[Med-privacy] "Virtually Exposed"
Peter Marshall
pwm@comcast.net
Fri, 31 Dec 2004 16:01:58 -0800
Virtually Exposed: Privacy And E-Health
Privacy concerns are keeping consumers from reaping the full benefit of
online health information.
by Janlori Goldman and Zoe Hudson
The United States is embroiled in a longstanding, contentious debate over how and to what extent individual privacy should be protected in the health care arena.1 Against this backdrop e-health enters the fray, bringing with it a universe of undefined, unregulated ventures. This paper addresses consumer-focused Internet services—that is, services that target consumers who are accessing information and services. Some of these activities are traditional health care activities that are migrating to the Internet, such as recruitment for clinical trials, fulfillment of prescription drugs, applications for health insurance, and even consultations with medical care providers.2 Other activities appear to be unique to the Internet and strain our current understanding of health care.
In the past two years the number of American adults accessing health information online has doubled, to ninety-eight million.3 Many health care consumers are attracted to the Internet because it appears to offer anonymity and a safe place to seek and share information. It is ironic that this is most likely an illusion: Many e-health business models depend on identifying and tracking users for a variety of purposes, often without the person's knowledge or consent.4 One privacy advocate notes:

    The trail of transactional data left behind as individuals use the Internet is a rich source of information about their habits of association, speech, and commerce. When aggregated, these digital fingerprints could reveal a great deal about an individual's life.5
As many e-health companies continue to amass detailed consumer profiles—including health status, insurance information, and purchasing patterns—the temptation to use this information for purposes beyond those for which the information was initially gathered will be irresistible.
If we as a society desire the Internet to be used as a force for positive, egalitarian changes in health care, we must first remedy one of the most intransigent barriers to people's full participation in e-health and health generally: fear that their privacy will be violated and their health information will be used to hurt them. Without ubiquitous and strong privacy rules, the true promise of e-health to transform the quality of health care and open doors to care may become just another failed venture that further disempowers people in their health care.
Landmark federal health privacy regulations are set to be finalized in the fall of 2000. The new regulations are to cover only a limited number of health care entities: some providers, insurers, and clearinghouses. As such, some online activity will be covered. However, it is clear that many of the burgeoning e-health activities will continue to be beyond current privacy law, since they operate in the nascent gray zone beyond "traditional" health care and what the new law will cover.
©2000 Project HOPE–The People-to-People Health Foundation, Inc.

Janlori Goldman and Zoe Hudson are director and senior policy analyst, respectively, of the Health Privacy Project at Georgetown University's Institute for Health Care Research and Policy in Washington, D.C. Their e-mail addresses are <goldmajl@georgetown.edu> and <hudsonz@georgetown.edu>.
Individual Privacy And Its Impact On Health

