By Mark Hochhauser, Ph.D.
Readability Consultant
3344 Scott Avenue North
Golden Valley, MN 55422
Phone: 763-521-4672
Fax: 763-521-5069
E-mail: MarkH38514(at)aol.com
Research verification, additional tips, and resources provided by Jordana Beebe of the Privacy Rights Clearinghouse.
1. Summary
2. Privacy Missing from Most Online Pharmacy Reports
3. Privacy, Business, and Spam
4. Online Pharmacy Privacy Practices
5. Tips for Consumers
6. Resources
Summary
Visits to 50 online pharmacies in early July 2004 found only 11 (22%) with HIPAA Privacy Notices. These same sites also contained a website privacy notice and 4 of those 11 (8% of the total surveyed) were certified by VIPPS (Verified Internet Pharmacy Practice Sites) through the National Association of Boards of Pharmacy (http://www.nabp.net/vipps/consumer/listall.asp). A little over half or 28 sites (56%) had a privacy notice posted.
The Health Insurance Portability and Accountability Act (HIPAA) privacy rule requires health care providers to give adequate notice of uses and disclosures of protected health information. As defined under HIPAA, heath care means "care, services, or supplies related to the health of an individual." including "sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription."
As long as the care provider transmits health information in electronic form in connection with a covered transaction, the notice is required. Under HIPAA, a "covered transaction" is generally one that involves clams to and payments by a health plan. The purpose of this study was not to evaluate payment methods for pharmacy sites to determine whether the site must comply with HIPAA. Rather, this study was undertaken simply to identify sites that do or do no not have a posted privacy policy. The fact that some sites are required there is no blanket privacy protection in the law for health information. to post a HIPAA notice while others are not points out a common misconception: although many individuals might think otherwise.
Whether an online pharmacy transmits payment information electronically or collects payments through credit cards or direct account debit, consumers must supply some kind of personal information when purchasing drugs over the Internet. We strongly advise that consumers who purchase drugs in response to an unsolicited e-mail or spam should use the utmost caution in supplying personal information, particularly to sites that have no posted privacy policy. Additional tips are provided at the end of this report.
Privacy Missing from Most Online Pharmacy Reports
Although the Federal Trade Commission's (FTC) 1999 Congressional testimony identified several problems with online pharmacies, privacy was not one of them. Issues of online privacy-and spam-were not the important customer or regulatory issues that they are now. (www.ftc.gov/opa/1999/07/pharma.htm)
However, online pharmacy privacy issues were raised in the FTC's July 2000 report, which found several online pharmacies not adhering to their privacy and confidentiality assurances (www.ftc.gov/opa/2000/07/iog.htm). Pharmacy owners were prohibited by the FTC from:
"selling, renting, leasing, transferring or disclosing the personal information that was collected from their customers without express authorization from the customer."
In addition, the FTC required the defendants to post a privacy policy describing the personal identifying information they collected and used, and how their customers could access, review, modify or delete their personal information. Four years after that FTC settlement, most online pharmacies still don't meet these privacy policy criteria.
A 2000 article in FDA Consumer (www.fda/gov/fdac/features/2000/100_online.html) identified problems such as sites outside the USA selling unapproved products, or not requiring contact with a physician or a prescription. But the article did not address privacy issues. (Many of the web sites surveyed below did not have a postal address or phone number, and therefore, it was difficult to determine their physical location. Domain name registration information at times indicated that a site might be registered to someone outside of the U.S. as noted below. However, with the majority of the sites reviewed, there was no way to determine if it was operated from the U.S. or another country.)
The FDA's 2001 "Buying Prescription Medicines Online: A Consumer Safety Guide" (www.fda.gov/cder/drug/consumer/buyonline.guide.htm) noted the "lack of assurance of confidentiality and security issues" as a potential risk. FDA recommended that consumers "Look for easy-to-find and understand privacy and security policies," and that consumers should not "provide any personally identifiable information (social security number, credit card, and health history) unless you are confident that the site will protect them. Make sure the site does not share your information with others without your permission." But another FDA guide, "Buying Medicine and Medical Products Online," says nothing about consumer privacy. (www.fda.gov/buyonline/default.htm)
In a March 2004 press release, "Drugstore.com Warns Against the Growing Dangers of Pharmacies Outside US.; Consumers Urged to Seek the VIPPS Seal of Approval before Buying Prescriptions Online," the company warned that buying from online pharmacies ".could seriously increase the risk of receiving counterfeit medicine, incorrect dosages, improperly stored medications, or expired, contaminated or recalled medications. In addition, consumers patronizing overseas pharmacies may be unaware that their private medical information is not protected by the strict Health Insurance Portability and Accountability Act (HIPAA) regulations that govern privacy of both paper-based and electronic medical information in the U.S." For this reason and others, it's a good idea to avoid purchasing medication from companies that you are unable to confirm are located in the U.S. (http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=
news_view&newsId=20040330006008&newsLang=en)
For more information about HIPAA, see our fact sheet 8(a) "HIPAA Basics: Medical Privacy in the Electronic Age"
Privacy, Business, and Spam
While a November 2003 article in Business Week analyzed the future business possibilities of online pharmacies, it did not mention privacy issues and their business implications.
