{"id":97438,"date":"2001-11-19T00:00:00","date_gmt":"2001-11-19T05:00:00","guid":{"rendered":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/2001\/11\/19\/part-4-partially-covered-and-indirectly-covered-web-sites\/"},"modified":"2024-04-14T04:14:30","modified_gmt":"2024-04-14T09:14:30","slug":"part-4-partially-covered-and-indirectly-covered-web-sites","status":"publish","type":"post","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-4-partially-covered-and-indirectly-covered-web-sites\/","title":{"rendered":"Part 4: Partially Covered and Indirectly Covered Web Sites"},"content":{"rendered":"<h3 data-is-section=\"true\" data-wp-context=\"{&quot;id&quot;:&quot;sites-with-multiple-activities&quot;}\" data-wp-interactive=\"{&quot;namespace&quot;:&quot;prc-block\\\/table-of-contents&quot;}\" id=\"sites-with-multiple-activities\" class=\"wp-block-heading\">Sites with Multiple Activities<\/h3>\n\n<p class=\"wp-block-paragraph\">As covered entities establish an online presence, their online collection and transmission of personal health information will be regulated by the privacy rule.\u00a0 Even if a company is a covered entity, however, it is not obvious whether all information collected by the entity at its Web site is covered.\u00a0 Most health-related Web sites engage in a number of different activities, from providing general educational health information to allowing patients to review test results online.\u00a0 Only some of these activities will be protected by the privacy regulation.\u00a0 For example, drugstore.com sells both drugs pursuant to a prescription and over-the-counter products.\u00a0 While information related to the prescription drug will be covered by the privacy regulation, information related to the over-the-counter product will not.\u00a0 The privacy rule covers only identifiable information related to \u201chealth care.\u201d\u00a0 This term does not include selling or distributing non-prescription health care items.<\/p>\n\n<p class=\"wp-block-paragraph\">This scenario could pose serious concerns for some online patients.\u00a0 Consumers often use the Internet to purchase health items with the belief that their purchase will be anonymous.[41.numoffset=&#8221;41&#8243; <em>See e.g.<\/em>, C. Frey, \u201cOnline Shopper; When Privacy Matters; If buying condoms or adult diapers embarrasses you, try a Web drugstore,\u201d <em>L.A. Times<\/em>, June 14, 2001, at T-4, which actually encourages consumers to shop for embarrassing products on the Web.] Drugstore.com, for example, sells sexual enhancement items that a customer would find difficult to locate in a bricks and mortar pharmacy.[42. <em>See<\/em> the Specialty Shops at <a href=\"http:\/\/www.drugstore.com\">http:\/\/www.drugstore.com<\/a>.] Yet, information related to these over-the-counter items is not protected by the privacy rule.\u00a0 For instance, an HIV\/AIDS patient can purchase AZT and condoms at Drugstore.com in one transaction and have them both shipped at the same time.\u00a0 Yet only information related to the AZT purchase will be protected by the privacy regulation.<\/p>\n\n<p class=\"wp-block-paragraph\">The posting of a notice of privacy practices at the Web site, as required by the federal privacy rule, may compound the problem.\u00a0 A customer may read the notice and believe that it applies to the entire Web site, as opposed to just certain activities.<\/p>\n\n<p class=\"wp-block-paragraph\">The issue becomes even more ambiguous when a site operated by a covered entity offers general health information for \u201ceducational\u201d purposes.\u00a0 For example, Cleveland Clinic has a Web site,[43. <a href=\"http:\/\/www.clevelandclinic.org\">http:\/\/www.clevelandclinic.org<\/a>.] a small portion of which functions as an extension of its offline health care activities.\u00a0 Patients can request an appointment online, for instance.\u00a0 Assuming that Cleveland Clinic will be a covered provider under the regulation, these activities would be covered by the privacy rule.\u00a0 However, a significant component of the site[44. <a href=\"http:\/\/www.clevelandclinic.org\/health\">http:\/\/www.clevelandclinic.org\/health<\/a>.] is information-based and furnishes information on a wide spectrum of health conditions.\u00a0 Individuals can sign up at the \u201chealth information\u201d component of the site to receive e-mail alerts on specific health topics of interest, including sensitive medical conditions such as AIDS, alcoholism and incontinence.\u00a0 Is the fact that a person has registered to receive this type of health information from a covered provider protected by the privacy rule? <\/p>\n\n<p class=\"wp-block-paragraph\">It is not clear.\u00a0 The question centers on whether the personal data provided in registering to receive information on a specific health topic would be considered \u201cindividually identifiable health information\u201d under the privacy rule, since this is the only type of information that is protected.