Regulating health information: a US perspective

http://bmj.com/cgi/content/full/324/7337/602

 


BMJ 2002;324:602-606 ( 9 March )

Education and debate

 

Regulating health information: a US perspective

Nicolas Terry, professor

Center for Health Law Studies, Saint Louis University School of Law, 3700 Lindell Blvd, St Louis, MO 63108, USA

terry@slu.edu

Technologically mediated health care raises problems of quality of information, cross border practice, and patient confidentiality. Nicolas Terry probes the legal aspects of these complexities, and Benedict Stanberry adds a European perspective

Identifying the regulatory agenda for health information is not difficult. The quality of publicly available health information, cross border medical and pharmacy practice, and the privacy of medical records appear on the radar screens of most public health and consumer protection organisations. Left unregulated, any of these issues can cause considerable harm. Each issue also embodies difficult tensions: state versus federal rights, increased access to care versus quality assurance, and confidentiality versus professional discourse.

US state and federal legal systems have not achieved a coherent approach to regulating the dissemination of health information. Furthermore, the American experience will not always transfer directly to publicly funded medicine and government initiatives. Nevertheless the American experience with private sector ehealth is an instructive model, even if some areas have been neglected and others over-regulated.
 

Summary points

 

 

Quality of publicly available health information, cross border medical and pharmacy practice, and privacy of records will be key issues for European regulators

 

Concerns about medical advice sites may be exaggerated

 

US regulators have yet to find the appropriate balance between risk and benefits of cross border practice

 

New US federal laws on health privacy appear cumbersome but may be instructive for other legal systems

 




 

    Regulating the quality of online health information

Concerns about widespread inaccuracies in online health information are speculative and intuitive rather than based on robust research. Berland's quality assessments, at least for English language sites and well educated users, suggest the picture is not so gloomy as critics expected.1

Public law regulation of health information may conflict with US guarantees of free speech, and differences of opinion among medical professionals make the broad regulation of health advice difficult. Consequently, intervention through public law is reserved for obviously dangerous health content where government agencies can apply traditional consumer protection, drug regulation, and fraud powers, as with the Federal Trade Commission's "Operation Cure.All."2

Arguments about freedom of speech can be used to defend private legal actions against web sites offering medical advice, and precedents from actions against publishers of "advice" or "how to" books show that such claims are hard to win.3 Case by case, retrospective, private law "regulation" may, however, be judicially more acceptable than blanket public law regulation.

Since regulation can do only so much to deter the web's snake oil salesmen, the focus inevitably shifts to strengthening the role of the market by reducing the costs of health information to the consumer. "Kitemark" or "trustmark" schemes seek to limit the need for consumers to assess the quality of information themselves by encouraging providers to rate their own contributions or to comply with codes of conduct. With compliance or rating in place, a technology layer can be added that leverages downstream filtering technology or upstream filtering through membership in a distinct top-level domain4; Medcertain is an example of downstream filtering technology,5 whereas the World Health Organization favours the upstream approach.6 Filtering persuades content producers to participate in ratings systems because search engines and, increasingly, browsers may be set to ignore unrated sites.

One approach that is emerging in the United States is to combine the evaluation of online content (for example, kitemarking) with private accreditation, a quality assurance system widely adopted by bricks and mortar healthcare providers.7 For this, a provider of online health information would subscribe to an accrediting agency's quality standards and pay the agency to check for compliance. Accreditation is a particularly interesting model because it uses a well respected method of quality assurance that is already recognised in private malpractice actions and brings traditional healthcare bodies and online providers under the same quality assessment umbrella. The use of such a model will also be of interest to litigators as US courts have held that failure to comply with applicable accreditation standards may constitute sufficient evidence of medical malpractice.

Whether simple or sophisticated, and whether relying on self regulation or rating by third parties, kitemarking systems are not without their difficulties,8 critics,9 or legal pitfalls, including the potential liability of rating organisations to private legal actions.10 The voluntary adoption of codes of conduct in good faith by health websites should not be trivialised or discouraged. Equally, the potential for fraudulent self rating and the likelihood that kitemarking will reduce consumers' natural skepticism about health information continue to trouble US regulators; this may explain a lack of enthusiasm relative to that of their colleagues in Europe.


