Report Says HIPAA Privacy Reg Doesn't Offer Much to Internet Users
WASHINGTON, November 19, 2001 -- The Health Privacy Project released
a report today funded by the Pew Internet & American Life Project,
entitled "Exposed Online: Why the new federal health privacy regulation
doesn’t offer much protection to Internet users." The report examines
how the path-breaking new federal rules designed to protect the
medical privacy of Americans will not guard the privacy of Internet
users when they engage in the most common e-health activities online.
The HIPAA regulations recently issued by DHHS provide the first-ever
legal protections to some kinds of health-related information. However,
the rules only apply to Web sites that are run by health care providers
such as a hospital or doctor’s office; health insurance plans such
as Aetna U.S. Healthcare or Kaiser Permanente; or health care clearinghouses
that process health insurance claims information in a uniform format
for providers and insurers, such as WebMD Office.
The vast majority of health Web sites are not operated by such
firms, and that means that there will be no federal protections for
those who use them. Thus, commonplace activities may not be covered
by the federal rules. For example, online Americans using these
kinds of sites will not have any personal information protected
by the federal regulations:
- Web sites providing information about general fitness and nutrition
(e.g., www.foodfit.com), medical conditions (e.g., www.drkoop.com),
and treatment options (e.g., www.medigenesis.com).
- Web sites selling drugs without a prescription.
- Online mental health counseling sites that accept only credit
card payments.
- Pharmaceutical company Web sites.
Specific activities like filling a prescription, receiving e-mail
alerts, or getting a second opinion may be covered by the new regulation
at one site and unregulated at another. The burden will be on consumers
and Web site operators to determine which Web sites must comply
with the regulation.
“Sixty-five million Americans have gone online for health information,”
says Susannah Fox, director of research at the Pew Internet Project.
“These Internet users are often more concerned about getting quick
and accurate advice than checking a Web site’s privacy policy. They
are doing their best to care for their loved ones and just hoping
they won’t get burned. Many probably assume that the personal information
they provide to health Web sites is covered by the new regulation
– and they are wrong.”
More health-related information is being collected and shared about
individuals than ever, and until the release of the federal health
privacy regulation in December 2000, there were almost no federal
legal limits on how this information could be used and disclosed.
By focusing on electronic transactions, the privacy regulation required
by HIPAA aimed to give consumers confidence that as the health information
system moved to a networked, electronic, computer-based system,
their most sensitive health information would be protected.
However, since the HIPAA rule only applies to a narrow group of
sites, it may create an illusion of legal protection that may lull
consumers into a false sense of security when they engage in online
health activities.
“People often believe they are invisible and anonymous online,
but in reality they are exposing their most sensitive health information
to Web sites that are not required by law to protect the information
or keep it confidential,” says Janlori Goldman, director of the
Health Privacy Project. “The potential for abuse is enormous.”
Read an article on the report: "Report:
US Doesn't Protect Most Online Health Info"
Read the full report: "Exposed
Online: Why the new federal health privacy regulation doesn’t offer
much protection to Internet users"