\u00a0 To be protected, identifiable information must relate either to the health or condition of a person or to the provision of health care to a person.[45. The information also must be created or received by a covered entity.] The Cleveland Clinic takes the position that it does not provide health care by furnishing health information via e-mail.[46. The privacy policy at the health information portion of Cleveland Clinic\u2019s Web site states in part: \u201cplease remember that medical information provided by The Cleveland Clinic Foundation, in the absence of a visit with a health care professional, must be considered as an educational service only. The information sent through e-mail should not be relied upon as a medical consultation.\u201d Available at <a href=\"http:\/\/www.clevelandclinic.org\/health\/popupprivacy.htm\">http:\/\/www.clevelandclinic.org\/health\/popupprivacy.htm<\/a>.] And it is unclear when a person merely asks for information on a health topic whether they are relating health information about themselves.<\/p>\n\n<p class=\"wp-block-paragraph\">Why would signing up to receive health information on a medical topic, however, be any different from a trip to the library to obtain information on a specific disorder?\u00a0 The privacy rule itself is ambiguous, and HHS has not issued any guidance on this topic.<\/p>\n\n<p class=\"wp-block-paragraph\">In short, a health care consumer should not assume that all information that she provides at a Web site run by a covered entity will be protected by the privacy rule. <\/p>\n\n<h3 data-is-section=\"true\" data-wp-context=\"{&quot;id&quot;:&quot;business-associates&quot;}\" data-wp-interactive=\"{&quot;namespace&quot;:&quot;prc-block\\\/table-of-contents&quot;}\" id=\"business-associates\" class=\"wp-block-heading\">Business Associates<\/h3>\n\n<p class=\"wp-block-paragraph\">Health plans and providers routinely hire business associates.\u00a0 Business associates receive health information on behalf of or from a covered entity, but they are not directly covered by the privacy rule.\u00a0 Rather, the burden is on the covered entity to ensure through contracts that the business associates protect the health information that they receive.<\/p>\n\n<p class=\"wp-block-paragraph\">Some of the most promoted and publicized Web sites, such as MedicaLogic,[47.numoffset=&#8221;47&#8243; <a href=\"http:\/\/www.medicalogic.com\/\">http:\/\/www.medicalogic.com\/<\/a>.] which recently merged with Medscape, may be considered \u201cbusiness associates\u201d by the new regulation.\u00a0 MedicaLogic allows physicians to create online medical records. MedicaLogic would be a business associate of covered health care providers that use its online services.\u00a0 And information stored at MedicaLogic\u2019s site would only be indirectly protected by the privacy rule. <\/p>\n\n<p class=\"wp-block-paragraph\">As a general matter, health information collected by a business associate should receive some indirect protection under the privacy rule.\u00a0 If the business associate does anything improper with the health information, the covered entity would be expected to cancel its contract, if possible.\u00a0 However, HHS does not have the ability to impose any civil or criminal fines directly against a business associate.\u00a0 The business associate contract should provide adequate protection, but what happens when a Web-based business associate files for bankruptcy and its only valuable asset is the information that it has collected on patients?[48. There is no definitive answer to this question, since the issue of selling customer data lists when a company goes bankrupt has only been addressed outside of the courtroom. For example, when Toysmart.com, an online toy seller, went bankrupt, the company advertised an asset auction that included its customer database as an auction item, even though its privacy policy had promised not to disclose customers&#8217; data to outside parties. The Federal Trade Commission filed a lawsuit against Toysmart, and ultimately Walt Disney, a major investor in Toysmart, agreed to buy and destroy the information. Similarly, when the online furniture seller Living.com went bankrupt, the Texas Attorney General sued the company to prevent it from selling customer data. On the same day, Living.com agreed to destroy all customers\u2019 financial records. Kim Peterson, \u201cDon\u2019t count on privacy if you\u2019re on the Internet,\u201d <em>San Diego Union Trib.<\/em>, Jan. 13, 2001, at A1.]<\/p>","protected":false},"excerpt":{"rendered":"<p>Sites with Multiple Activities As covered entities establish an online presence, their online collection and transmission of personal health information will be regulated by the privacy rule.\u00a0 Even if a company is a covered entity, however, it is not obvious whether all information collected by the entity at its Web site is covered.