Patient Privacy Provisions of HIPAA Do Not Apply to Many Web Sites
A new report by researchers at the Health Privacy Project at Georgetown University found that federal patient privacy regulations that took effect this year may not protect information shared online, Scripps Howard News Service/Nando Times reports (Bowman, Scripps Howard News Service/Nando Times, 11/19). The rules, which fall under the Health Insurance Portability and Accountability Act of 1996, stipulate that providers and insurers must take several measures to protect the privacy of electronic patient records (California Healthline, 1/31). However, information shared on Web sites, often administered by organizations not covered by the rules, will likely "fall through the regulatory cracks," the report found. According to the report, the regulation only applies to organizations that accept health insurance or affiliate with a health plan (Scripps Howard News Service/Nando Times, 11/19). The regulation, for example, does not apply to most online pharmacies and Web sites that offer mental health services but only accept credit card payments rather than health insurance, the report found (Beauprez, Denver Post, 11/20). "People often believe they are invisible and anonymous online, but in reality, they are exposing their most sensitive health information to Web sites that are not required by law to protect the information," Janlori Goldman, director of the Health Privacy Project, said. Susannah Fox, director of research at the Pew Internet and American Life Project, which sponsored the report, added, "Sixty-five million Americans have gone online for health information. Many probably assume that the personal information they provide to health Web sites is covered by the new regulation, and they are wrong" (Scripps Howard News Service/Nando Times, 11/19).
The report found that 85% of patients who use the Internet for health information fear that online companies may sell their information or that the information they share online may affect their health insurance (Denver Post, 11/20).
Meanwhile, the National Committee on Vital Health Statistics, an HHS advisory panel, approved a draft recommendation Friday that urged HHS to "clarify" the medical privacy regulation to allow disclosure of medical information without a patient's consent for medical research, Technology Daily/PM reports. After a series of hearings during the past few months, NCVHS concluded that the health care community has "tremendous confusion" about disclosures allowed under the rule, according to committee member Edward Shortcliffe. Researchers and other health care professionals testified that the language in the regulation may hinder "researchers' ability to pursue their mission." They said that fears about criminal and civil liability may discourage health care providers from sharing medical information with researchers, although the rule allows disclosure for medical research, Mark Rothstein, chair of the NCVHS Privacy and Security Subcommittee, said. NCVHS will offer final recommendations to HHS Secretary Tommy Thompson. The committee will likely recommend that HHS revise a provision in the rule that requires providers to de-identify medical information and provide guidance on standards to determine allowable disclosure of medical information to researchers. Committee members said last week that HHS should make revisions to the rule "as expeditiously as possible" (Sirhal, Technology Daily PM, 11/16).
This is part of the California Healthline Daily Edition, a summary of health policy coverage from major news organizations.