Privacy and Health Research

From:
William W. Lowrance, Ph.D.

1. Coupled Societal Goods: Privacy and Research

At issue right now—as health care is rapidly becoming industrialized, collectivized, and computerized—is to what extent society will preserve the cherished tradition of patient–healthcare provider confidentiality with its many implications, and the related relationships of trust with those who perform health research.

Also at issue is whether the public's current apprehensiveness about invasions of privacy by various forces will result in "backlash" legal restrictions that will jeopardize aspects of health research, ultimately to society's detriment.

The policy and technical challenges are to devise improved ways for preserving individuals' informational privacy, while at the same time preserving justified research access to personal data in order to gain health benefits for society. Much is at stake.

CURRENT LEGISLATIVE ATTENTION

Several important legislative events are focusing attention on the issues.

But even if all these formal activities weren't occurring, now would be a propitious time to review the issues. Indeed, for reasons that will be made evident below, now is almost too late.

As the fundamental nature of health care, and of health data and their uses, is changing dramatically, society must—now—examine and re-decide how much it cares about protecting health privacy. Health researchers must be certain that they are taking all reasonable measures to safeguard the data they collect and use, and to maintain the respect for privacy that is embodied in the very compact with society under which they work. And society must reformulate and update some of the rationales and criteria under which the health experience of individuals may be studied to benefit society.

HEIGHTENED PUBLIC CONCERN

The public are rightly concerned about the erosion of privacy of information about health, for at least the following reasons taken together.

For the general public all of this has induced a cynical resignation, with undertones of resentment. There seem to be relatively few complaints about privacy intrusions by research. But important research access to data may well suffer, largely for wrong reasons. And research programs do probe people's bodies and lives in intimate ways, record and analyze data that people feel sensitive about, and move data around.

PRIVACY, CONFIDENTIALITY, SECURITY

Privacy is a deeply felt but elusive concept. Everyone is sensitive to having his privacy violated. The concepts of "personal matters" and "intimate knowledge" are familiar, as is the notion that individuals live in a "private sphere" over which they are to be granted autonomy. The right to private life was proclaimed in the Universal Declaration of Human Rights and has been reaffirmed in every other human rights declaration since 1945.

But defining privacy in a way that is applicable to all persons and situations is impossible. Everyone believes that some, indeed many, core aspects of his life "are nobody else's business." Yet what one person is fiercely secretive about, another may openly reveal.

Privacy is not an ersatz notion, just an elusive and relative one. It is a concept difficult to formalize. Philosophically it tends to be derived from, or gain force by being associated with, other societal goods, such as freedom of self-determination. (1)

Informational privacy is not explicitly protected by the U.S. Constitution. Nonetheless, many aspects of personal life that can be considered "private" are protected under a patchwork of Federal and State laws, and by interpretations derived from such Constitutional principles as due process or restriction on unreasonable searches and seizures. Obligations to respect confidentiality of shared information are standard elements in the law of contracts. Some U.S. Federal agencies' statutes, such as those governing the scientific work of the National Center for Health Statistics, set firm constraints on the redisclosure of personally identifiable data. So do the State laws on confidentiality of medical records.

One of the few widely cited legal expressions in this area is that of Louis Brandeis and Samuel Warren in 1890, who, themselves quoting an authority on tort law, defended the privacy "right to be let alone." (2) Yet that doesn't carry much compulsion in the modern world (if indeed it did in the good jurists' era).

In his 1967 book, Privacy and Freedom, Alan Westin defined informational privacy as meaning "the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others."(3) "Privacy," according to Lawrence Gostin, "is the right of individuals to limit access by others to some aspect of their persons." (4) The U.S. National Information Infrastructure Task Force, in 1995, formulated it this way: (5)

Information privacy is an individual's claim to control the terms under which personal information—information identifiable to an individual—is acquired, disclosed, and used.

Obviously, privacy is a highly relative matter—relative to personal and societal values, and relative to the context.

