Study Finds No Privacy Rights at Many Online Pharmacies (Hochhauser)

By Mark Hochhauser, Ph.D.
Readability Consultant
3344 Scott Avenue North
Golden Valley, MN 55422
Phone: 763-521-4672
Fax: 763-521-5069
E-mail: MarkH38514(at)

Research verification, additional tips, and resources provided by Jordana Beebe of the Privacy Rights Clearinghouse.


1. Summary
2. Privacy Missing from Most Online Pharmacy Reports
3. Privacy, Business, and Spam
4. Online Pharmacy Privacy Practices
5. Tips for Consumers
6. Resources



Visits to 50 online pharmacies in early July 2004 found only 11 (22%) with HIPAA Privacy Notices. These same sites also contained a website privacy notice, and 4 of those 11 (8% of the total surveyed) were certified by VIPPS (Verified Internet Pharmacy Practice Sites) through the National Association of Boards of Pharmacy. A little over half, or 28 sites (56%), had a privacy notice posted.


The Health Insurance Portability and Accountability Act (HIPAA) privacy rule requires health care providers to give adequate notice of uses and disclosures of protected health information. As defined under HIPAA, health care means "care, services, or supplies related to the health of an individual," including "sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription."


As long as the care provider transmits health information in electronic form in connection with a covered transaction, the notice is required. Under HIPAA, a "covered transaction" is generally one that involves claims to and payments by a health plan. The purpose of this study was not to evaluate payment methods for pharmacy sites to determine whether the site must comply with HIPAA. Rather, this study was undertaken simply to identify sites that do or do not have a posted privacy policy. The fact that some sites are required to post a HIPAA notice while others are not points out a common misconception: although many individuals might think otherwise, there is no blanket privacy protection in the law for health information.


Whether an online pharmacy transmits payment information electronically or collects payments through credit cards or direct account debit, consumers must supply some kind of personal information when purchasing drugs over the Internet. We strongly advise that consumers who purchase drugs in response to an unsolicited e-mail or spam should use the utmost caution in supplying personal information, particularly to sites that have no posted privacy policy. Additional tips are provided at the end of this report.


Privacy Missing from Most Online Pharmacy Reports

Although the Federal Trade Commission's (FTC) 1999 Congressional testimony identified several problems with online pharmacies, privacy was not one of them. Issues of online privacy - and spam - were not the important customer or regulatory issues that they are now.


However, online pharmacy privacy issues were raised in the FTC's July 2000 report, which found several online pharmacies not adhering to their privacy and confidentiality assurances. Pharmacy owners were prohibited by the FTC from:

"selling, renting, leasing, transferring or disclosing the personal information that was collected from their customers without express authorization from the customer."


In addition, the FTC required the defendants to post a privacy policy describing the personal identifying information they collected and used, and how their customers could access, review, modify or delete their personal information. Four years after that FTC settlement, most online pharmacies still don't meet these privacy policy criteria.


A 2000 article in FDA Consumer (www.fda/gov/fdac/features/2000/100_online.html) identified problems such as sites outside the USA selling unapproved products, or not requiring contact with a physician or a prescription. But the article did not address privacy issues. (Many of the web sites surveyed below did not have a postal address or phone number, and therefore, it was difficult to determine their physical location. Domain name registration information at times indicated that a site might be registered to someone outside of the U.S. as noted below. However, with the majority of the sites reviewed, there was no way to determine if it was operated from the U.S. or another country.)


The FDA's 2001 "Buying Prescription Medicines Online: A Consumer Safety Guide" noted the "lack of assurance of confidentiality and security issues" as a potential risk. FDA recommended that consumers "Look for easy-to-find and understand privacy and security policies," and that consumers should not "provide any personally identifiable information (social security number, credit card, and health history) unless you are confident that the site will protect them. Make sure the site does not share your information with others without your permission." But another FDA guide, "Buying Medicine and Medical Products Online," says nothing about consumer privacy.