Without trust that their most sensitive health information will be safeguarded, patients are reticent to fully and honestly disclose personal information and may avoid seeking care altogether—both online and off. A national survey released in January 1999 found that one in five persons believe that their offline personal health information has been used inappropriately, without their knowledge or consent.6 More striking is that one in six engage in some form of privacy-protective behavior to shield themselves from what they consider to be harmful and intrusive uses of their health information. Examples include withholding information from their health care providers, providing inaccurate information, doctor-hopping to avoid a consolidated medical record, paying out of pocket for care that is covered by insurance, and, in the most extreme cases, avoiding care altogether.
This behavior is replicated in the online environment. A January 2000 survey of Internet users found that (1) 75 percent of people are concerned about health Web sites sharing information without their permission; (2) a significant percentage do not and will not engage in certain health-related activities online because of their privacy and security concerns: 40 percent will not give a doctor online access to their medical records; 25 percent will not buy or refill prescriptions online; and 16 percent will not register at Web sites; and (3) 17 percent do not go online even to seek health information because of their concerns about privacy.7 At the same time, consumers' fears can be greatly assuaged. Nearly 80 percent of respondents said that a privacy policy enabling them to make choices about whether and how their information is shared would increase their willingness to engage in online health activities.
Justification for concern. The public's concern about the lack of privacy online is justified. A recent study of twenty-one leading health-related Web sites found that the policies and practices of many fell short of consumers' expectations for privacy.8 While nineteen sites had privacy policies posted on their home pages, most of these policies did not meet minimum fair-information practices—such as providing adequate notice, giving users some control over their information, and holding the sites' business partners to the same privacy standards. Most disturbingly, there was inconsistency between the privacy policies and the actual practices of these health Web sites. For example, on a number of sites information was collected by third parties through the use of cookies and banner advertisements, even though the privacy policy would indicate otherwise.9 This transfer of information is particularly troubling because few sites held their business partners to the same privacy standards that they espoused. In effect, much personal information shared at Web sites is not protected at all by the privacy policy.
Recent news stories also have highlighted the lax security for information shared and maintained online. For example, Global Healthtrax, which sells health products online, inadvertently revealed names, home phone numbers, and bank account and credit card information of thousands of customers on its Web site.10 Kaiser Permanente mistakenly sent responses to members' e-mail to the wrong recipients. The e-mail messages, some of which contained sensitive information, affected 858 members who use Kaiser's online services.11 Finally, thousands of patient records were accidentally made available to the public on the University of Michigan Medical Center's Web site.12
The volatility of Internet companies also makes users especially vulnerable to privacy breaches. There is no guarantee that information will remain confidential when a business goes bankrupt or is sold or merged.13 Many of the recent mergers of health Web sites seek to network disparate players in the health care delivery system: patients, insurers, providers, and data processors. The impact of these mergers on consumers—especially those seeking to shield information from certain parties—could be dire. As one reporter notes, "Most of these [business] strategies position the Web companies as partners to companies that, at least occasionally, have not always had the best interests of patients at heart—pharmaceutical companies and hospital corporations, for example."14
The Regulatory Scheme

E-health occupies a space in and between the two worlds of the Internet and health care, neither of which operates under clear privacy rules. While there are efforts to establish such rules, many e-health companies appear likely to continue to elude federal and state regulation in the near future.
Health Insurance Portability and Accountability Act. There is no comprehensive federal law that protects the privacy of medical records. However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 required the U.S. Department of Health and Human Services (HHS) to issue regulations if Congress failed to enact such a law by 21 August 1999.15 The Clinton administration issued proposed health privacy rules in November 1999, and the final regulation is to be released in fall 2000.16
Among its many provisions, the draft regulation gives consumers the right to inspect and copy their own medical records; requires that consumers be given notice about the use and disclosure of their health information; and gives consumers the right to limit disclosures in many circumstances. As required in HIPAA, the regulation does not preempt state law that is stronger than the federal standard—that is, more protective of consumer privacy.
Once finalized, the regulation will likely help to establish greater privacy rights for health care consumers than they enjoy today. The draft regulation, however, still falls short of the expectations of many consumer groups. For example, it allows covered entities to use and disclose a patient's "protected health information" without a patient's authorization for treatment, payment, and "health care operations" (a new term that includes a variety of activities such as quality assessment, performance review, training programs, licensing, and audits).17
The draft regulation also falls short in that it only covers a small portion of those who collect, maintain, and disclose health information. As outlined in HIPAA, the regulation will only cover certain health care providers, insurance companies, and health care clearinghouses. Once a company is deemed a "covered entity," it is covered whether it is doing business online or off. The question here is how many Web site owners will be "covered entities."
(1) Health care providers: Not all providers are covered. To be covered, the provider must transmit claims electronically. Therefore, providers who submit paper claims or those whose patients pay for care out of pocket are not covered. On the other hand, once "covered" under the regulation, the provider is covered for all activities.

(2) Insurance companies: Insurance companies are covered for all of their activities. They are, therefore, covered whether they do business online or off. Notably, insurance brokers are not covered by the regulation.18 There are many Web sites that offer consumers the opportunity to get insurance quotes from multiple companies that would not be covered by the regulation.19 Also not covered are some new Internet companies that manage "defined-contribution" health plans.20

