Doesn’t this violate HIPAA?

As careful as consumers may be about revealing personal information to product companies, few take the same care when it comes to volunteering private health information to third parties who aren’t their doctors or healthcare providers. Yet, online health risk assessments, offered by growing numbers of employers and insurance companies, ask for even more personal information about lifestyle habits, medical histories, and health. The information is compiled into electronic medical databases and used to identify people to be targeted for health tests, monitoring, education and health care management.

Many are promoted as online medical records to make it easier for consumers to put all of their records and health information in one place for ready access wherever they are. In return, besides free tote bags or discounts on their insurance, participants are given targeted health information to guide them to healthful behaviors. Growing concerns are being raised about these electronic databases, including how personal information is being shared, sold and used, especially as the marketing interests behind them are becoming better recognized.

HIPAA is not my area of expertise. Does it only apply to care providers and pharmacies? Why not on-line medical records repositories? That certainly seems in line with the purpose of the law.

Edit! I have access to a HIPAA expert, and here is what she had to say:

The only entities that are required by federal law to comply with HIPAA are health plans, health care clearinghouses and health care providers, if the provider transmits any health information in electronic form. That means that Google, Microsoft and these state networks cropping up all over the place to provide health information statewide, generally do not have to comply with any privacy laws.

. . .

At this point there are no safeguards on the system. There are no audits of access. . . . I would not use anything on the Internet to collect any personal information about me, especially my health information, and I would tell all my friends and families to forgo that opportunity as well. Those businesses are not required to provide any privacy protections for health information. Depending on the state in which you live, they may be required to protect your personal information like address, phone number, date of birth and social security number.

I think the answer is to assimilate all of my health information on my personal password protected jump drive that I can then carry with me, and have available as I need it. Of course there are problems with that as well. If I get hit by a car, and I’m the only person who knows the password, it’s useless.

So there you have it. Avoid these on-line repositories of healthcare info, get a jump drive, and tell your BFF your password in case you get hit by a car.