(http://www.businessweek.com/technology/content/nov2003/tc20031125_2272_tc136.htm)
A January 2004 Associated Press report listed the 10 most common spam topics as reported by America Online. Number 1 was spam for drugs such as Viagra, Xanax, Valium and Celebrex. Number 2 was spam for online pharmacies. Since you have to buy the drugs at a pharmacy, these are essentially the same ads. If you buy from an online pharmacy, is your identifying information sold to drug or other online pharmacy spammers? Are you at risk for identity theft? Without privacy notices, customers have no way of knowing how their personal, financial, and health information is being used - and misused. (http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=46979)
Online Pharmacy Privacy Practices
| Online pharmacies with some privacy protection | HIPAA Notice? | Privacy Notice? | VIPPS Certification? | Updated Privacy Policy after 30 day notice? |
| 1. cvs.com | Yes | Yes | Yes | N/A |
| 2. drugstore.com1 | Yes | Yes | Yes | N/A |
| 3. familymeds.com | Yes | Yes | Yes | N/A |
| 4. walgreens.com | Yes | Yes | Yes | N/A |
| 5. duanereade.com | Yes | Yes | No | N/A |
| 6. pharmacare.com | Yes | Yes | No | N/A |
| 7. prescriptionAmerica.com | Yes | Yes | No | N/A |
| 8. rite-aid.com1 | Yes | Yes | No | N/A |
| 9. rxusa.com | Yes | Yes | No | N/A |
| 10. samsclub.com | Yes | Yes | No | N/A |
| 11. walmart.com | Yes | Yes | No | N/A |
| 12. clickpharmacy.com | No | Yes | Yes | N/A |
| 13. canadadrugs.com * | No | Yes | No, has other certification | N/A |
| 14. pharmnet.com | No | Yes | No, has other certification | N/A |
| 15. aarppharmcy.com | No | Yes | No | N/A |
| 16. AmericaRx.com | No | Yes | No | N/A |
| 17. amerimedrx.com | No | Yes | No | N/A |
| 18. drugstore-online-pharmacy.com | No | Yes | No | N/A |
| 19. fillascript.com | No | Yes | No | N/A |
| 20. healthpluspharmacy.com * | No | Yes | No | N/A |
| 21. kmart.com | No | Yes | No | N/A |
| 22. overnightpharm.com | No | Yes | No | N/A |
| 23. prioritypharmacy.com | No | Yes | No | N/A |
| 24. pharmacyhealth.net | No | Yes | No | N/A |
| 25. rxlist.com | No | Yes | No | N/A |
| 26. unitedpharmacies.com | No | Yes | No | N/A |
| 27. usprescription.com | No | Yes | No | N/A |
| 28. yourfriendlypharmacy.com | No | Yes | No | N/A |
| Online pharmacies with no privacy protection | HIPAA Notice? | Privacy Notice? | VIPPS Certification? | Updated Privacy Policy after 30 day notice? |
| 29. 1stoppharmacy.com | No | No | No | No Policy Posted |
30. 24hourmedications.com | No | No | No | No Policy Posted |
| 31. 7-onlinepharmacy.com | No | No | No | No Policy Posted |
| 32. buy-online-prescription-drugs.net * | No | No | No | No Policy Posted |
| 33. cheap-pharmacy-online.com | No | No | No | No Policy Posted |
| 34. cheap-online-pharmacy.info * | No | No | No | No Policy Posted |
| 35. legalmedsonline.com | No | No | No | No Policy Posted |
| 36. mixpills.com * | No | No | No | No Policy Posted |
| 37. mygeneric.com | No | No | No | No Policy Posted |
| 38. online-pharmacy-123.com | No | No | No | No Policy Posted |
| 39. online-prescriptiondrugs.com | No | No | No | No Policy Posted |
| 40. online-scripts.com | No | No | No | Posted Policy |
| 41. onlineprescriptionsportal.com | No | No | No | Letter Returned |
| 42. prescriptiondrugs.com * | No | No | No | No Policy Posted |
| 43. pharmacy-prescriptions.com | No | No | No | Letter Returned |
| 44. pillsfast.com | No | No | No | No Policy Posted |
| 45. pillstore.com | No | No | No | No Policy Posted |
| 46. pillsupplier.com | No | No | No | No Policy Posted |
| 47. pillvalue.com | No | No | No | Letter Returned |
| 48. rxmeds.com | No | No | No | No Policy Posted |
| 49. trustpharma.com * | No | No | No | No Policy Posted |
| 50. usa-pharmacy-online.com * | No | No | No | No Policy Posted |
1Although Rite-Aid is not VIPPS Certified, drugstore.com - which processes Rite Aid's online prescriptions - is VIPPS Certified.
