Study Shows Most Online Pharmacies Lack HIPAA Privacy Notice

Complaint Submitted to Department of Health and Human Services

By Mark Hochhauser, Ph.D., Readability Consultant
and Privacy Rights Clearinghouse


Submitted by e-mail:


Richard M. Campanelli, Director
Office of Civil Rights (OCR)
U.S. Department of Health and Human Services (DHHS)
200 Independence Avenue, S.W.
Washington, D.C., 20201


RE: Complaint -- Most Online Pharmacies Lack HIPAA Privacy Notice


Dear Mr. Campanelli,


The Privacy Rights Clearinghouse (PRC)1, along with readability expert Mark Hochhauser, Ph.D., is writing to call your attention to a recent survey of online pharmacies, and, in particular, the failure of most sites to post a HIPAA Privacy Notice. Please consider this letter to be a complaint.


This study, conducted by respected readability consultant Mark Hochhauser2, Ph.D., and the Privacy Rights Clearinghouse comes to an alarming conclusion: A majority of the online pharmacies examined fail to comply with HIPAA's requirement that covered entities give individuals adequate notice of their privacy practices and procedures, as specified in §164.520 of the Privacy Rule.


In conducting this survey, Dr. Hochhauser visited 50 online pharmacy web sites. Of the 50, only 11 sites (22%) included a HIPAA Privacy Notice. The 11 sites that had a HIPAA privacy notice also posted a web site privacy policy.


An additional 17 online pharmacies had privacy policies, indicating that 56% of the total sites surveyed posted a privacy policy. In other words, 44% of the sites, or 22 online pharmacies, had neither a web site privacy policy nor a HIPAA policy. Only four of the 50 sites studied (8%) were certified by VIPPS (Verified Internet Pharmacy Practice Sites) through the National Association of Boards of Pharmacy. As the study shows, having VIPPS certification does not ensure compliance with the HIPAA notice requirement.


The HIPAA Privacy Rule (§164.520) requires health care providers to give individuals adequate notice of uses and disclosures of protected health information. As defined by HIPAA, health care means "care, services, or supplies related to the health of an individual," including "sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription" (§160.103(2)).


The Privacy Rule makes no exception for pharmacies or other covered entities that transmit protected health information electronically. In fact, HHS guidance even recognizes the new era of electronic services by allowing a covered entity to obtain an individual's acknowledgement of having received the privacy notice electronically.


Online pharmacies are no less obligated than their brick and mortar counterparts to give individuals the required privacy notice. Although 56% of the online pharmacies surveyed included a website privacy notice, this does not comply with the very specific privacy notice required by HIPAA.


Online pharmacies that fail to give a HIPAA privacy notice deny individuals the fundamental rights guaranteed by the Privacy Rule. Specifically, individuals who fill prescriptions through an online pharmacy are entitled to notice, among other things, of their right to:

  • Obtain copies of their medical records.
  • Restrict the use of medical information.
  • Request an amendment of medical records.
  • Request an accounting of medical information.
  • Receive notice of how to complain to a covered entity and to the Secretary of HHS.

We urge the OCR to investigate online pharmacies and to take the necessary action to ensure that online pharmacies, like any other covered entity, comply with the HIPAA privacy notice requirements.

Thank you for your consideration of our complaint.



Beth Givens, Director
Privacy Rights Clearinghouse


Mark Hochhauser, Ph.D.
Readability Consultant
3344 Scott Avenue North
Golden Valley, MN 55422
(763) 521-4672

Federal Trade Commission, Consumer Protection Bureau
Food and Drug Administration
National Association of Boards of Pharmacy

1 The PRC ( is a nonprofit consumer education and advocacy organization based in San Diego, California. Privacy of medical information is a leading topic of consumer concern.

2 Dr. Hochhauser has published many articles and studies on readability. He has served as a consultant to state insurance agencies as well as the Department of Health and Human Services. As part of his consulting work with HHS, Dr. Hochhauser studied and reported on the readability of privacy notices mandated by the privacy regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Dr. Hochhauser's report is titled Compliance vs. Communication.