Q: “What do you think about the patient medical records that were seized by NY prosecutors in the whole Signature Pharmacy and Applied Pharmacy + longevity clinic fiasco? It seems that patients have no rights to privacy. Law enforcement can come in and seize individuals’ prescription records, share them with the press, etc. Yes, I had my prescriptions for testosterone filled at AP. But no, I am not a pro athlete or bodybuilder, etc., simply a patient with a legitimate medical necessity for testosterone, hCG etc. I thought that certain medical information was privileged info and couldn’t simply be taken by LE to become a matter of public record. My medical conditions are not a matter for public disclosure! Isn’t there some sort of patient medical privacy in this case?”
A: Privacy is an intensely, perhaps uniquely, personal value. The word stems from a Latin root, “privare,” which meant “to separate.” To want privacy is to want to be separate, to be individual. Another meaning of the Latin was “to deprive”; privacy also means leaving something behind.[1] Health care information is generally considered to be among the most intimate and sensitive of personal information. Unfortunately, the simplest answer is that, even under the best of circumstances, you should not expect privacy, and there is little, if any, recourse available for the release and sharing of medical information.
It should be said from the outset that any and all information used in the commission of a crime has no privacy interest in law. Whether or not the user is aware a crime is being committed is of no relevance. Assuming an individual has a valid prescription (issued by a physician for a legitimate medical purpose in the usual course of practice), what is the privacy that one can expect by using an online pharmacy?
Following is a discussion of privacy of medical information from a medical provider, a physician. Included are current regulatory laws concerning medical privacy; for further clarification, one should consult an attorney or state agency. Excellent resources found online are Professor Arthur Miller of Harvard Law School, Privacy in Cyberspace, Nicole Rothstein, Protecting Privacy and Enabling Pharmaceutical Sales on the Internet, and Kerry Toth Rost, Policing the “Wild West” World of Internet Pharmacies.
On a more general note, and attempting not to be more cynical than necessary, medical privacy is a concept that is cherished but in reality nonexistent. In the age of paper records alone, one could be confident that few people had the ability to retrieve the information. When all records were in paper form only and kept in the locked filing cabinet of a single physician, it was much harder to share these records with third parties and easier to guard against unauthorized access.
As it becomes easier and easier for society to communicate, the scope of what privacy includes becomes increasingly smaller. Electronic technology advances (telephone, facsimile, and internet) allow more access points to information, legally or illegally. The increasing use of computers and the Internet has heightened the public’s concern that the privacy protection of medical information is not adequate.[2] From a privacy protection standpoint, the architectural structure of the Internet itself presents concerns because it is a global “network of computer networks,” and digital information often passes through dozens of computers before reaching its intended destination.
The ease of creating and sharing information over the Internet makes this grave threat of invasion of medical privacy a very real and constant concern in today’s electronic age. Thus, an individual’s health care information shared over the Internet is potentially more vulnerable to unauthorized access, distribution, disclosure, and general misuse than if this information had simply been in paper form in one location.
Although many individuals might think otherwise, there is no blanket privacy protection in the law for health information. No laws specify the people allowed to see medical records or the parts of the records they can see. Of even more concern, individually identifiable medical information is often shared with managed-care organizations, health insurance companies, life insurance companies, self-insured employers, pharmacies, pharmacy-benefit managers, clinical laboratories, accrediting organizations, and medical-information bureaus.
The United States has a federal system of government. Each of the fifty states has its own governmental system complemented by a national governmental framework covering the entire nation. In the context of health care services over the Internet, therefore, any such enterprise must comply with both national and state laws.
Most federal laws merely address the handling of personally identifiable health information by federal agencies and their private subcontractors. The Privacy Act of 1974 provides a system of confidentiality protections that apply to individual records, including medical histories, when that information is retained by federal agencies.[3]
In August of 1996, former President Clinton and Congress took an important step toward regulating the conduct of private actors by enacting the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. No. 104-191, 110 Stat. 1936 (codified at scattered sections of 26, 29, and 42 U.S.C.). One of the primary purposes of HIPAA was to facilitate the electronic storage and distribution of health information. In addition, HIPAA was intended to address the “need for national standards to control the flow of sensitive patient information and to establish real penalties for the misuse or disclosure of this information.”
On December 20, 2000, the HHS Secretary announced the final regulations (“Privacy Rule”), which became effective on February 26, 2001.[4] In the view of the HHS Secretary, the key principles necessary in a federal privacy law were consumer control, accountability, public responsibility, boundaries, and security. In fulfilling these principles, the Privacy Rule establishes a set of basic national privacy standards and fair information practices that protect Americans’ personally identifiable health information.