(3) Health data clearinghouses: Entities that process and transmit claims data are considered clearinghouses. Some Web sites, such as WebMD, allow physicians to submit claims on the site. As such, they would be considered a "clearinghouse" for purposes of the regulation and be covered. These sites, however, do more than just process claims. It is not clear whether all of the information collected at a particular Web site would be covered, or only the information collected for purposes of transmitting claims.
Even if the information is held by a covered entity, the information still may not be covered. The draft regulation only applies to information that identifies the individual, or where there is a "reasonable basis to believe that the information could be used to identify the individual."21 The draft specifies a list of identifiers to remove from the data to create "de-identified" information, at which point it is no longer subject to the regulation.22
Ultimately, the protections offered by the federal regulation will be patchy. Web sites such as CVS.com or PlanetRX will most likely be covered by the regulation because they are engaged in a "traditional" health care activity (filling prescriptions) and accept insurance. Providers who use e-mail or Web sites to communicate with patients will probably be covered by the regulation. These are but a small fraction of all health Web sites.
HIPAA's shortcomings. The regulation has two key shortcomings with regard to health Web sites. First, because coverage under the regulation is so closely tied to insurance, many of the most common features of health Web sites probably will not be covered: health assessments, applications for clinical trials, chat rooms, and personal health management tools such as online disease management and patient-generated "medical records." For example, drkoop.com, in its current configuration, will not be covered by the regulation. Even more traditional health care activities will not be covered if the Web site does not accept insurance. For instance, many sites that offer online physician consultations may include issuing prescriptions. One site, 24-Hour Viagra and Propecia Clinic, allows consumers to purchase Viagra after completing a short survey. Since the site does not accept insurance, any information shared at the site would not be covered by the regulation.23
Second, the draft regulation gives little guidance about where the new privacy protections begin and end. If an organization is primarily engaged in a health care activity covered by the regulation, such as providing health care or processing health claims, then the entire entity is a "covered entity" and is subject to the use and disclosure restrictions of the privacy rule. In contrast, if an organization is primarily engaged in other, unrelated activities but has a "component" that is engaged in a covered health care activity, only that component is considered to be a covered entity.24 When a Web site engages in multiple activities, such as providing general consumer education, processing health insurance claims, and selling both prescription and over-the-counter medications, it is difficult to determine the site's primary activity: Is it mainly providing information to consumers or is it processing claims? Is the entire site a covered entity, or just a portion? At what point does the site engage in a sufficient amount of covered activity so that the entire site becomes a covered entity? These questions are critical because they determine where and how protected health information may flow within, and beyond, the company.
On the flip side, the regulation may tangentially capture some of the activities at health Web sites. Once covered by the regulation, for example, a provider is covered in all areas of work. Therefore, one might expect that some providers who work for health Web sites as a part of their medical practice will be covered by the regulation. Providers and insurers who choose to share information with Web site owners for a permissible activity also will have to enter into contracts that extend the original confidentiality protections.25
Not the final word. It is important to note that the federal privacy regulation is not the final word on consumer protection. HIPAA provides that the federal regulation will create a "floor" of protections—state laws that are more protective of individual privacy will be allowed to stand. While few states have comprehensive health privacy laws, some provide notable protections that apply to online activities. California's health privacy law, for example, defines provider more expansively than does the federal regulation and therefore would capture more online activities.26
All in all, the new federal health privacy regulation will not be the cure-all for privacy threats on the Internet but may create the illusion of legal protection where none exists. Consumers will face a nearly impossible challenge to make distinctions between activities regulated by the new law and those that fall outside its scope. In the worst-case scenario, people may disclose information to health Web sites in the mistaken belief that their information is protected.
Industry self-regulation. To defend against proposed state and federal legislation, e-health companies and industry associations have sought to promote self-regulation. Many health Web sites have applied for "privacy seals." Two of the most popular are Health on the Net Foundation (HON) and TRUSTe.27 In the past year two new industry coalitions—the Internet Healthcare Coalition (IHC) and the Health Internet Ethics Coalition (Hi-Ethics)—each addressed privacy concerns in the form of "ethical principles."28
The separate principles released by the two groups take slightly different approaches, but they both aim to incorporate fair information practice principles. Both would require Web sites to provide users with notice about how health information is used and disclosed, allow users to review and correct information held by the site, and adequately safeguard health information.
Both of these efforts are in their early stages, but the promotion of self-regulatory measures by an industry under threat of congressional action is not new. Self-regulation has proved to have limited efficacy. In a self-regulatory regime, companies choose whether to comply with the code or not, and there are few (or no) enforcement mechanisms beyond corporate peer pressure.
Nevertheless, from an advocate's perspective, self-regulation can be a useful stepping-stone to legislation. Industry's efforts to police itself in the area of e-health and privacy send a number of powerful messages. First, self-regulation is tacit acknowledgment that there is a problem worthy of addressing. Second, through a strong set of privacy policies and practices, industry can convey the willingness and ability of the "good guys" to do the right thing, even without the stick of legal enforcement. As such, it indicates what practices are both commercially feasible and technically possible.
Ultimately, if the leading Internet health companies are willing to bind themselves to a set of privacy principles, they should be willing to support a parallel legal standard. Such a standard can bring the more reticent e-health entities into compliance and can offer consumers legal redress when their rights have been violated.
Calls for legislation. In addition to the HIPAA health privacy provisions, legislative efforts are under way that would protect health information.29 There are two separate approaches. The first focuses on establishing privacy rules for information collected on the Internet and thus would bring health Web sites within its ambit. The second seeks to establish privacy rules for health care entities and thus would create protections for health information whether it is gathered on- or offline.
Neither of these approaches, however, has gained much momentum. Past congressional efforts have stalled as a result of an impasse between consumer advocates and the health care industry. Industry representatives continue to express fear that a health privacy law might undermine their access to data needed for outcomes studies, research, and public health initiatives.30
In the broader context of Internet privacy, national policymakers also have stepped up their attention by holding hearings and introducing legislation aimed at giving consumers greater control over their personal information online.31 Here, too, enacting enforceable rules has been nearly impossible because of concerns about dampening the Internet economy in its nascent stage. To date, Congress has only passed one law, the Children's Online Privacy Protection Act (COPPA), that establishes privacy standards for Web sites.32
However, the Federal Trade Commission (FTC) recently called on Congress to enact e-commerce privacy legislation.33 Specifically, the FTC recommended that Congress set a baseline for privacy protection on consumer-oriented Web sites that collect personal information, requiring them to comply with the four widely accepted fair-information practices: notice, choice, access, and security.34
Recommendations