In a March 2004 press release, " Warns Against the Growing Dangers of Pharmacies Outside US.; Consumers Urged to Seek the VIPPS Seal of Approval before Buying Prescriptions Online," the company warned that buying from online pharmacies "...could seriously increase the risk of receiving counterfeit medicine, incorrect dosages, improperly stored medications, or expired, contaminated or recalled medications. In addition, consumers patronizing overseas pharmacies may be unaware that their private medical information is not protected by the strict Health Insurance Portability and Accountability Act (HIPAA) regulations that govern privacy of both paper-based and electronic medical information in the U.S." For this reason and others, it's a good idea to avoid purchasing medication from companies that you are unable to confirm are located in the U.S.


For more information about HIPAA, see our fact sheet 8(a) "HIPAA Basics: Medical Privacy in the Electronic Age"


Privacy, Business, and Spam

While a November 2003 article in Business Week analyzed the future business possibilities of online pharmacies, it did not mention privacy issues and their business implications.


A January 2004 Associated Press report listed the 10 most common spam topics as reported by America Online. Number 1 was spam for drugs such as Viagra, Xanax, Valium and Celebrex. Number 2 was spam for online pharmacies. Since you have to buy the drugs at a pharmacy, these are essentially the same ads. If you buy from an online pharmacy, is your identifying information sold to drug or other online pharmacy spammers? Are you at risk for identity theft? Without privacy notices, customers have no way of knowing how their personal, financial, and health information is being used - and misused.


Online Pharmacy Privacy Practices


| Online pharmacies with some privacy protection | HIPAA Notice? | Privacy Notice? | VIPPS Certification? | Updated Privacy Policy after 30 day notice? |
|---|---|---|---|---|
| 1. cvs.com | Yes | Yes | Yes | N/A |
| 2. drugstore.com [1] | Yes | Yes | Yes | N/A |
| 3. familymeds.com | Yes | Yes | Yes | N/A |
| 4. walgreens.com | Yes | Yes | Yes | N/A |
| 5. duanereade.com | Yes | Yes | No | N/A |
| 6. pharmacare.com | Yes | Yes | No | N/A |
| 7. prescriptionAmerica.com | Yes | Yes | No | N/A |
| 8. rite-aid.com [1] | Yes | Yes | No | N/A |
| 9. rxusa.com | Yes | Yes | No | N/A |
| 10. samsclub.com | Yes | Yes | No | N/A |
| 11. walmart.com | Yes | Yes | No | N/A |
| 12. clickpharmacy.com | No | Yes | Yes | N/A |
| 13. * | No | Yes | No, has other certification | N/A |
| 14. pharmnet.com | No | Yes | No, has other certification | N/A |
| 15. aarppharmcy.com | No | Yes | No | N/A |
| 16. AmericaRx.com | No | Yes | No | N/A |
| 17. amerimedrx.com | No | Yes | No | N/A |
| 18. drugstore-online-pharmacy.com | No | Yes | No | N/A |
| 19. fillascript.com | No | Yes | No | N/A |
| 20. * | No | Yes | No | N/A |
| 21. kmart.com | No | Yes | No | N/A |
| 22. overnightpharm.com | No | Yes | No | N/A |
| 23. prioritypharmacy.com | No | Yes | No | N/A |
| 24. pharmacyhealth.net | No | Yes | No | N/A |
| 25. rxlist.com | No | Yes | No | N/A |
| 26. unitedpharmacies.com | No | Yes | No | N/A |
| 27. usprescription.com | No | Yes | No | N/A |
| 28. yourfriendlypharmacy.com | No | Yes | No | N/A |