* Indicates company that may be located outside the U.S.
Tips for Consumers
If you are a consumer who is considering purchasing prescriptions online, there are a few things that you should check for with the online pharmacy web site.
A reputable online pharmacy will:
- Indicate that it is located in the United States.
- Contain a Privacy Policy on its home page or that is easily located on its site.
- Not share your information with others without your permission.
- Contain a HIPAA Privacy notice.
- Provide a licensed pharmacist who can answer your questions.
- Note that it is registered with a state pharmacy board.
- Require a prescription from a physician or authorized health care provider and then verifies each prescription before dispensing medication.
- Note that the medications it sells are FDA-approved.
If you locate an online pharmacy that is selling prescription drugs that are not approved by the U.S. Food and Drug Administration or that you suspect may be counterfeit or unsafe, file a complaint with the FDA at: http://www.fda.gov/ForConsumers/ProtectYourself/default.htm
You may also want to check with the National Association of Boards of Pharmacy (see Resources below) to determine whether a web site is a licensed pharmacy in good standing.
When you order from a U.S. company, under the Mail Order Sales Rule (see Resources below), you should receive your purchase in the mail within 30 days.
Resources
Privacy Rights Clearinghouse
HIPAA Basics: Medical Privacy in the Electronic Age
E-Commerce and You: Online Shopping Tips
Federal Trade Commission
FTC Testifies "Drugstores on the Net:The Benefits and Risks of Online Pharmacies"
http://www.ftc.gov/opa/1999/07/pharma.shtm
A Business Guide to the Federal Trade Commission's Mail or Telephone Order Merchandise Rule
http://www.ftc.gov/bcp/conline/pubs/buspubs/mailorder.htm
General Accounting Office
Internet Pharmacies: Some Pose Safety Risks for Consumers
http://www.gao.gov/new.items/d04820.pdf
National Association of Boards of Pharmacy
The NABP is an independent, international, and impartial association that assists and represents the state boards of pharmacy and jurisdictions in developing, implementing, and enforcing uniform standards for the purpose of protecting the public health.
National Associations of Boards of Pharmacy (NABP)
700 Busse Highway
Parkridge, IL 60068
(847) 698-6227
http://www.nabp.net
Listing of State Pharmacy Boards
http://www.nabp.net/vipps/consumer/links/stateboards.asp
Listing of State Medical Boards
http://www.nabp.net/vipps/consumer/links/statemedical.asp
Verified Internet Pharmacy Practice Sites (VIPPS) Most Frequently Asked Questions
http://www.nabp.net/vipps/consumer/faq.asp
Verified Internet Pharmacies List
http://www.nabp.net/vipps/consumer/listall.asp
U.S. Food and Drug Administration (FDA)
Buying Prescription Medicines Online: A Consumer Safety Guide
http://www.fda.gov/cder/consumerinfo/buyOnlineGuide.htm
Buying Medicines and Medical Products Online
http://www.fda.gov/ForConsumers/ProtectYourself/default.htm
Buying Drugs Online: It's Convenient and Private, but Beware of 'Rogue Sites'
http://www.fda.gov/ForConsumers/ConsumerUpdates/default.htm
Reporting Unlawful Sales of Medical Products on the Internet
http://www.fda.gov/ForConsumers/ProtectYourself/default.htm