\u00a0 Most health-related [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sub_headline":"","sub_title":"","_crdt_document":"","_prc_public_revisions":[],"_ppp_expiration_hours":0,"_ppp_enabled":false,"ai_generated_summary":"","relatedPosts":[],"reportMaterials":[],"multiSectionReport":[],"package_parts__enabled":false,"package_parts":[],"_prc_fork_parent":0,"_prc_fork_status":"","_prc_active_fork":0,"datacite_doi":"","datacite_doi_citation":"","_prc_seo_qr_attachment_id":0,"spoken_article_player_enabled":true,"bylines":[],"acknowledgements":[],"displayBylines":true,"footnotes":"","prc_watchers":[]},"categories":[],"tags":[],"bylines":[],"collection":[],"datasets":[],"level_of_effort":[],"primary_audience":[],"information_type":[],"_post_visibility":[],"formats":[458],"_fund_pool":[],"languages":[],"regions-countries":[],"research-teams":[526],"workflow-status":[],"class_list":["post-97438","post","type-post","status-publish","format-standard","hentry","formats-report","research-teams-internet"],"label":false,"post_parent":97396,"word_count":1151,"canonical_url":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-4-partially-covered-and-indirectly-covered-web-sites\/","art_direction":false,"_embeds":[],"watchers":[],"table_of_contents":[{"id":97396,"title":"Exposed Online: The federal health privacy regulation and Internet user impacts","slug":"exposed-online-the-federal-health-privacy-regulation-and-internet-user-impacts","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/exposed-online-the-federal-health-privacy-regulation-and-internet-user-impacts\/","is_active":false},{"id":97403,"title":"About Us","slug":"about-us-4","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/about-us-4\/","is_active":false},{"id":97409,"title":"The Terrain","slug":"the-terrain","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/the-terrain\/","is_active":false},{"id":97416,"title":"Part 1: Public Opinion","slug":"part-1-public-opinion","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-1-public-opinion\/","is_active":false},{"id":97423,"title":"Part 2: The New Federal Health Privacy Regulation","slug":"part-2-the-new-federal-health-privacy-regulation","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-2-the-new-federal-health-privacy-regulation\/","is_active":false},{"id":97432,"title":"Part 3: Covered Web Sites","slug":"part-3-covered-web-sites","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-3-covered-web-sites\/","is_active":false},{"id":97438,"title":"Part 4: Partially Covered and Indirectly Covered Web Sites","slug":"part-4-partially-covered-and-indirectly-covered-web-sites","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-4-partially-covered-and-indirectly-covered-web-sites\/","is_active":true},{"id":97444,"title":"Part 5: Web Sites Not Covered","slug":"part-5-web-sites-not-covered","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-5-web-sites-not-covered\/","is_active":false},{"id":97447,"title":"Part 6: Putting It All Together","slug":"part-6-putting-it-all-together","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-6-putting-it-all-together\/","is_active":false},{"id":97454,"title":"Part 7: Conclusion","slug":"part-7-conclusion","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-7-conclusion\/","is_active":false}],"report_materials":"","report_pagination":{"current_post":{"id":97438,"title":"Part 4: Partially Covered and Indirectly Covered Web Sites","slug":"part-4-partially-covered-and-indirectly-covered-web-sites","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-4-partially-covered-and-indirectly-covered-web-sites\/","is_active":true,"page_num":7},"next_post":{"id":97444,"title":"Part 5: Web Sites Not Covered","slug":"part-5-web-sites-not-covered","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-5-web-sites-not-covered\/","is_active":false,"page_num":8},"previous_post":{"id":97432,"title":"Part 3: Covered Web Sites","slug":"part-3-covered-web-sites","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-3-covered-web-sites\/","is_active":false,"page_num":6},"pagination_items":[{"id":97396,"title":"Exposed Online: The federal health privacy regulation and Internet user impacts","slug":"exposed-online-the-federal-health-privacy-regulation-and-internet-user-impacts","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/exposed-online-the-federal-health-privacy-regulation-and-internet-user-impacts\/","is_active":false,"page_num":1},{"id":97403,"title":"About Us","slug":"about-us-4","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/about-us-4\/","is_active":false,"page_num":2},{"id":97409,"title":"The Terrain","slug":"the-terrain","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/the-terrain\/","is_active":false,"page_num":3},{"id":97416,"title":"Part 1: Public