| Online pharmacies with no privacy protection | HIPAA Notice? | Privacy Notice? | VIPPS | Updated Privacy Policy after 30 day notice? |
|---|---|---|---|---|
| 29. 1stoppharmacy.com | No | No | No | No Policy Posted |
| 30. | | No | No | No Policy Posted |
| 31. 7-onlinepharmacy.com | No | No | No | No Policy Posted |
| 32. * | No | No | No | No Policy Posted |
| 33. cheap-pharmacy-online.com | No | No | No | No Policy Posted |
| 34. * | No | No | No | No Policy Posted |
| 35. legalmedsonline.com | No | No | No | No Policy Posted |
| 36. * | No | No | No | No Policy Posted |
| 37. mygeneric.com | No | No | No | No Policy Posted |
| 38. online-pharmacy-123.com | No | No | No | No Policy Posted |
| 39. online-prescriptiondrugs.com | No | No | No | No Policy Posted |
| 40. online-scripts.com | No | No | No | Posted Policy |
| 41. onlineprescriptionsportal.com | No | No | No | Letter Returned |
| 42. * | No | No | No | No Policy Posted |
| 43. pharmacy-prescriptions.com | No | No | No | Letter Returned |
| 44. pillsfast.com | No | No | No | No Policy Posted |
| 45. pillstore.com | No | No | No | No Policy Posted |
| 46. pillsupplier.com | No | No | No | No Policy Posted |
| 47. pillvalue.com | No | No | No | Letter Returned |
| 48. rxmeds.com | No | No | No | No Policy Posted |
| 49. * | No | No | No | No Policy Posted |
| 50. * | No | No | No | No Policy Posted |

[1] Although Rite-Aid is not VIPPS Certified, - which processes Rite Aid's online prescriptions - is VIPPS Certified.
* Indicates company that may be located outside the U.S.


Tips for Consumers

If you are a consumer who is considering purchasing prescriptions online, there are a few things that you should check for with the online pharmacy web site.


A reputable online pharmacy will:

  • Indicate that it is located in the United States.
  • Post a Privacy Policy on its home page or in an easily located place on its site.
  • Not share your information with others without your permission.
  • Contain a HIPAA Privacy notice.
  • Provide a licensed pharmacist who can answer your questions.
  • Note that it is registered with a state pharmacy board.
  • Require a prescription from a physician or authorized health care provider and then verify each prescription before dispensing medication.
  • Note that the medications it sells are FDA-approved.

If you locate an online pharmacy that is selling prescription drugs that are not approved by the U.S. Food and Drug Administration or that you suspect may be counterfeit or unsafe, file a complaint with the FDA at:


You may also want to check with the National Association of Boards of Pharmacy (see Resources below) to determine whether a web site is a licensed pharmacy in good standing.


When you order from a U.S. company, under the Mail Order Sales Rule (see Resources below), you should receive your purchase in the mail within 30 days.




Privacy Rights Clearinghouse

HIPAA Basics: Medical Privacy in the Electronic Age

E-Commerce and You: Online Shopping Tips


Federal Trade Commission

FTC Testifies "Drugstores on the Net: The Benefits and Risks of Online Pharmacies"

A Business Guide to the Federal Trade Commission's Mail or Telephone Order Merchandise Rule


General Accounting Office

Internet Pharmacies: Some Pose Safety Risks for Consumers


National Association of Boards of Pharmacy
The NABP is an independent, international, and impartial association that assists and represents the state boards of pharmacy and jurisdictions in developing, implementing, and enforcing uniform standards for the purpose of protecting the public health.


National Association of Boards of Pharmacy (NABP)
700 Busse Highway
Park Ridge, IL 60068
(847) 698-6227


Listing of State Pharmacy Boards

Listing of State Medical Boards

Verified Internet Pharmacy Practice Sites (VIPPS) Most Frequently Asked Questions

Verified Internet Pharmacies List


U.S. Food and Drug Administration (FDA)

Buying Prescription Medicines Online: A Consumer Safety Guide

Buying Medicines and Medical Products Online

Buying Drugs Online: It's Convenient and Private, but Beware of 'Rogue Sites'

Reporting Unlawful Sales of Medical Products on the Internet