The new federal regulations, promulgated under the authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), were adopted to protect the privacy of medical records. Specifically, they: (1) ensure patient access to their medical records; (2) require patient consent before individually identifiable health information is used and shared for purposes of treatment and payment; (3) establish fair information practices to inform patients how their personal information is used and disclosed; (4) require safeguards to protect confidentiality and prevent unauthorized access; and (5) establish penalties for misuse of personal health information.
Patients must also be notified about their rights with respect to their medical information, including the right to restrict the use and disclosure of such information, the right to inspect and copy their records, the right to amend their records, and the right to an audit of any disclosure of their records. In addition, these entities “must make reasonable efforts to limit health information to the minimum necessary to accomplish the intended purpose” when they use, disclose, or request such information. The new regulations do not preempt or change any existing rule or state law that provides greater protection of privacy.[5]
The new regulations were adopted for three reasons: to give patients access to and control of their medical information, to restore trust in the health care system, and to improve the “efficiency and effectiveness” of health care delivery by adopting a national framework for maintaining the privacy of medical information. As the background to the regulations notes, previously there were “virtually no federal rules . . . to protect the privacy of health information and guarantee patient access to such information. . . . All fifty states today recognize in tort law a common law or statutory right to privacy.”[6]
While the Privacy Rule represents the first comprehensive federal law that protects the confidentiality of personally identifiable health information, it has some gaps in its protection. First, there is no private right of individual action for inappropriate use of medical data. A private right of action is important because it gives consumers direct redress for harms to their personal privacy. Second, HHS does not have authority to issue standards for records maintained by other insurers, employers, or schools because the “covered entities” section limits the specific entities governed by the requirements. Third, the Privacy Rule does not directly place restrictions on the use or disclosure of information by business associates. Fourth, covered entities are permitted to disclose protected health information to law enforcement officials pursuant to administrative subpoenas or summons without independent judicial review.
The privacy of consumers who purchase prescription medication is protected under the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191.[7] HIPAA protects “protected health information” from disclosure. “Protected health information” means individually identifiable health information maintained and/or transmitted in any form or medium.[8] Pharmacists are health care providers covered by the act. Patient authorization is required for disclosure of “protected health information.” Improper disclosure may subject the provider to civil and/or criminal penalties.[9]
Internet pharmacies present a potential for abuse that is not present, or nearly as prevalent, in traditional “bricks-and-mortar” pharmacies. Essentially, three types of Internet pharmacies exist: 1) pharmacies that only fill prescriptions written by a patient’s physician; 2) pharmacies that charge for a physician “cyber-consultation” (usually nothing more than the patient completing a simple questionnaire) and then the cyber-doctor writes a prescription; and 3) pharmacies that dispense prescription drugs without a physician’s prescription.[10]
The first type of online pharmacy requires a prescription from a physician before an order for medication can be filled. These sites are considered an extension of the traditional brick-and-mortar pharmacies. Brick-and-mortar pharmacies are state licensed pharmaceutical stores that have chosen to create web sites as an extra convenience for their patients. These brick-and-mortar pharmacies allow a patient to mail or fax in a prescription from a physician who has previously diagnosed the patient’s need for the prescription. These types of internet sites verify the prescription, generally by contacting the physician, fill the prescription, and mail the medicine directly to the consumer.
The second type of internet pharmacy does not require the consumer to visit a physician in their area. Instead, these sites employ physicians to consult with patients on their websites. At these sites, a physician will often issue a prescription without ever examining the patient. Where most physicians require a physical examination of the patient before they will write a prescription, on-line practitioners at these types of sites will issue prescriptions without establishing the traditional physician-patient relationship. Generally, the patient merely has to fill out an online questionnaire, which is reviewed by a physician employed by the site. This physician will write a prescription based solely on the questionnaire. The patient is charged a consultation fee if the physician prescribes medication.
The third type of internet pharmaceutical site dispenses drugs without requiring any type of prescription. These are often called “rogue” pharmacies because they dispense medicine while bypassing all of the safeguards created to protect the patient. Consumers searching for specific drug information may enter an internet site that will sell them the controlled substance without ever consulting a physician.