Opinion","slug":"part-1-public-opinion","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-1-public-opinion\/","is_active":false,"page_num":4},{"id":97423,"title":"Part 2: The New Federal Health Privacy Regulation","slug":"part-2-the-new-federal-health-privacy-regulation","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-2-the-new-federal-health-privacy-regulation\/","is_active":false,"page_num":5},{"id":97432,"title":"Part 3: Covered Web Sites","slug":"part-3-covered-web-sites","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-3-covered-web-sites\/","is_active":false,"page_num":6},{"id":97438,"title":"Part 4: Partially Covered and Indirectly Covered Web Sites","slug":"part-4-partially-covered-and-indirectly-covered-web-sites","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-4-partially-covered-and-indirectly-covered-web-sites\/","is_active":true,"page_num":7},{"id":97444,"title":"Part 5: Web Sites Not Covered","slug":"part-5-web-sites-not-covered","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-5-web-sites-not-covered\/","is_active":false,"page_num":8},{"id":97447,"title":"Part 6: Putting It All Together","slug":"part-6-putting-it-all-together","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-6-putting-it-all-together\/","is_active":false,"page_num":9},{"id":97454,"title":"Part 7: Conclusion","slug":"part-7-conclusion","link":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/internet\/2001\/11\/19\/part-7-conclusion\/","is_active":false,"page_num":10}]},"parent_info":{"parent_title":"Exposed Online: The federal health privacy regulation and Internet user impacts","parent_id":97396},"materialsOrdered":[],"chaptersOrdered":[],"partsOrdered":[],"partsEnabled":false,"datacite_doi":"","prc_seo_data":{"title":"Part 4: Partially Covered and Indirectly Covered Web Sites","description":"Sites with Multiple Activities As covered entities establish an online presence, their online collection and transmission of personal health information will be regulated by the privacy rule.\u00a0 Even if a&hellip;","og_title":"Part 4: Partially Covered and Indirectly Covered Web Sites","og_description":"","schema_type":"Article","noindex":false,"canonical_url":"","primary_terms":[],"custom_schema":[],"og_image":0,"indexnow_submitted_at":null,"gsc_index_status":null},"prepublish_checks":{"prc-image-alt-text":{"status":"complete","message":"No image blocks in content.","data":null},"prc-about-this-research":{"status":"incomplete","message":"Add an \"About this research\" details block.","data":null},"prc-paragraph-count":{"status":"complete","message":"Found 10 paragraphs.","data":{"count":10}},"prc-internal-link":{"status":"incomplete","message":"Add at least one internal link.","data":{"count":0}}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"relatedPostsOrdered":[],"bylinesOrdered":[],"acknowledgementsOrdered":[],"_links":{"self":[{"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/posts\/97438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/comments?post=97438"}],"version-history":[{"count":2,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/posts\/97438\/revisions"}],"predecessor-version":[{"id":134144,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/posts\/97438\/revisions\/134144"}],"wp:attachment":[{"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/media?parent=97438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/categories?post=97438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/tags?post=97438"},{"taxonomy":"bylines","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/bylines?post=97438"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/collection?post=97438"},{"taxonomy":"datasets","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/datasets?post=97438"},{"taxonomy":"level_of_effort","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/level_of_effort?post=97438"},{"taxonomy":"primary_audience","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/primary_audience?post=97438"},{"taxonomy":"information_type","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/information_type?post=97438"},{"taxonomy":"_post_visibility","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/_post_visibility?post=97438"},{"taxonomy":"formats","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/formats?post=97438"},{"taxonomy":"_fund_pool","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/_fund_pool?post=97438"},{"taxonomy":"languages","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/languages?post=97438"},{"taxonomy":"regions-countries","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/regions-countries?post=97438"},{"taxonomy":"research-teams","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/research-teams?post=97438"},{"taxonomy":"workflow-status","embeddable":true,"href":"https:\/\/alpha.pewresearch.org\/pewresearch-org\/wp-json\/wp\/v2\/workflow-status?post=97438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}