 

    Controlling cross border practice

With the appearance of online medical advice sites, it is easy to overlook the proportion of cross border health information provided by physicians and pharmacists. In the United States, healthcare institutions are subject to national accreditation standards, and they educate their medical students according to a national curriculum with a view toward national testing. Medical professionals, however, are exclusively regulated by state authorities. Most state licensing and disciplinary systems assume that there will be some level of cross border medical practice by providers who consult with colleagues in other states or treat their travelling patients; these activities are not required to be licensed. Such exceptions aside, however, US states insist on local licensing.

Theoretically, increasing cross border services through technologically mediated health care should stimulate interest in an overall liberalisation of cross border practice. In reality, state authorities are strengthening their legislation to deter interstate ehealth services that either originate from or are received within their borders.11 While some of the voices raised against ehealth may have protectionist accents, the reality is that states' disciplinary and quality assurance powers are tied to the licensing process and there is no political will for moving such functions to a federal body.

In the United States federal regulators have legal competence over drug approval and marketing. Nevertheless, pharmacists, like doctors, face a state-by-state system of licensure and discipline. Licensing and quality issues, however, are not such a problem in pharmacy because it is easier for pharmacy chains to comply with multiple licensing requirements. The National Association of Boards of Pharmacy has facilitated compliance and consumer education by setting up a national system for trustmarking online pharmacies.12 Additional state by state regulation of pharmacists may, however, be imminent. At least one state now believes it can achieve indirectly what it has failed to do directly: stopping internet doctors from writing prescriptions for its citizens by placing the responsibility on the pharmacist to make sure that the prescription was the product of a traditional doctor-patient interaction.13 Such regulations will function as an indirect but effective method of controlling cross border medical practice.

 

 

This stringent regulation of ehealth exchanges across borders assumes too readily that indirect health care is inferior. Valid questions have been raised about the quality of email communications between doctor and patient,14 particularly doctors' responses to unsolicited email from patients. Though they pose some marginally interesting legal questions, these are essentially transitional issues that call for better education of doctors more than for regulatory intervention. A more important issue is whether doctors must disclose the risks of remote consultations. The American Medical Informatics Association has cogently argued that an informed consent instrument should "provide instructions for when and how to escalate the contact from being via the internet to phone calls and office visits" and that it should "describe the security mechanisms that are in place."15 Some US states already require specific consent for remote, technologically mediated care and professional organisations increasingly are recommending the use of encrypted systems for doctor-patient communications.16 Such regulation is appropriate when motivated by concerns over quality or patient autonomy but less so if designed to discourage non-traditional care.

It may be time to review the marketing activities of pharmaceutical companies both on the internet and in more traditional media. Direct to the consumer advertising is commonplace in the United States. The Federal Drug Agency's Center for Drug Evaluation and Research seeks valiantly to enforce advertising standards17 through its general regulatory standards and processes.18 In comparison with the constant barrage of pharmaceutical advertising aimed at US consumers, however, regulatory efforts tend to pale into insignificance. Against the background of the tightly controlled environment of doctors and patients under managed care, pharmaceutical companies are using direct to consumer advertising to try and persuade patients to pay for items not covered by their managed care plans, while simultaneously using both patients and doctors to coerce managers of health plans to add the company's products to their formularies. The importance to pharmaceutical manufacturers of direct advertising to consumers, however, may be illustrated by manufacturers' sanguine acceptance of increased exposure to liability for their products when they circumvent the traditional channel (doctor to patient) for drug information.19

Apart from suggesting the need for increased direct regulation (such as the American Medical Association's demand that direct to consumer advertising should contain warnings that a doctor might actually recommend a different treatment20), the growth of direct advertising presents difficult issues of ethical and possibly legal conflicts of interest for health advice sites that seek click-stream revenue from their links to the sites of pharmaceutical manufacturers or pharmacies.21


 

    Privacy of medical information

Health websites on both sides of the Atlantic have failed to establish acceptable standards of data protection.22 Somewhat ironically, the European Union's green paper exploring the development of a community-wide approach to consumer protection was published within days of the Federal Trade Commission's announcement that it was abandoning plans to introduce any new online privacy legislation.23 Without such legislation, the commission's ability to protect consumer privacy on the internet is limited to cases where websites breach their own published privacy policies.24 Websites need not have privacy policies, however, and if they do, the content goes unregulated. The United States' trading partners are justifiably concerned by this neglect for consumer privacy, and the Federal Trade Commission's recent backtracking on guarantees for online privacy for children will increase discomfort.25

