Davis Wright Tremaine LLP Davis Wright Tremaine LLP
Practice Areas - HIPAA/advisory bulletins
Home

Practice Areas: HIPAA
 

Legal Services

Related Practice Areas

Advisory Bulletins

Publications & Resources

HIPAA Search
 

 
News to Use
Recruiting
DWT in the Community
Seminars & Training
Bookstore
Lawyer Directory
Office Locations
Search & Site Map

Advisory Bulletin

Pharmacy and the Internet: The Challenge and Opportunity of eHealth
By Keith M. Korenchuk
[March 2000]

The explosion of the Internet as a force in American life and business has created both opportunities and challenges, particularly in the delivery of health care. On the one hand the use of the Internet as an information source and as an empowering vehicle for individuals to take control over their own health issues is certainly a benefit. The challenges of the Internet, however, are significant when it comes to providing safe and reliable information to the public concerning health choices and information. Pharmaceuticals are at the center of the complex legal issues associated with the use of the Internet for health care. The use of online pharmacies to provide prescription drugs to patients raises both traditional and novel legal issues as the role of traditional health care regulation is challenged by the new medium that cuts across state lines, jurisdictional authority and international boundaries. Historically, the regulation of pharmaceuticals has been based on the state regulation of the practice of pharmacy and the practice of medicine. Because societies were focused around communities and mobility was limited, this state regulation worked well for a significant period of time. As society became increasingly mobile, state regulations began to be challenged as professionals moved jurisdictions and as mail order pharmacies were established to respond to the pressures of managed care to provide cost effective access to pharmaceutical products for patients. The combination of the Internet and health care, with immediate access to health care throughout the world from a computer demonstrated both the severe limitations of a state-based regulatory approach, and the complexity of complying with multiple jurisdictional requirements. This article examines legal issues in the context of the appropriate actions that should be undertaken by businesses wishing to capitalize on this growing source of commerce. It also provides an analytical framework applicable to other eHealth businesses.

From a legal perspective, the analysis of the pharmaceutical/Internet interface focuses on three different types of business activity:

(1) the traditional pharmacy business that utilizes the Internet to combine the traditional bricks and mortar pharmacy with a new avenue to obtain customers for those services;

(2) a business seeking the opportunity to combine both the pharmacy activity with the prescribing regimen, thus allowing a user at one site to obtain a prescription and have it filled without the need for independent physician advice;

(3) an offshore pharmacy where the business is located outside the United States and provides pharmaceuticals that may not be FDA approved without a prescription and physician involvement. The traditional pharmacy company with an Internet interface will encounter a number of traditional issues faced by telephone and mail order pharmacies.

First, they must deal with state licensure issues. To lawfully dispense drugs, Internet pharmacies will need to be licensed in the state in which they operate and will need to comply with the various state laws for patients that access them through their Internet site. For example, a pharmacy headquartered in California will be required, if it serves patients in New York, to comply with New York prescribing and dispensing laws.

Accordingly, it is crucial that pharmacies obtain licensure or regulatory approval in each of the states in which they wish to operate in order to maintain compliance for their operations.

A second important legal issue arises with respect to the protection of patient confidentiality. Pharmacies that engage in Internet commerce must have appropriate safeguards in place to protect confidential information of the patient. Without these safeguards, Internet pharmacies risk potential liability for damages caused by the inappropriate disclosure of patient information. Federal regulations have also been issued pursuant to the Health Insurance Portability and Accountability Act ("HIPAA"). These regulations will require pharmacies to use the latest technology available for data encryption to ensure that when the information is transmitted over the Internet it cannot be accessed by unauthorized individuals and require pharmacies to protect patient confidentiality. See 64 Fed. Reg. 59918. Other legal issues involve using appropriate risk management methods to reduce the risk of professional liability associated with engaging in the pharmacy business.

Pharmacies must be in a position to verify that a prescription has been appropriately written. While the verification process is similar to that used by pharmacies which operate locally or on a mail order basis, the Internet provides a wider geographic area and level of complexity for companies to obtain appropriate verification. Verification activities include ensuring:

(1) that the prescription is valid when received by the pharmacy;

(2) that the physician is authorized to write the prescription; and

(3) that the physician has appropriate licensure, in particular with respect to the prescription of federal controlled substances.

Pharmacies that provide health and product information online must make certain that the information is accurate and not misleading. Inappropriate provision of information to the patient could result in potential liability from injury to a patient that relies on this information, or from a state consumer protection or Federal Trade Commission action against an Internet pharmacy for promulgating deceptive information.

A second type of company seeking to join the Internet/pharmacy explosion is one which combines the pharmacy function with a prescribing function. The second line of business presents significant legal challenges beyond those presented by traditional pharmacies, although they face the same compliance issues discussed above as well.

Providing clear guidance to organizations that seek to comply with the law presents a significant challenge in this second line of business. This regulatory uncertainty also provides an opportunity for unscrupulous operators to test the limits of current regulatory authority with respect to the prescribing and dispensing activities.

These organizations often provide the online user with the ability to access pharmaceutical information, to fill out a patient encounter form, and to order pharmaceuticals online without the patient independently seeking medical advice and an independently obtained prescription. The online process often includes a physician consultation with an online fee charge for the medical review of the prescription.

