Survey Finds Most Online Pharmacies Do Not Give HIPAA Privacy Notices

Study Shows Most Online Pharmacies Lack HIPAA Privacy Notice

Privacy Rights Clearinghouse Urges Federal Agencies to Investigate Online Pharmacies; also Finds Significant Noncompliance with New California Online Privacy Law


Readability consultant Mark Hochhauser, Ph.D., in cooperation with the Privacy Rights Clearinghouse, conducted a survey of 50 online pharmacy web sites from mid-April through July 9, 2004. Of the 50, a scant 11 sites (22%) included a HIPAA privacy notice as required by the Department of Health and Human Services (HHS) under the federal medical privacy rule. "Consumers should know that most online pharmacies offer no privacy protection for their medical or financial information," said report author Hochhauser.


The Health Insurance Portability and Accountability Act (HIPAA) privacy rule requires health care providers to give adequate notice of uses and disclosures of protected health information. As defined under HIPAA, health care means "care, services, or supplies related to the health of an individual," including "sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription." As long as the care provider transmits health information in electronic form in connection with a covered transaction, the notice is required.


Today, due to the alarming results of the research, the Privacy Rights Clearinghouse, together with Mark Hochhauser, sent a letter to Richard M. Campanelli, Director of the U.S. Department of Health and Human Services' (HHS) Office of Civil Rights, urging an investigation of online pharmacies and enforcement of the HIPAA privacy notice requirement. The groups also sent letters about the situation to the Federal Trade Commission (FTC) and to the National Association of Boards of Pharmacy, which oversees the Verified Internet Pharmacy Practice Sites (VIPPS) certification process, urging their attention as well.


Tena Friery, Research Director for the Privacy Rights Clearinghouse, noted, "With so few online pharmacies heeding the requirement for a HIPAA privacy notice, we felt compelled to ask the HHS and other agencies to investigate sites that are not complying. If they can't comply with the prerequisites of federal law, the question is whether there are other ways these sites are failing consumers."


The 11 sites that had a HIPAA privacy notice also posted a web site privacy policy. An additional 17 online pharmacies had privacy policies, indicating that 56% of the total sites surveyed posted a privacy policy. In other words, 44% of the sites, or 22 online pharmacies, had neither a web site privacy policy nor a HIPAA policy. Only four of the 50 sites studied (8%) were certified by VIPPS (Verified Internet Pharmacy Practice Sites) through the National Association of Boards of Pharmacy.


In addition to notifying federal regulatory agencies about the shortcomings of online pharmacies, the Privacy Rights Clearinghouse has notified sites of their noncompliance with California law. As of July 1, 2004, California's Online Privacy Protection Act requires commercial web sites that serve California consumers to post privacy policies. The PRC notified the pharmacies that, according to the law, they must post a policy within 30 days of the notice. We will monitor their web sites in 30 days to determine if they have since complied with state law, and will alert state authorities to those that are still in violation of the California Online Privacy Protection Act.


The complete survey and findings about the privacy policies of online pharmacies can be found at