Although US regulators have been derelict in protecting the general privacy of citizens, concerns regarding the privacy of health information in the United States are not necessarily warranted. The new federal standards for privacy of individually identifiable health information26 (and related draft security regulations) issued under the Health Information Portability and Accountability Act (HIPAA) provide the world's most robust protection for medical information, although recent developments in Australia threaten that status.27

Most modern privacy regimes, including the EU data protection directive,28 are collection-centric. That is, they limit the collection of consumer information, frequently by reference to a concept such as proportionality. Serious questions arise, however, as to whether health privacy regimes should place any limits on the collection of patient data, at least for purposes related to treatment. Thus HIPAA is a disclosure-centric confidentiality scheme. It protects patient information by prohibiting most disclosures unless they are preceded by highly regulated processes of consent for treatment or payment purposes. Even more stringent provisions, together with a "minimum necessary" rule, limit disclosures for other purposes, such as marketing or fundraising.

These privacy and security rules were not developed in a vacuum. US regulators are introducing a vastly more efficient system for health transactions, based on electronic data interchange. Unfortunately, this origin exposes the fundamental flaw in the HIPAA privacy and security schemes: they apply only to healthcare entities that use the electronic data interchange system. As a result, hospitals, doctors, and health insurers are likely to find their internet activities regulated, while the more typical ecommerce sites offering health advice or medical products, which collect and resell customer information, are far less likely to fall within the regulatory scope. State statutory and common law systems that provide higher levels of privacy protection are not, however, pre-empted by the federal HIPAA scheme. These unharmonised state law protections will become increasingly important as health websites sell their visitor data to research companies29 and if healthcare organisations continue their unfortunate accidental postings of confidential patient information on the web.30


 

    Conclusion

Industry consolidation around a few well known brands and the dot.com implosion have taken their toll on health advice sites. In the near term the major ehealth players will be drawn from basic health organisations looking to technology to improve the quality and efficiency of their services31 and government agencies seeking to improve healthcare delivery to underserved populations.

It is both appropriate and practical to shift regulatory emphasis away from advice sites. Outdated, inaccurate, fraudulent, or even dangerous information on the web is notoriously difficult to regulate. Our regulatory energies are better devoted to pressing health information problems that are soluble, such as Balkanised approaches to regulating cross border health interactions and the security and privacy of personal medical information.

    Footnotes

   Competing interests: None declared.


 

    References


 

