Consumer Health Privacy and the Internet

HIPAA privacy rules provide important, national standard privacy rules for individual health information; but they also offer an example of how policy can lag behind technology changes.

HIPAA privacy rules provide important, national standard privacy rules for individual health information; but they also offer an example of how policy can lag behind technology changes. HIPAA was drafted about six years ago and its provisions do not necessarily cover recent technological innovations such as the Internet. For example, HIPAA does not cover health related websites that provide health information only. It also does not cover websites that are not directly associated with a covered entity. Websites that are associated with a covered entity but do not engage in the type of electronic transactions of individually identifiable information covered under HIPAA may also not be regulated under HIPAA. These sites are in contrast to sites that do fall squarely under HIPAA rules, such as on-line pharmacies that electronically bill insurers for reimbursement for prescription drug sales. Still other websites fall into grey areas, for example, a website whose developers provide teleconsultations only for credit card payment but bill electronically for services in other parts of their practice. In grey areas like this, future case law may determine the outcome of what privacy rules do and do not cover.

While the subject of consumer privacy and the Internet is beyond the scope of this paper, it is clear that consumers have become increasingly concerned about their privacy on the Internet, especially in three areas: a) industry v. government website regulation, b) recent findings concerning the Internet and consumer health privacy, and c) health privacy legislation.

Industry Self-Regulation

Industry has attempted to address consumer privacy concerns by developing a number of standards for health-related websites. Organizations that promote industry self-regulatory standards include Health on the Net Foundation (HON) (http://www.hon.ch) and TRUSTe, (http://www.TRUSTe.org ) which promote the most widely accepted standards and privacy seals. A new Industry Coalition, the Internet Healthcare Coalition (http://www.ihealthcoalition.org ), promotes ethical principles such as candor, honesty, quality, and informed consent. The Health Internet Ethics Coalition (http://www.hiethics.org), another new Industry Coalition, also promotes ethical principles. These principles include a commitment to adopt a privacy policy, enhanced privacy protection for health related personal information, safeguarding consumer privacy in relationships with third parties, and disclosing ownership and sponsorship information.

Recent Findings Concerning Consumer Health Privacy on the Internet

Despite industry’s efforts to self-regulate their privacy policies and activities, a number of recent reports reveal a troubling disconnect between consumer perception of their privacy on the Internet and actual practices on health websites. For example, the California Healthcare Foundation recently released the Report on the Privacy Policies and Practices of Health Websites, (Goldman, Hudson, & Smith, 2000) which describes the practice of privacy protocols on health related websites. The five major findings are:

• Consumers are using health websites to better manage their health, but their personal information may not be adequately protected.
• Visitors to health websites are not anonymous, even if they think they are.
• Health websites recognize consumers' concern about the privacy of their personal health information and have made efforts to establish privacy policies; however, the policies fall short of truly safeguarding consumers.
• There is inconsistency between the privacy policies and the actual practices of health websites.
• Health websites with privacy policies, that disclaim liability for the actions of third parties on the site, negate those very policies.

Other notable reports that discuss consumer privacy and the Internet include those released by the Federal Trade Commission (FTC) and by Health Affairs (http://www.healthaffairs.org). According to the FTC’s Privacy Online: Fair Information Practices in the Electronic Marketplace (FTC, 2000), only 20% of the busiest websites comply with FTC Information Privacy Principles and only about 41% of all websites comply with at least two FTC privacy principles that are discussed below.

Recently, Health Affairs published a special issue on E-Health:The Next Wave, which offered a series of publications by E-Health experts.

Consumers are using health websites to better manage their health, but their personal information may not be adequately protected.

One of these publications, entitled Virtually Exposed: Privacy and E-Health, (Goldman & Hudson, 2000) is a study of 21 leading health-related websites that found that the polices and practices of many sites fell short of consumers expectations for privacy. The publication also pointed out news stories, highlighting the lax security for information shared and maintained online. Consumers are using health websites to better manage their health, but their personal information may not be adequately protected.

Health Privacy Legislation

Both the states and Congress have responded to these problems by introducing a large number of bills that attempt to protect the privacy of personal information collected from the Internet. Previously, Congress introduced and passed the Children's Online Privacy Protection Act of 1998. This law requires the FTC to develop regulations, protecting the privacy of personal information collected from and about children on the Internet and to provide greater parental control over the collection and use of that information. A comprehensive list of state and congressional privacy bills introduced in 2001 can be found at the Electronic Privacy Information Center Website at: http://www.epic.org.

The FDA, Department of Justice and state governments all have roles in online regulation and enforcement; but the FTC has emerged as a key online consumer protection regulator, overseeing privacy protection and deceptive trade practices on commercial websites. Among other things, the FTC has the authority to regulate personal data collected online, based on Section 5 of the Federal Trade Commission Act and the Children’s Online Privacy Protection Act. However, the FTC still lacks authority to require Web companies to adopt standard information practices such as its Privacy Principles. These four widely accepted information privacy principles are outlined below:

• Notice: Provide consumers clear and conspicuous notice of information practices
• Choice: Offer consumers choices as to how their personal identifying information is used
• Access: Give consumers reasonable access to the information the website has collected about them
• Security: Take reasonable steps to protect the security of the information collected from consumers

While the FTC continues to strongly encourage industry self-regulation, in a departure from the past, the regulator made explicit legislative recommendations to Congress in their 2000 Report that would set a basic level of privacy protection for all visitors to consumer-oriented commercial websites. Specifically, the FTC recommended that websites covered by the Children's Online Privacy Protection Act of 1998 (COPPA) would have to implement all four FTC fair information practice principles outlined above.