By doing all this, WellMed is complying with HIPAA's ban on "disclosure by sale, rental or barter" of certain personal health data without prior patient authorisation. The law also calls for patients to have access to their health records to correct any errors, and WellMed's privacy policy allows for such access online at any time.
While HIPAA was passed by Congress in 1996, its data privacy provisions were announced by the White House in December of last year.
Besides mandating patient access to records and patient authorisation, the new provisions require that doctors and companies providing health care services give patients notice of how their health records are being used. Companies covered by HIPAA have two years to comply.
Fines of up to $250,000 and jail terms of up to 10 years could be imposed on violators.
Although WellMed officials say they aren't technically covered by HIPAA, complying with its regulations means peace of mind for WellMed's users and a stronger business model for the company. WellMed aggressively markets its privacy protections on its site.
"Everything we do is consumer-focused," Meek said. "We're not simply trying to cover ourselves by complying with the law. We're complying with the spirit of HIPAA because it makes sense for our business."
According to experts familiar with the HIPAA statute's lengthy checklist for determining whether a company must comply with the law, WellMed might discover that the law applies to it after all. It's this uncertainty that argues for a cautious approach by any company to sharing or selling personal consumer information, analysts say.
Any company collecting or storing patient records "must interpret the law to see if they're required to comply" with HIPAA, said Eric Hemmendinger, a health industry analyst with Aberdeen Group.
Even if there's doubt about whether new privacy regulations apply to your company, experts say, expect to be asked by business partners to comply, particularly if they are subject to the privacy laws.
In the case of HIPAA, said Jody Patilla, vice president at MetaSeS, a data security consultancy in Atlanta, "Whoever has custody of the patient data is supposed to be responsible for the privacy of the data. HIPAA requires a 'chain of trust.' If you share health records with an insurance company, you need to have an agreement in place that that partner will maintain the same level of security that you will."
The law specifies compliance by HMOs, hospitals, insurance companies, individual doctors and health information "clearinghouses", a somewhat murky term that health companies are still trying to define, Patilla said.
That kind of regulatory murkiness may be visited soon on other industries as Congress gets serious about online consumer privacy.
The Gramm-Leach-Bliley Financial Services Modernization Act, for example, which passed late in 1999, will require banks and other financial services companies to let consumers decline to share certain personal information. Even if they're not covered now by such legislation, enterprises doing business online should begin to examine the way they think about collecting and storing personal consumer data, according to Aberdeen's Hemmendinger.
"Cleansing personal data of identifying information is going to become key" for companies that have kept identifying markers on such information up until now, he said. Smart companies will try to find ways to collect consumer data anonymously, thus bypassing much of the effort involved in stripping markers off data, Hemmendinger said.