For companies and medical professionals that engage in this type of business the legal risks are considerable. A licensed physician or other authorized health care professional is required under all state laws to make the prescription decision. If a valid prescription is not obtained, the pharmacy company itself could violate the practice of medicine prohibitions that are contained in applicable state law. To reduce this legal risk, organizations which engage in such activities should retain licensed physicians to provide appropriate patient review and prescriptive authority.

Physicians who are retained for this prescriptive authority function, however, face the risk of violating the practice of medicine laws in various states. For example, a physician located in California would violate New York law by prescribing a drug to a New York resident if that physician was not appropriately licensed in the state of New York. Various state attorneys general have undertaken enforcement activities against physicians who prescribe for residents in particular states if the physician is not authorized to practice medicine in that state and has not established an appropriate patient/physician relationship.

The nature of the forms used to collect patient information, the role of the physician in the review, and the ability to document those activities present site design challenges and operational obstacles for pharmacies seeking to incorporate the prescriptive activity within their website. Validly licensed physicians who prescribe without sufficient patient contact risk ethical, regulatory, and legal challenges to their careers from the licensing authorities. Pharmacies that establish a patient relationship through the prescriptive process often will increase their exposure to liability actions if patient injury occurs. Sites that promise appropriate review by trained medical professionals, in effect, may be establishing a physician/patient relationship. To the extent that that relationship does not comply with appropriate standards of care, liability for damage that is caused by the action or inaction of the online company and its related medical personnel could occur. Accordingly, traditional standards of tort liability are likely to be applied to these organizations. The nature of the patient information gathering mechanism by which the prescription decisions are made, the ability of online medical personnel to make appropriate medical decisions without seeing the patient, the ability of organizations to identify potential adverse reactions, and the obligation to notify the patient if new developments occur if the patient seek refills, all present operational challenges and potential legal risks for these companies.

The third type of Internet organization, the offshore pharmacy, is the most problematic from a regulatory and enforcement perspective. By design, sites operated offshore of the U.S. allow consumers in the U.S. to obtain pharmaceuticals through the Internet without prescription from a physician and without the quality control standards that pharmaceuticals sold in the United States must meet. Accordingly, there is great concern from a consumer protection and safety perspective that these organizations operating in cyberspace will create significant harm to consumers in this country.

From a regulatory perspective most of these offshore companies are designed not to comply with applicable federal and state laws, hence the challenge arises concerning how state and federal laws can protect the citizens of their state and of this country. Generally, federal regulators will not have jurisdiction over foreign operations, and the ability to track down and enforce American legal standards on these organizations is difficult, at best, to achieve.

Perhaps industry self-policing among legitimate operators with the cooperation of foreign jurisdictions is a way to assist in regulatory oversight. While health and pharmacy businesses on the Internet race ahead at incredible speed, the legal and regulatory environment struggles to respond. On December 28, 1999, President Clinton proposed sweeping new legislation that would authorize the Food and Drug Administration ("FDA") to regulate online pharmacies. This proposed legislation would require on line pharmacies to meet licensure, confidentiality and operational standards.

It is likely that this proposed legislation will generate a significant debate from various constituencies who prefer a federal approach, a new coordinated state approach or the status quo. Congress, the White House, providers, pharmacies, pharmaceutical companies and consumer groups will likely join this vigorous policy debate that may establish the framework for the future regulatory approaches on a wide variety of eHealth issues.

The growth of self-certification by the industry will also continue through the efforts of legitimate operators. The National Association of Boards of Pharmacies (through its website www.nabp.net) has established a self-regulating seal of approval for companies that operate on the Internet in the pharmaceutical area. Under guidelines established this year, organizations that comply with the criteria of the National Association of Boards of Pharmacies may display its "seal of approval." This certification requires that online pharmacies be licensed in every state to which they ship drugs. In addition, the sites must meet standards for patient privacy, quality assurance, authentication and security of prescriptions and communications between patient and pharmacist. It is the expected that the regulatory and industry self-certification process will continue to develop as the industry grows. The development of the Internet as a means of delivering health care is now well underway. As with most technological developments, it presents both an opportunity and a challenge. The opportunity is to provide new mechanisms for the delivery of health care. The challenge for legitimate businesses that seek to comply with the law is to understand the complexities and uncertainties of state regulation. We can expect litigation, enforcement actions and additional legislation to confront this growing industry in the coming years.

Keith M. Korenchuk is a partner in Davis Wright Tremaine's Washington, D.C. office. He is a co-chair of the firmıs Health Section Council and is an experienced practitioner in the area of health law and has extensive experience in advising clients regarding eCommerce issues and the regulatory issues involved with dispensing medical information over the Internet. His clients include eHealth companies, health care systems, medical groups, hospitals, medical schools and managed care companies.

return to Advisory Bulletins main page

 
Davis Wright Tremaine LLP
Home | Practice Areas | News To Use | Recruiting | DWT in the Community
Seminars & Training | Bookstore | Lawyer Directory | Office Locations | Search & Site Map
Davis Wright Tremaine LLP Davis Wright Tremaine LLP
return to Advisory Bulletin main page