Although there is no guarantee of privacy at a traditional pharmacy, the information transmitted and stored by Internet pharmacies is vulnerable to hackers. Much of this vulnerability can be overcome if the pharmacy uses secure server technology, maintains strict policies against sharing or selling patient personal data, and encrypts transactions during transmission. Not all Internet pharmacies, however, make such a commitment to privacy. Without privacy notices, customers have no way of knowing how their personal, financial, and health information is being used – and misused.
Furthermore, certain practices of both Internet pharmacies and traditional pharmacies raise privacy concerns. Some drug stores sell confidential patient information to third parties conducting marketing campaigns for drug manufacturers. This inappropriate or inadvertent disclosure of private medical or prescription information can lead to a variety of problems, such as employment discrimination, increased health or life insurance premiums, and even denial of insurance coverage. Some drug manufacturers and pharmacies combine technology, marketing techniques, and patient prescription information to increase medication sales. One technique currently used by drug advertisers and manufacturers involves gathering and storing personal information about people calling toll-free numbers for information on medications.
The Health Insurance Portability and Accountability Act (HIPAA) privacy rule requires health care providers to give adequate notice of uses and disclosures of protected health information. Simply creating and posting privacy policies is not enough. Even when Web sites purport to offer strong privacy protections, they may ignore their own policies. The California HealthCare Foundation sponsored a study released on February 1, 2000, showing that many online health care sites do not follow their own privacy policies, and, in some cases, share health information about visitors with third-party business partners.[11]
In giving patients greater access to and control over their personal health information and providing boundaries for use and security of that information, the Privacy Rule directly applies only to health plans, healthcare clearinghouses, and healthcare providers who transmit health information in electronic form (“covered entities”) in their use and disclosure of “protected health information.”[12] “Protected health information” is defined as “individually identifiable health information” regardless of its form or format.[13] The majority of health care Web sites may not meet the statutory definition of “covered entities” under the proposed Privacy Rule, and will therefore not be subject to its requirements.[14]
The primary enforcement mechanism for federal laws in the United States is the Department of Justice (“DOJ”). The DOJ’s mission includes “enforc[ing] the law and defend[ing] the interests of the United States.” Although many reputable Internet pharmacies exist today, the FDA is concerned with the public health implications of rogue Web site operators, owners, and affiliates.[15] Such concerns include the sale of prescription drugs without a prescription, the sale of unapproved new drugs, health fraud, and counterfeit medications.
The Federal Food, Drug, and Cosmetic (“FDC”) Act is currently the primary enforcement mechanism by which the DOJ may protect consumers engaging in the purchase of prescription drugs over the Internet. In establishing the system that currently regulates the sale of prescription drugs, Congress developed a plan that relied on both the physician and the pharmacist to protect patients from knowing or accidental misuses of medicines.
Under the FDC Act, drugs that are considered prescription drugs may be distributed only with a valid prescription under the professional supervision of a physician. In addition, the FDC Act prohibits the manufacture of misbranded or adulterated drugs. A prescription drug is considered “misbranded” if it is not dispensed pursuant to a valid prescription in accordance with 21 U.S.C. § 353(b). The FDC Act is also violated when misbranded drugs are distributed or introduced into interstate commerce.[16]
The Controlled Substances Act prohibits dispensing controlled substances without a legitimate medical purpose. In determining if a practitioner failed to act for a valid (legitimate) and professional “medical purpose,” the question of fact turns on whether the physician made an “honest” or “good faith effort” to treat and prescribe in compliance with an accepted standard of medical practice.
To satisfy the requirement that a prescription be issued by a practitioner in the usual course of his professional practice, there must be a physician-patient relationship that is for the purpose of maintaining the patient’s well-being, and the physician must conform to certain minimum norms and standards for the care of patients. A bona fide physician-patient relationship includes the following: (1) medical history & physical examination, (2) diagnosis, (3) informed consent, (4) diagnostic tests, (5) prescriptions, (6) continuity of care, and (7) prognostic indicators. Board admissions, testimony, and evidence demonstrate conclusively each of these requirements is present.
Case law has identified the kinds of behavior from which one may conclude that a doctor was not prescribing drugs for a legitimate medical purpose and was not acting in the usual course of medical practice. These factors are categorized as those demonstrating (1) lack of medical treatment by the physician, (2) lack of medical judgment by the physician, and (3) awareness of a nonlegitimate purpose on the part of the physician.