To engender public trust and confidence in both traditional health care as well as e-health activities, policymakers will need to act to undergird the entire health care arena with enforceable fair-information practices. National policy must be crafted that coordinates two distinct initiatives: health privacy and Internet privacy. Our changing health care environment demands it, and health care consumers need it.
First, the limited scope of HIPAA is unworkable. A federal law is needed that directly covers more entities that collect and maintain health information, including Web sites that are now beyond the reach of the regulation. It should, for example, bring in new Internet entities that are not licensed health care practitioners but that collect information for the purposes of evaluation, diagnosis, monitoring, or the provision of a health care service.35 In addition:

(1) The law should not distinguish between paper and electronic records and should cover online and offline activities equally.

(2) The trigger for coverage should not be based on whether an insurance claim is submitted. At a minimum, the law should cover all information collected in the context of providing and paying for health care.

(3) The coverage should create a "chain of trust" so that the information is still protected, even if it is shared for public health activities, research, marketing, or law enforcement.

(4) Health privacy rules must be enforceable, not only through government oversight, but by allowing people to sue for violations of the law.

To achieve these goals, Congress must either amend HIPAA or pass a comprehensive health privacy law.
Once a law is in place, the standards can be carried over to new and existing Internet practices. Nevertheless, even if all of the above were enacted, the law would still fall short of providing comprehensive protections. There will always be a gray zone between "health" and "nonhealth" information. There also will continue to be new actors that do not fit the definitions of covered entities. Therefore, to capture the broadest range of Internet health activities, Congress should establish a baseline of Internet privacy protections. At a minimum, every Web site that collects information should adhere to core fair-information practices by providing users with notice about how and what information is collected; choices about the use and disclosure of their information, including the ability to restrict third parties' access; the ability to see and correct their own information collected and maintained by the Web site; and assurances that adequate security is in place to protect against unauthorized access. Most importantly, Web site operators must impose a chain-of-trust requirement on third parties who conduct business at the site or have access to information submitted on the site, so that they are held to the same privacy policies and standards as the site owner.
On The Horizon