Obviously too, in the contemporary world it is easy for people, even at great remove, to know things about others without the subjects being aware of the knowing, which adds much more difficulty to the definitional problem.

Privacy can be demanded, and sometimes obedience to that demand can be compelled. But privacy, at essence, is something that we grant to others out of basic human respect.

Privacy and confidentiality are related to each other but are not identical notions. Privacy is much broader and is closer to moral fundamentals. Alan Westin, again, made a useful distinction: (6)

Privacy is the question of what personal information should be collected or stored at all for a given function. It involves issues concerning the legitimacy and legality of organizational demands for disclosures from individuals and groups, and setting of balances between the individual's control over the disclosure of personal information and the needs of society for the data on which to base decisions about individual situations and formulate public policies.

Confidentiality is the question of how personal data collected for approved social purposes shall be held and used by the organization that originally collected it, what other secondary or further uses may be made of it, and when consent by the individual will be required for such uses. It is to further the patient's willing disclosure of confidential information to doctors that the law of privileged communications developed.

Such distinctions are implied in the opening sentence of the "Information Practices" form that is discussed with patients entering the hospital at the U.S. National Institutes of Health: "We, here at the Clinical Center, strive to provide privacy for all our patients and to maintain the confidentiality of the sensitive personal information they share during the course of treatment." (7)

The U.S. Office for Protection from Research Risks asserts that "Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure without permission." (8)

Relating to privacy and confidentiality is "security." In a disturbing but constructive recent report on protection of computerized health records, a panel of the National Research Council construed it this way: (9)

Security consists of a number of measures that organizations implement to protect information and systems. It includes efforts not only to maintain the confidentiality of information, but also to ensure the integrity and availability of that information and the information systems used to access it.

As Alan Westin put it, "Security of data involves an organization's ability to keep its promises of confidentiality."(10) Willis Ware once combined the three terms in one sentence: "If the security safeguards in an automated system fail or are penetrated, a breach of confidentiality can occur and the privacy of data subjects be invaded." (11)

Often issues are cast as "fair information practice" rather than as "privacy or confidentiality protection," to acknowledge that privacy is relative, not absolute; to convey the expectation that in complex modern societies most data will be put to multiple uses; and to imply the weighing-off of different interests, under considerations of fairness.

Fair information practices that are invoked include: (12)

PRIVACY AND CONFIDENTIALITY IN HEALTH CARE (13)

An inevitable logical starting-point is the hallowed medical privacy tradition dating back at least as far as Hippocrates—but one doesn't have to be cynical to surmise that even Dr. H's own receptionist may have gossiped about patients' foibles and maladies.... The precept of nondisclosure is an ideal. But it has been, and should still be, central to the patient–physician relationship, and to the similar relationship with nurses, pharmacists, health social workers, and other care-providers.

The assurance that revelations made within the healthcare relationship will be held confidential encourages people to seek care in the first place, and then to be open in the exchanges involved—divulging information truthfully, asking questions even though doing so may be awkward or embarrassing, cooperating with procedures, and generally nurturing mutual confidence in the relationship. This is essential to effective health care, including public-health surveys and many other activities beyond primary care. (14)

Thus there is the expectation, embodied in most medical licensing laws and in professional codes, that medical care is delivered within a "medical circle" supervised by physicians and performed within accredited clinics and other institutions. Nurses, pharmacists, physical therapists, laboratory technicians, orderlies, data clerks, and the rest of the "healthcare team" are bound by licensing, ethical obligations, and/or their employment contracts, to respect patients' privacy.

Given the unlikelihood of strict supervision and enforcement within complex, bustling healthcare organizations, institutional "cultures" that emphasize respectful ethical practice are at least as important for patients' privacy as legal rules are.

As will be mentioned repeatedly in this Report, a major problem is that today physicians' span of control simply does not extend to follow or protect data as they are examined by all the different parties who claim rights to access. New responsibilities and liabilities need to be delineated.

