presence of a seal of approval from an Internet trade group, such as TRUSTe, does not have an impact – positive or negative – on consumer willingness to submit health information online,[78] although an accreditation seal would increase consumer trust in health Web sites.[79]

People often believe they are invisible and anonymous online, but they are often exposing their most sensitive health information to online health care sites that are not required by law to protect the information or keep it confidential.  The potential for abuse is enormous.

  76. State laws do not offer adequate protection of information collected by health Web sites either. Protection varies greatly from state to state, and in general only applies to some of the core players in the health care arena.
  77. Standards and seal programs that are in development or have been developed include: Association of American Health Plans, AAHP Principles for Consumer Information In an E-Health Environment, http://www.aahp.org; American Health Information Management Association, Recommendations to Ensure Privacy and Quality of Personal Health Information on the Internet, http://www.ahima.org/infocenter/guidelines/tenets.html; Health On the Net Foundation, HON Code of Conduct, http://www.hon.ch/HONcode/Conduct.html; Hi-Ethics, Ethical Principles For Offering Internet Health Services to Consumers, http://www.hiethics.org; International Society for Mental Health Online, Suggested Principles for the Online Provision of Mental Health Services, http://www.ismho.org/suggestions.html; Internet Healthcare Coalition, eHealth Ethics Initiative, eHealth Code of Ethics, http://www.ihealthcoalition.org/ethics/ethics.html; National Association of Boards of Pharmacy, Verified Internet Pharmacy Practice Sites program, http://www.nabp.net; National Board for Certified Counselors, Standards for the Ethical Practice of WebCounseling, http://www.nbcc.org/ethics/webethics.htm; TRUSTe and Hi-Ethics, E-Health Seal Program, http://www.truste.org/programs/pub_ehealth.html; URAC and Hi-Ethics, Health Web Site Accreditation, http://www.urac.org/programs/technologyhws.htm; and M.A. Winker et al., Guidelines for Medical and Health Information Sites on the Internet American Medical Association, 283 JAMA 1600 (2000).
  78. Ethics Survey of Consumer Attitudes about Health Web Sites, supra note 6; however, a seal of approval for the quality of the content of a Web site is important to consumers. URAC released a study in May 2001 showing that 78% of consumers said a quality seal on a health Web site was extremely important or very important to them and 74% prefer that a private, nonprofit organization administer a health Web site accreditation program.
  79. Survey of Consumers’ Attitudes Towards Health Web Sites and Accreditation, conducted by Harris Interactive for URAC (May 2001).