1. Berland GK, Elliott MN, Morales LS, Algarzy JI, Kravitz RL, Broder MS, et al. Health information on the internet: accessibility, quality, and readability in English and Spanish. JAMA 2001; 285: 2612-2621.
2. Federal Trade Commission. "Operation Cure.All" wages new battle in ongoing war against internet health fraud. Press release, 14 June 2001. www.ftc.gov/opa/2001/06/cureall.htm (accessed 24 Jan 2002).
3. Terry NP. Cyber-malpractice: legal exposure for cybermedicine. Am J Law Med 1999; 25: 349-358.
4. Eysenbach G. An ontology of quality initiatives and a model for decentralized, collaborative quality management on the (semantic) world wide web. J Med Internet Res 2001; 3(4): e34.
5. MedCertain. www.medcertain.org (accessed 24 Jan 2002).
6. WHO proposal would raise quality of internet health information. Press Release WHO/72, 13 November 2000. www.who.int/inf-pr-2000/en/pr2000-72.html (accessed 24 Jan 2002).
7. URAC, American Accreditation Health Care Commission. Health web site accreditation. www.urac.org/v1-0.PDF (accessed 25 Jan 2002).
8. Jadad AR, Gagliardi A. Rating health information on the internet: navigating to knowledge or to Babel? JAMA 1998; 279: 611-614.
9. Delamothe T. Quality of websites: kitemarking the west wind. BMJ 2000; 321: 843-4.
10. Terry NP. Rating the "raters": legal exposure of trustmark authorities in the context of consumer health informatics. J Med Internet Res 2000; 2(3): e18.
11. West Virginia Code. W Va Code §30-3-13 (2001).
12. National Association of Boards of Pharmacy. VIPPS. www.nabp.net/vipps/intro.asp (accessed 24 Jan 2002).
13. Texas Administrative Code, 22 Tex. Admin. Code §§291.34, 291.36.
14. Eysenbach G, Diepgen TL. Responses to unsolicited patient email requests for medical advice on the world wide web. JAMA 1998; 280: 1333-5.
15. Kane B, Sands DZ. Guidelines for the clinical use of electronic mail with patients. J Am Med Inform Assoc 1998; 5: 104.
16. Medem. Online medical liability addressed by national consortium: medical liability moves online. Press release, 29 Jan 2002. www.medem.com/corporate/xl_corporate_medeminthenews_detail.cfm?ExtranetPressNewsKey=121 (accessed 25 Feb 2002).
17. Center for Drug Evaluation and Research. Guidance for industry; consumer-directed broadcast advertisements, August 1999. www.fda.gov/cder/guidance/1804fnl.htm (accessed 24 Jan 2002).
18. Center for Drug Evaluation and Research. Warning letters and notice of violation letters to pharmaceutical companies. www.fda.gov/cder/warn/index.htm (accessed 24 Jan 2002).
19. Perez v Wyeth Laboratories Inc. 734 A.2d 1245 (NJ 1999).
20. American Medical Association. House of Delegates, June 19 2001, Resolution 503. www.ama-assn.org/ama/pub/category/4940.html (accessed 24 Jan 2002).
21. Terry NP. AMA Ethics Forum: Making a health web site ethically sound. Am Med News 2001 June 4.
22. Consumers International. Privacy@net: an international comparative study of consumer privacy on the internet. January 2001:5-7. www.consumersinternational.org/news/pressreleases/fprivreport.pdf (accessed 25 Jan 2002).
23. Federal Trade Commission. FTC chairman announces aggressive, pro-consumer privacy agenda. Press release, 4 Oct 2001. www.ftc.gov/opa/2001/10/privacy.htm (accessed 24 Jan 2002).
24. Federal Trade Commission. Eli Lilly settles FTC charges concerning security breach. Press release, 18 Jan 2002. www.ftc.gov/opa/2002/01/elililly.htm (accessed 25 Feb 2002).
25. Federal Trade Commission. FTC seeks comment on amending children's internet privacy rule. Press release, 26 Oct 2001. www.ftc.gov/opa/2001/10/slidingscale.htm (accessed 24 Jan 2002).
26. Department of Health and Human Services. Standards for privacy of individually identifiable health information. 65 Fed. Reg. 82462 (28 Dec 2000), http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm (accessed 24 Jan 2002).
27. Office of the Federal Privacy Commissioner. Guidelines on privacy in the private health sector (October 2001). www.privacy.gov.au/publications/hg_01.html (accessed 24 Jan 2002).
28. Council of the European Communities. Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the member states concerning liability for defective products. http://europa.eu.int/eur-lex/en/lif/dat/1985/en_385L0374.html (accessed 24 Jan 2002).
29. Quintiles and WebMD announce settlement agreement, October 12, 2001. www.quintiles.com/corporate_info/press_releases/press_release/1,1167,891,00.html (accessed 24 Jan 2002).
30. Web mishap: kids' psychological files posted. LA Times 2001 Nov 7. www.latimes.com/technology/la-000088956nov07.story (accessed 24 Jan 2002).
31. Terry NP. An eHealth diptych: the impact of privacy regulation on medical error and malpractice litigation. Am J Law Med 2001; 27: 361-419. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=286778 (accessed 7 Feb 2002).

(Accepted 21 January 2002)

 


Commentary: Legal aspects of health on the internet: a European perspective

Benedict A Stanberry, managing director

Avienda Limited, PO Box 2327, Cardiff CF23 9YW

ben.stanberry@avienda.co.uk

For many European citizens, online doctors and pharmacies offer the opportunity to acquire medical advice and treatment from abroad more cheaply or swiftly than they could in their own country. Yet, in common with the individual states in the United States, regional and national authorities of the member states of the European Union seem to be resisting online medical practice. Indeed, they are actively entrenching legal barriers to such practice rather than liberalising regulations.

