LegitScript Standard #7: Privacy

LegitScript’s 7th standard relates to something most of us are concerned about when it comes to the Internet: Privacy.

Standard 7: Privacy. If the pharmacy website transmits information that would be considered Protected Health Information (PHI) under the HIPAA Privacy Rule (45 CFR 164), the information must be transmitted in accordance with HIPAA requirements, including the use of Secure-Socket Layer or equivalent technology for the transmission of PHI, and the pharmacy must display its privacy policy that accords with the requirements of the HIPAA Privacy Rule.

What does it mean? If you’ve been to the doctor in the recent past, you’ve probably heard of HIPAA. Short for the Health Insurance Portability and Accountability Act of 1996, HIPAA came into being as a means of protecting patient health information. As it applies to the Internet, HIPAA requires that any website engaging in the transmission of Protected Health Information (PHI) must use secure technology when doing so. PHI refers to “individually identifiable health information”, or information that could identify a patient in relation to a health condition. For instance, if an Internet pharmacy requires that you enter your name and address, along with the medication name, when submitting a prescription request, that information is deemed PHI. In such cases, the website is required to protect that information through the use of technology such as Secure Sockets Layer (SSL). You can usually tell if a website does this by checking if the “http” that begins the URL changes to “https” when transmitting PHI. This requirement is a patient privacy and safety mechanism that prevents your personal information from getting into the hands of anyone outside those directly related to your health care.

Is PHI always submitted when ordering an online prescription? No. Many legitimate pharmacy websites do not require patients to enter personally identifying health information. Some sites are formatted in such a way that a patient only needs to enter a prescription number, not the actual medication name, as well as a patient ID number to order a refill. These sites are not required to post a privacy policy or use SSL technology, but many still do as an added precaution.
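The "http" versus "https" check described above can be applied to where a form actually sends its data, not just to the page's own address. The following is an added example, not LegitScript's code: the keyword list, function names and sample page are constructed assumptions, and the keywords are taken from the name, address and medication fields the post mentions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed keyword list (hypothetical): field names suggesting identity or medication data.
PHI_HINTS = ("name", "address", "medication")

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "select", "textarea") and self._cur is not None and a.get("name"):
            self._cur["fields"].append(a["name"].lower())
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_forms(page_url, html):
    """Return (target_url, phi_like_fields) for forms that send PHI-like fields without HTTPS."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty or missing action submits back to the page's own URL.
        target = urljoin(page_url, form["action"])
        phi = [f for f in form["fields"] if any(h in f for h in PHI_HINTS)]
        if phi and urlsplit(target).scheme != "https":
            findings.append((target, phi))
    return findings

# Constructed sample page: served over HTTPS, but the first form posts to a plain-HTTP endpoint.
SAMPLE_URL = "https://pharmacy.example/refill"
SAMPLE_HTML = """
<form action="http://orders.pharmacy.example/submit" method="post">
  <input name="patient_name"><input name="address"><input name="medication">
</form>
<form action="/refill" method="post"><input name="rx_number"><input name="patient_id"></form>
"""

if __name__ == "__main__":
    for target, fields in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"PHI-like fields {fields} submitted without HTTPS to {target}")
```

The first form is flagged even though the page itself loads over "https", because its submission target is plain "http". The refill form that asks only for a prescription number and patient ID is not flagged.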

Why is privacy protection important for health information? We’re sure most people would agree that they don’t want their medical history posted on the Internet for all to see. Health information is private, and HIPAA helps make sure it stays that way in the face of health-related technology. It comes as no surprise that rogue Internet pharmacies do not abide by HIPAA regulations, and while they may purport to protect payment information, there are no such guarantees on PHI. Ironically, many people who buy drugs from rogue Internet pharmacies do so out of a desire for privacy (just look at the sheer number of illicit sites for erectile dysfunction drugs). However, if you’re not buying your prescription from a legitimate site, you cannot rest assured that your privacy has been protected.

LegitScript is a strong proponent of both patient privacy and HIPAA. You can be sure that all of LegitScript’s approved sites comply with our privacy standard.