Privacy Rights Clearinghouse
Complaint Submitted to Department of Health and Human Services
By Mark Hochhauser, Ph.D., Readability Consultant
and Privacy Rights Clearinghouse
Submitted by e-mail: OCRComplaint@hhs.gov
Richard M. Campanelli, Director
Office of Civil Rights (OCR)
U.S. Department of Health and Human Services (DHHS)
200 Independence Avenue, S.W.
Washington, D.C., 20201
RE: Complaint -- Most Online Pharmacies Lack HIPAA Privacy Notice
Dear Mr. Campanelli:
The Privacy Rights Clearinghouse (PRC)1, along with readability expert Mark Hochhauser, Ph.D., is writing to call your attention to a recent survey of online pharmacies, and, in particular, the failure of most sites to post a HIPAA Privacy Notice. Please consider this letter to be a complaint.
This study, conducted by respected readability consultant Mark Hochhauser2, Ph.D., and the Privacy Rights Clearinghouse comes to an alarming conclusion: A majority of the online pharmacies examined fail to comply with HIPAA's requirement that covered entities give individuals adequate notice of their privacy practices and procedures, as specified in §164.520 of the Privacy Rule. The study is available at the PRC web site, http://www.privacyrights.org/ar/PharmacyPrivacy.htm.
The HIPAA Privacy Rule (§164.520) requires health care providers to give individuals adequate notice of uses and disclosures of protected health information. As defined by HIPAA, health care means "care, services, or supplies related to the health of an individual," including the "sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription" (§160.103(2)).
The Privacy Rule makes no exception for pharmacies or other covered entities that transmit protected health information electronically. In fact, HHS guidance even recognizes the new era of electronic services by allowing a covered entity to obtain an individual's acknowledgement of having received the privacy notice electronically.
Online pharmacies are no less obligated than their brick-and-mortar counterparts to give individuals the required privacy notice. Although 56% of the online pharmacies surveyed included a website privacy notice, such a notice does not satisfy the very specific privacy notice required by HIPAA.
Online pharmacies that fail to give a HIPAA privacy notice deny individuals the fundamental rights guaranteed by the Privacy Rule. Specifically, individuals who fill prescriptions through an online pharmacy are entitled to notice, among other things, of their right to:
Obtain copies of their medical records.
Restrict the use of medical information.
Request an amendment of medical records.
Request an accounting of medical information.
Receive notice of how to complain to a covered entity and to the Secretary of HHS.
We urge the OCR to investigate online pharmacies and to take the necessary action to ensure that online pharmacies, like any other covered entity, comply with the HIPAA privacy notice requirements.
Thank you for your consideration of our complaint.
Beth Givens, Director
Privacy Rights Clearinghouse
3100 5th Ave., Suite B
San Diego, CA 92103
Mark Hochhauser, Ph.D.
3344 Scott Avenue North
Golden Valley, MN 55422
Federal Trade Commission, Consumer Protection Bureau
Food and Drug Administration
National Association of Boards of Pharmacy
1 The PRC (www.privacyrights.org) is a nonprofit consumer education and advocacy organization based in San Diego, California. Privacy of medical information is a leading topic of consumer concern. To address these public concerns, we have published two consumer guides on medical privacy: How Private Is My Medical Information, www.privacyrights.org/fs/fs8-med.htm, and HIPAA Basics: Medical Information in the Electronic Age, www.privacyrights.org/fs/fs8a-hipaa.htm
2 Dr. Hochhauser has published many articles and studies on readability. He has served as a consultant to state insurance agencies as well as the Department of Health and Human Services. As part of his consulting work with HHS, Dr. Hochhauser studied and reported on the readability of privacy notices mandated by the privacy regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Dr. Hochhauser's report, titled Compliance vs. Communication, is reprinted on the PRC web site with the permission of the original publisher, Clarity: www.privacyrights.org/ar/HIPAA-Reading.htm