The privacy challenges before us should not overshadow the potential of the Internet to offer consumers greater privacy protections than in the offline world. In fact, e-health companies have the potential to do better by privacy than their offline kin have done. In the offline, paper-based health care world, photocopying medical records for patients is time-consuming and expensive; obtaining patients' authorization for specific disclosures (as opposed to the one-time blanket waivers people usually sign) is burdensome; and security may not be much more than a locked file cabinet. In contrast, e-health companies have the means, right now, to engage consumers up front in a meaningful dialogue about the use and disclosure of their personal information. Privacy-enhancing technologies such as encryption, online opt-in buttons, and anonymizers for e-mail and Web browsing are readily available.36
Consumers' concerns about the loss of privacy inhibit greater acceptance of all that the Internet has to offer, and nowhere is this more stark than in the far-ranging arena of e-health. In the rush to exploit the potential of the Internet, individual users' privacy has not yet been built into its architecture and operation. Consumers will not fully reap the rewards of improved health, and greater access to care and resources, until privacy is treated as an essential element in the design and operation of e-health enterprises. These steps can—and should—be taken now.
This paper builds on an investigative report conducted by the authors and Richard Smith for the California HealthCare Foundation, Privacy: Report on the Privacy Policies and Practices of Health Web Sites, published in February 2000. The Health Privacy Project's publications and background materials are available at <www.healthprivacy.org>. The authors are grateful to their colleagues, Joy Pritts and Angela Choy, for their research, insights, and comments; and summer law clerk Jennifer Yaseen for her work on this paper. They also thank Richard Smith, Internet security expert, and Mark Smith and Sam Karp of the California HealthCare Foundation for their continued support.
NOTES
1. See J. Goldman, "Protecting Privacy to Improve Health Care," Health Affairs (Nov/Dec 1998): 47–60.
2. See, for example, HopeLink, <www.hopelink.com>; HIV InSite, <hivinsite.ucsf.edu>; and ClinicalTrials.gov, <clinicaltrials.gov> (21 August 2000).
3. "Internet Access: More Adults Look for Health Information Online," California HealthLine, 14 August 2000, <news.chcf.org>.
4. Transcript of a Federal Trade Commission public workshop discussing online profiling, 8 November 1998, <www.ftc.gov/bcp/profiling/index.htm> (18 September 2000). See also J. Harris and J. Schwartz, "Anti-Drug Web Site Tracks Visitors," Washington Post, 22 June 2000, A23; and R. O'Harrow Jr., "Firm Tracking Consumers on Web for Drug Companies," Washington Post, 14 August 2000, E1.
5. J. Berman, Center for Democracy and Technology, "The Federal Trade Commission's Report to Congress—'Privacy Online: Fair Information Practices in the Electronic Marketplace,'" testimony before the Senate Committee on Commerce, Science, and Transportation, 106th Cong., 2d sess., 25 May 2000, <www.cdt.org/testimony/000525berman.shtml> (21 August 2000).
6. California HealthCare Foundation, National Survey: Confidentiality of Medical Records (Oakland: CHCF, January 1999).
7. Cyber Dialogue, Ethics Survey of Consumer Attitudes about Health Web Sites (Oakland: CHCF, January 2000). See also "A Growing Threat," Business Week, 20 March 2000, citing a new Harris/Business Week poll finding that 92 percent of Internet users expressed discomfort about Web sites sharing personal information with other sites. In a 1998 poll, privacy was cited as the number-one reason people were choosing to stay off the Internet. "A Little Privacy Please," Business Week (16 March 1998).
[Running header: Perspectives, Health Affairs, Volume 19, Number 6, page 146]
8. J. Goldman, Z. Hudson, and R. Smith, Privacy: Report on the Privacy Policies and Practices of Health Web Sites (Oakland: CHCF, February 2000). These privacy policies and practices were those in force during January 2000, when this research was conducted. Given the degree of change and volatility in the Internet, some of the policies and practices may have changed.
