HIPAA may offer little protection to Internet users

November 26, 2001

The Health Insurance Portability and Accountability Act (HIPAA) does not protect the privacy of Internet users when they are engaged in the most common e-health transactions online, according to a report released this month.

"Why the new federal health privacy regulation doesn't offer much protection to Internet users," a report by the Health Privacy Project in the Institute for Health Care Research and Policy at Georgetown University, says the federal health privacy regulation applies only to three types of healthcare entities:

  • healthcare providers (hospitals or physicians' offices)

  • health plans (such as Aetna U.S. Healthcare or Kaiser Permanente)

  • healthcare clearinghouses that process health insurance claims information for providers and insurers (such as WebMD Office)

Health Web sites not owned or operated by one of these three types of entities fall outside the scope of the rule. Different rules may, therefore, apply to different Web sites offering similar services, such as second opinions or e-prescriptions, depending only on who owns the site.

"Even at Web sites that are owned or operated by organizations covered by the privacy regulation, it is ambiguous which activities at those sites are subject to the privacy rule," the report said.

The burden will be on consumers and Web site operators to determine which Web sites must comply with the regulation.

Until the HIPAA privacy regulation was issued in December 2000, there were few legal limits on how health-related information collected on individuals could be used and disclosed. By focusing on electronic transactions, the regulation attempts to give consumers confidence that health information moving across computer-based networks will be protected.

By leaving this loophole, however, HIPAA may be merely creating the illusion of legal protection, lulling consumers into a false sense of security when they engage in online health activities.

"Given the wide range of activities on the Internet and the relatively narrow scope of the regulation, it is likely that a great deal of health information collected on health Web sites will not be covered by the new regulation," the report said.

Some sites have responded to the concern about privacy and security on the Internet by adopting self-regulation. Some professional organizations and trade associations have taken preemptive measures to head off potential federal Internet privacy regulation by developing standards and seal programs (such as TRUSTe) to address Internet privacy and security issues. But compliance with these programs is voluntary, and few if any enforcement mechanisms are in place.

"People believe they are invisible and anonymous online, but they are often exposing their most sensitive health information to online healthcare sites that are not required by law to protect the information or keep it confidential," the report said. "The potential for abuse is enormous."

The report is available online.