Online pharmacies may also be regulated under the Federal Trade Commission Act (FTCA). The FTC Act protects consumers from unfair or deceptive acts or practices. The Federal Trade Commission (“FTC” or “Commission”) enforces a variety of consumer protection laws as well as a number of competition-promoting laws. The FTC’s consumer protection mission involves eliminating deceptive or unfair acts from the marketplace. Under the Federal Trade Commission Act (“FTC Act”), the FTC is empowered to prevent unfair methods of competition and “unfair or deceptive acts or practices in or affecting commerce,” prescribe trade regulation rules defining acts that are unfair or deceptive, and establish requirements designed to prevent such acts or practices. As a result, one of the Commission’s major policy initiatives since 1995 has been to address online privacy.
To the extent that an online pharmacy makes false representations about health-related services on its Web site, the FTC Act could be used in a civil enforcement action to eliminate such an unfair or deceptive trade practice. Websites may be enjoined for engaging in unfair or deceptive acts or practices, including false advertising of medications. Online pharmacies making false or deceptive representations to potential consumers are in violation of the FTCA, making the website operator subject to a civil enforcement action.[17] For instance, claiming that a properly licensed physician will review the online questionnaire would be such a representation. Websites may represent, falsely, that medical information collected from consumers will be kept confidential, or that an online consultation is equivalent to a physical examination.
Finally, depending on the facts of a particular case, federal mail and wire fraud statutes could be invoked in either a criminal or civil proceeding anytime an online pharmacy defrauds a consumer using the postal or telecommunications systems.
While working with state and federal agencies to better coordinate enforcement efforts of illegal online sales and to analyze ways to regulate online sales, the FDA nonetheless maintains that a self-regulatory framework is crucial to the success of online pharmacies.
Working under this self-regulatory framework, the U.S. National Association of Boards of Pharmacy (“NABP”)[18] has implemented a voluntary certification program in which participating Internet pharmacies must meet state licensing criteria and Verified Internet Pharmacy Practice Site (“VIPPS”) criteria.
The Verified Internet Pharmacy Practice Sites (VIPPS)[19] program and its accompanying VIPPS seal of approval identify to the public those online pharmacy practice sites that are appropriately licensed, are legitimately operating via the Internet, and have successfully completed a rigorous criteria review and inspection. The VIPPS program is a voluntary accreditation program for which Internet pharmacy practice sites may apply. The value of the program to the patient and the Internet pharmacy is that it gives members of the public a means of assuring themselves that the Internet pharmacy they choose is a bona fide, fully licensed facility exercising competent Internet/interstate pharmacy practices.
Internet-based pharmacy practice sites wishing to become VIPPS accredited submit a detailed application to NABP, which includes the pharmacy’s policies and procedures addressing the VIPPS criteria. Licensure information is verified with applicable state boards of pharmacy. The VIPPS team reviews the application, policies, and applicant’s Web site, and performs an on-site inspection of the pharmacy’s facilities. Once the policies and procedures as well as the operations of the pharmacy appear to meet the intent of the VIPPS criteria, permission to display the VIPPS Seal is granted and the verified information about the pharmacy is posted on the VIPPS Web site.
NABP does not regulate online pharmacies. The state boards of pharmacy have primary responsibility for regulation of online pharmacies. The state board of pharmacy of the state in which the pharmacy is physically located mainly exercises regulatory authority. In addition, most states protect their citizens by licensing “out-of-state pharmacies” that ship medications to patients in their jurisdictions. The same regulations that apply to traditional brick-and-mortar and mail order pharmacies typically apply to online pharmacies. Federal agencies, such as FDA and Drug Enforcement Administration (DEA), are also partners with the state boards of pharmacy in this regulatory process.
None of the pharmacies cited (Signature Pharmacy, Applied Pharmacy Services, and Life Extension Rx)[20] has a HIPAA Notice, Privacy Notice, or VIPPS Certification.
The United States and Canada have taken different approaches to the general protection of privacy, and this difference remains consistent between the two nations’ treatment of Internet medical privacy. While the United States offers a patchwork of industry-specific privacy laws and encourages industry self-regulation, Canada has recently enacted a comprehensive privacy protection law that covers actions of both public and private actors and gives consumers a private right of action. Nonetheless, the United States has recently enacted a detailed medical privacy law. While this industry-specific law covers actions of both public and private actors, it does not give consumers a private right of action. This U.S. law is likely more comprehensive in terms of medical privacy protections because of its pinpoint focus, but it does not offer the industry-neutral umbrella privacy protection and individual redress that the Canadian law promises.