9. Cookies are small text files with a unique identifier placed on the hard disk of a person's computer by a Web site. Web sites often use these monitoring systems to create "profiles" of their users. See Goldman et al., Privacy, 26. Banner ads are the most common form of advertising on Web sites. Many ads originate from companies called ad networks, which place their own cookies on the hard disk of a person's computer. As such, they have the capacity to profile users across multiple Web sites. See Goldman et al., Privacy, 29–32.
10. B. Sullivan, "Bank Information Exposed Online," MSNBC, 19 January 2000, <www.zdnet.com> (19 January 2000).
11. B. Brubaker, "'Sensitive' Kaiser E-mails Go Astray," Washington Post, 10 August 2000, E1.
12. D. Wahlberg, "Patient Records Exposed on Web," Ann Arbor News, 10 February 1999, 1.
13. See J. Schwartz, "FTC Sues Web Store over Plan to Sell Data," Washington Post, 11 July 2000, A1; S. Stoughton, "Judge Disputes FTC Settlement on Web Store Database," Boston Globe, 17 July 2000, E5; and "Judge Shelves Plan for Sale of Online Customer Database," New York Times, 18 August 2000, C2.
14. C. Stoltz, "Behind the Screens; Who Are the Companies behind the Web Sites Competing to Provide You with Health Information? Can You Trust Them with...Your Life?" Washington Post, 16 May 2000, Z14.
15. Congress did in fact fail to meet the August deadline, triggering the secretary's regulatory duty. P.L. 104-191 (21 August 1996).
16. 64 Federal Register 59918 (1999). See Administrative Simplification, <aspe.hhs.gov/admnsimp/index.htm> (18 September 2000). By the close of the public comment period, 17 February 2000, the administration had received more than 52,000 comments, more than half of them from consumers and consumer advocates. J. Heinrich, associate director of health finance and public health issues, U.S. General Accounting Office, "Privacy Standards: Issues in HHS' Proposed Rule on Confidentiality of Personal Health Information," testimony before the Senate Committee on Health, Education, Labor, and Pensions, 26 April 2000; and J. Goldman, "Confidentiality of Patient Records," testimony before the House Ways and Means Subcommittee on Health, 17 February 2000. After release of the final regulation, a twenty-four-month implementation period will follow before the law actually goes into effect.
17. For a more complete discussion, see the comments submitted by the Health Privacy Project, 17 February 2000, <www.healthprivacy.org/latest/comments.shtml> (21 August 2000).
18. In the draft regulation a "health plan" is defined as "an individual plan or group health plan that provides, or pays the cost of, medical care." 64 Federal Register 59931 (1999).
19. See CHCF, Health Insurance: Purchasing and Privacy Online for Individuals and Small Groups, 2000, <admin.chcf.org/documents/ehealth/insurancesitesreport.pdf> (21 August 2000).
20. One company, myhealthbank, has launched in two Oregon markets. Under this model, employers deposit a fixed amount into each employee's individual account. The employee then provides some information to the company and is allowed to choose a health plan from a set of options. "Employer Marketwatch—Defined Contribution: Oregon Company Gets in on Trend," American HealthLine, 21 July 2000, <nationaljournal.com> (2 September 2000). Because it is the employee sharing information with myhealthbank, the information is not covered by the regulation.
21. 64 Federal Register 60053 (1999).
22. There is some controversy over whether "de-identified" data are truly anonymous. See L. Sweeney, "Weaving Technology and Policy Together to Maintain Confidentiality," Journal of Law, Medicine, and Ethics (Summer/Fall 1997): 98–110.
23. See <www.24houronlinedrugs.com> (2 July 2000). Users are required to fill out a medical survey and to promise to see a physician after receiving the Viagra. There is no privacy policy at the Web site, and the site is not secure. Therefore, the site owner has no obligation to keep information confidential, and information shared at the site could be intercepted in transmission.
24. See discussion of a school with an on-site health clinic at 64 Federal Register 59951 (1999).
25. 64 Federal Register 60054 (1999).