On 10 January 2002, for instance, a doctor from Staffordshire who sold the "sex pill" Viagra and a slimming drug, Xenical, through the MEDClinic website (www.medclinic.co.uk) was found guilty of serious professional misconduct by the United Kingdom's General Medical Council and suspended for three months.1 During his suspension the GMC will decide whether or not to take further action. The case clearly shows that the practice, common on websites, of requiring an online questionnaire to be completed by the patient and reviewed by the prescribing doctor is not considered anywhere near adequate to avoid a gross breach of the standards of patient care expected of doctors by the GMC. It remains to be seen whether or not, in light of this ruling, similar services throughout Europe will modify their practices.

In the case of DocMorris (www.docmorris.com), an internet pharmacy based in the Netherlands, a Berlin court ruled in May 2001 that their sale of pharmaceuticals through the internet (at an average discount of 20% compared with German competitors' prices) was illegal. A second DocMorris case was brought before a court in Frankfurt in August 2001. It has been referred to the European Court of Justice for a ruling as to whether Germany is infringing the principle of the free movement of goods by outlawing cross border trade in medicines.2 A further question is whether internet pharmacies are effectively prevented from describing prescription medicines on their websites by a European directive which prohibits direct to consumer advertising of medicines (a practice permitted in the United States).3

Even if the case goes well for DocMorris, truly cross border medical practice remains a distant dream. Professional medical qualifications awarded by one EU state are valid in all the other member states, but this does not grant a right to automatic registration: clinicians must apply to the national or regional authority that supervises medical practice in the member state in which they wish to practise.4

This system can scarcely deal with the physical movement of clinicians within the European Union: there is no system by which the striking-off of a clinician in one member state can be brought to the attention of the authorities in other states in which that clinician may be practising. Supervising medical practice in the internet age therefore presents great challenges. It may become impossible to prevent foreign healthcare providers from delivering healthcare related goods and services into another member state. Logically, the emphasis of European policy in this area ought now to switch from resisting online health services to finding ways to properly supervise and accredit them.

The quality and reliability of health information on the internet remains of paramount concern in Europe, as elsewhere. Self regulatory codes of ethics for health websites abound, yet the quality and practices of many are highly questionable.

Little progress seems to have been made, moreover, in assuring consumers that the information they share with health websites will not be misused. Several US studies have already concluded that websites' privacy practices do not match their proclaimed policies.5 In an attempt to counter this erosion of trust in Europe, the European Commission's guidelines for quality criteria for health related websites have recognised that there is no shortage of legislation in the field of privacy and security.6 They have drawn specific attention to a new recommendation regarding online data collection adopted in May 2001 that explains how European directives on issues such as data protection should be applied to the most common processing tasks carried out via the internet.7

The challenge facing Europe's health professionals and policymakers is to carefully craft the development of new approaches to the supervision of medical and pharmaceutical practice. Their ultimate goal is to raise consumers' confidence in online healthcare. They must ensure that the mechanisms are put in place whereby health professionals themselves can benefit from using the internet, while still ensuring the highest standards of medical practice.

    Acknowledgments

Avienda was formerly known as the Centre for Law Ethics and Risk in Telemedicine.

    Footnotes

Competing interests: None declared.


 

    References


 

1. http://news.bbc.co.uk/hi/english/uk/england/newsid_1752000/1752670.stm (accessed 5 Feb 2002).
2. Case C-322/01: Reference for a preliminary ruling by the Landgericht Frankfurt am Main by order of that court of 10 August 2001 in the case of Deutscher Apothekerverband e.V. against DocMorris NV and Jacques Waterval. Official Journal of the European Communities No C 2001 December 8:348/10.
3. Council Directive 1992/28/EEC of 31 March 1992 on the advertising of medicinal products for human use. (Articles 1(3) and 3(1).) Official Journal of the European Communities No L 1995 11 February:32/26.
4. Directive 2000/31/EC on mutual recognition of primary medical and specialist medical qualifications and minimum standards of training. Official Journal of the European Communities No L 2001 July 31:206/1-51.
5. Schwartz J. Medical websites faulted on privacy. Washington Post 2000 February 1.
6. http://europa.eu.int/information_society/eeurope/ehealth/quality/draft_guidelines/index_en.htm (accessed 5 Feb 2002).
7. European Commission. Recommendation 2/2001 on certain minimum requirements for collecting personal data on-line in the European Union. Adopted on 17 May 2001. http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp43en.htm (accessed 25 Jan 2002).

© BMJ 2002
 