Consumers must be enabled to avoid known and unknown risks and unfair business practices in their searches for prescription drugs and other health care services on the Internet. Providing responsible and dependable health care over the Internet requires protecting personal health information, guarding against unauthorized surveillance of Web site activity, empowering consumers to find reliable and credible information and drugs via Internet pharmacies, and establishing national licensure standards for Internet pharmacies.
Footnotes
[1] Arthur Miller, Privacy in Cyberspace, Berkman Center for Internet & Society’s experimental Online Lecture & Discussion Series. Available at: http://cyber.law.harvard.edu/privacy99.
[2] National Research Council, For the record: protecting electronic health information, National Academy of Sciences, Washington, D.C. (1997).
[3] 5 U.S.C. § 552a(a)(4) (1994). Privacy Act of 1974, Pub. L. No. 93-573, § 2(b), 88 Stat. 1896, 1897.
[4] Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at 45 C.F.R. pts. 160, 164).
[5] Department of Health and Human Services, Standards for privacy of individually identifiable health information, Final rule, 65 Fed Reg 82,462-82,829 (2000).
[6] George J. Annas, HIPAA Regulations – A New Era of Medical-Record Privacy?, 348(15) N Engl J Med 1486 (2003).
[7] 42 U.S.C. § 1320d-2.
[8] 45 C.F.R. § 160.103 (2004).
[9] 42 U.S.C. § 1320d-5 and 6.
[10] Kerry Toth Rost, Policing the “Wild West” World of Internet Pharmacies, 55 Food and Drug Law Journal 619 (2000) (also Kerry Toth Rost, Policing the “Wild West” World of Internet Pharmacies, 273 Spec Law Dig Health Care Law 9 (2002)). Available at: http://www.fdli.org/pubs/Journal%20Online/55_4/art7.pdf
[11] Janlori Goldman et al., California Healthcare Found., Privacy: Report On The Privacy Policies And Practices Of Health Web Sites 3 (2000), available at http://admin.chcf.org/documents/ehealth/privacywebreport.pdf
[12] Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. § 160.102(a). Under HIPAA section 1171(a), only these three entities could be covered under a final privacy rule. The Health Insurance Portability and Accountability Act of 1996 § 1171(a), 42 U.S.C. § 1320d (Supp. IV 1998).
[13] 45 C.F.R. § 164.501 (2001).
[14] 45 C.F.R. § 160.102.
[15] Drugstores on the Net: The Benefits and Risks of Online Pharmacies, Hearings Before the Subcomm. on Oversight and Investigations of the House Comm. on Commerce, 106th Cong. 95-96 (1999) (statement of Janet Woodcock, Director, Center for Drug Evaluation and Research, Food and Drug Administration).
[16] Nicole A. Rothstein, Protecting Privacy and Enabling Pharmaceutical Sales on the Internet: A Comparative Analysis of the United States and Canada, 53 Fed. Comm. L.J. 344 (2001).
[17] 15 U.S.C. § 45 et seq.
[18] National Association of Boards of Pharmacy (NABP), 700 Busse Highway, Park Ridge, IL 60068 (847-698-6227), http://www.nabp.net. The National Association of Boards of Pharmacy (NABP) is the independent, international, and impartial association that assists its member boards and jurisdictions in developing, implementing, and enforcing uniform standards for the purpose of protecting the public health.
[19] Verified Internet Pharmacies List, http://vipps.nabp.net/verify.asp
[20] Signature Pharmacy, 1200 Kuhl Ave., Orlando, FL 32806 (888-323-7788), http://www.signaturepharmacy.com (Accessed July 6, 2007). Applied Pharmacy Services, 3207 International Drive, Mobile, AL 36606 (877-729-1015), http://www.appliedpharmacyrx.com (Accessed July 6, 2007). Life Extension Rx, 1100 West Commercial Blvd, Suite 130, Fort Lauderdale, FL 33309 (877-877-9700), http://www.lifeextensionrx.com (Accessed July 6, 2007).
About the author
The research of Michael Scally focuses on returning individuals to normal physiology after the discontinuation of anabolic steroids. Dr. Scally has presented his medical protocol for the treatment of Anabolic Steroid Induced Hypogonadism before the Endocrine Society, American Association of Clinical Endocrinologists, American College of Sports Medicine, and International Workshop on Adverse Drug Reactions and Lipodystrophy in HIV. Dr. Scally is the author of "Anabolic Steroids - A Question of Muscle: Human Subject Abuses in Anabolic Steroid Research."