Many Web Sites Can Skirt Privacy Law

Consumer advocates were encouraged last year when President Bush endorsed new privacy regulations intended to protect patients’ medical records as they traverse the health-care system. Now, however, researchers at Georgetown University say the rules fall woefully short in protecting much of the supposedly confidential medical information that is gathered by Internet companies.

In a study released last week, researchers at Georgetown University’s Health Privacy Project examined how the new laws apply to the many thousands of Web sites that traffic in health information. Among other things, the federal rules, which went into effect on April 14, require that doctors and other health-care providers get written consent from patients whenever health information is shared, electronically or otherwise, and even for routine purposes, such as claims processing. Fines for violating the rules can range from $100 up to $250,000.

*

Yet when Congress set the framework for the privacy protections back in 1996, it focused on the activities of doctors, and insurers, the report said; the legislation did not anticipate the swarm of health activities and services that would appear on the Web, many of which are not covered. The new report identifies several categories of health-related Web sites that are not subject to the new privacy regulations:

* General information sites, which may provide advice about fitness, nutrition, treatment and medical conditions. These include sites such as https://foodfit.com, https://drkoop.com and https://medigenesis.com, the report said. General health sites often include interactive features, such as health “calculators,” in which visitors fill out extensive forms that include name, address, age, income and partial medical histories.

* Sites offering online mental counseling, which typically involves an exchange of e-mails over hours or days. Therapy by e-mail or over the Web by necessity involves disclosure of sensitive personal and medical information. This service can be useful to people who are reluctant to visit a therapist in person or who live in less-populated areas where access to counseling services is difficult, psychologists say. But because such sites usually require payment upfront, without involvement of insurance claims, they are not subject to the privacy laws, Goldman said.

* Web sites that sell drugs online without a prescription. Hundreds of sites have popped up in recent years to capitalize on demand for drugs like Viagra, Prozac and Cipro, the antibiotic that has been used to treat anthrax. But because these companies typically take payment only by credit card, rather than through traditional health insurance channels, they are covered under the new privacy regulations, the report said.

“These are business sites that have nothing like a Hippocratic oath; they don’t have the same strict ethics that are built into the doctor-patient relationship,” said Janlori Goldman, director of the Privacy Project and lead author of the report. Also, she said, “sites often contract with many others when doing business, and you have no idea who’s gathering medical information on you.”

Goldman said prior research at Georgetown of the practices of individual Web health sites has found that often the sites “themselves don’t know what’s happening to the information.”

In just the last two years, the number of people accessing health information online has doubled, to include some 65 million Americans and more than 60% of Internet users, according to surveys by the Pew Internet & American Life project.

Most Web sites do post privacy policies, in which they typically promise not to pass on personal information without first getting consumers’ consent. If a posted policy is clearly violated, the site can be charged with unfair trade practices under current Federal Trade Commission regulations. But even when consumers take the time to read privacy policies, the wording can change or the entire policy be rewritten, Goldman said.

“When one company takes over another, for instance, the new owners can change the policy and just send out a notice,” she said.

*

Even under California’s relatively strong privacy protections, about 20% of adults say they have taken precautions to protect their privacy, such as occasionally paying for care out-of-pocket even when they have insurance, according to surveys commission by the California HealthCare Foundation, a health-care charity based in Oakland.

“We would argue as a matter of ethics and policy that e-health entities should err on side of being safe,” Goldman said. If not, she said, “consumers will quickly feel betrayed.”