26. The California Confidentiality of Medical Information
Act appears to cover some Internet sites
that store medical information for people. If the
information is stored in order to make it available
for the purposes of diagnosis or treatment of
the patient, then the corporation is deemed a
=93provider=94 just for the purposes of the act and is
subject to all of the use and disclosure restric-
147
P e r s p e c t i v e s : E - H e a l t h
H E A L T H A F F A I R S ~ N o v e m b e r / D e c e m b e r 2 0 0 0
tions imposed on traditional providers and
plans. California Civil Code, sec. 56.06. For a
comprehensive survey of state health privacy
laws, see J. Pritts et al., The State ofHealthPrivacy:An
Uneven Terrain, August 1999, <www.healthprivacy.
org/resources/statereports/contents.html> (21 August
2000).
27. Their standards can be found at <www.hon.ch>
and <www.truste.org>, respectively. Both have
been criticized for their weak enforcement of the
standards. See Electronic Privacy Information
Center, =93Surfer Beware III: Privacy Policies without
Privacy Protection,=94 December 1999,
<www.epic.org/reports/surfer-beware3.html> (18
August 2000).
28. IHC, eHealth Code of Ethics, 24 May 2000, <www.
ihealthcoalition.org/ethics/ehcode.html> (2 September
2000). As of 22 June 2000 thirty-two
organizations endorsed the code. The endorsing
organizations are primarily dot-com healthWeb
sites, including MedicaLogic/Medscape and
drkoop.com. Health Internet Ethics: Ethical Principles
for Offering Internet Health Services to Consumers,
<www.hiethics.org/Principles/index.asp> (22 June
2000). Hi-Ethics includes America Online and
PlanetRX as members.
29. Legislation introduced in the 106th Congress includes
=93Health Information Privacy Act=94 (H.R.
1941), sponsored by Rep. Gary Condit (D-CA),
Rep. Henry A. Waxman (D-CA), Rep. Edward J.
Markey (D-MA), and Rep. John D. Dingell (DMI);
=93Medical Information Protection and Research
Enhancement Act of 1999=94 (H.R. 2470),
sponsored by Rep. Jim Greenwood (R-PA), Rep.
Christopher Shays (R-CT), and Rep. Charles
Norwood (R-GA); =93Medical Information Privacy
and Security Act=94 (S. 573), sponsored by Sen.
Patrick J. Leahy (D-VT) and Sen. Edward M.
Kennedy (D-MA); =93Health Care Personal Information
Nondisclosure Act of 1999=94 (S. 578),
sponsored by Sen. Jim M. Jeffords (R-VT) and
Sen. Christopher J. Dodd (D-CT); and =93Medical
Information Protection Act of 1999=94 (S. 881),
sponsored by Sen. Robert Bennett (R-UT).
30. See The Medical Privacy ProtectionActHR 4585:Hearings
before the House Committee on Banking and Financial
Services, 106th Cong., 2d sess., 14 June 2000;
Medical Records, Privacy, and the Proposed Regulation,
before the Senate Committee on Health, Education,
Labor, and Pensions, 106th Cong., 2d sess.,
26 April 2000; and Confidentiality of Patient Records,
before the House Ways and Means Subcommittee
on Health, 106th Cong., 2d sess., 17 February
2000.
31. Legislation introduced in the 106th Congress includes
=93Consumer Privacy Protection Act=94 (S.
2606), sponsored by Sen. Ernest F. Hollings (DSC);
=93Online Privacy Protection Act=94 (S. 809),
sponsored by Sen. Conrad Burns (R-MT) and
Sen. Ron Wyden (D-OR); and =93Secure Online
Communication Enforcement Act of 2000=94 (S.
2063), sponsored by Sen. Robert G. Torricelli
(D-NJ).
32. 15 U.S. Code, sec. 65d (1998).
33. Federal Trade Commission, Privacy Online: Fair Information
Practices in the Electronic Marketplace:A Report
to Congress, May 2000, <www.ftc.gov/os/
2000/05/index.htm#22> (22 June 2000). The
FTC based its position on a series of surveys and
workshops with consumers and industry. It concluded
that, overall, self-regulatory initiatives
=93fall far short of broad-based implementation of
effective self-regulatory programs.=94 This is the
third report released by the FTC concerning online
privacy since 1995.
34. Ibid.
35. To the extent that the site collects information
anonymously, it should not be covered by the
new law, as is the case now in HIPAA.
36. See J. Goldman, =93Privacy and Individual Empowerment
in the Interactive Age,=94 in Visions of Privacy:
Policy Choices for the Digital Age, ed. C.J.
Bennett and R. Grant (Toronto: University of
Toronto Press, 1998), 97=96115.
Health Affairs, Volume 19, Number 6 (November/December 2000)