PRIVACY AND CONFIDENTIALITY IN HEALTH RESEARCH (15)

The ethos surrounding research on humans was recast and codified after World War II, as the world coped with the revelation of the medical atrocities perpetrated by the Nazis. The resulting "Nuremberg Code"—the opening sentence of which was, "The voluntary consent of the human subject is absolutely essential"—established principles having to do with the purposes of the research, gauging of risk and benefit to the subject, qualifications of researchers, and subject rights generally. (16) Consent is central in all privacy negotiations.

Initially in 1964, then through subsequent revisions, these ethical concepts were developed and disseminated much further by the World Medical Association's "Declaration of Helsinki: Recommendations Guiding Medical Doctors in Biomedical Research Involving Human Subjects." (17) The Declaration's sixth principle is: "Every precaution should be taken to respect the privacy of the subject...." Over the years a number of groups have firmed-up the philosophical foundations and guided the application of the Helsinki principles.

In the U.S. one of the most influential inquiries was the 1979 "Belmont Report" of the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. It probed the (often, soft) distinctions between routine healthcare practice and medical experiment. Then it crystallized three principles of subject protection, and at length discussed their application to various research situations: (18)

These Belmont principles have been elaborated upon in many settings, and they serve as guides to researchers and Institutional Review Boards. Explicitly and implicitly, they have been widely applied to privacy and confidentiality decisions.

In the early 1970s such prophets as Alan Westin raised the alarm about erosion of privacy as the world moved into the computer age. (19) Partly out of concern about computerized (then also called "automated") data systems, in 1974 the U.S. passed the landmark "Privacy Act," covering personally identifiable data held by the Federal government (discussed on page 59).

A Privacy Protection Study Commission, which had been created by the Privacy Act, in 1977 issued a sweeping report on the way "records mediate relationships between individuals and organizations and thus affect an individual more easily, more broadly, and often more unfairly than was possible in the past." (20) It covered most government and commercial activities.

With respect to medical data the Commission's conclusions and predictions were absolutely correct. It noted the rapid broadening of the scope of data covered, and the decrease in data control by medical practitioners. Regarding secondary use of data, and consent, the Commission was prescient:

It appears that the importance of medical-record information to those outside of the medical-care relationship, and their demands for access to it, will continue to grow. ... There appears to be no natural limit to the potential uses of medical-record information for purposes quite different from those for which it was originally collected.

Moreover:

As third parties press their demands for access to medical-record information, the concept of consent to its disclosure, freely given by the individual to whom the information pertains, has less and less meaning.

The Commission emphasized three privacy-policy objectives: (21)

That was in 1977. The broad public agreement with the Commission's findings was not—still has not been—matched by legislation to attend to the problems.

A very important step for Europe was the passing by the Council of Europe, in 1981, of a carefully worked out "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data," the principles of which have become practice in most of the Member States (discussed on page 54).

Various bodies have examined the issues since then, especially as the U.S. debated healthcare reform and dashed/stumbled toward "managed care" in the early 1990s. (22)

POTENTIAL HARMS FROM WRONGFUL DISCLOSURE

Wrongful disclosure of confidential health data may occur either through carelessness—through gossip in a clinic, for instance, or lazy discarding of clinical records—or through deliberate transgression, either by someone associated with the data-holder or by an outsider.

Harm may be inflicted through the very fact of disclosure—that is, simply through other people's coming to know things that the data-subject, and presumably the entrusted data custodian, expected to be kept confidential. The subject may feel embarrassed, vulnerable, or otherwise violated, as well as feel betrayed by the data-holder, and personal or other relationships may suffer.

Or, harm may be incurred if discrimination is brought against the interests of the subject (in employment hiring or promotion, access to health or life insurance, access to housing, qualifying for a loan, exposure in legal proceedings, etc.) based on wrongfully disclosed information.

Abuses may be personally offensive and harmful, though not necessarily illegal; or they may be clearly illegal (such as blackmail).

Commentators usually surmise that threats to health data are more likely to be perpetrated from inside the data-holding organization, through curiosity, nosiness, mischief, or malice, than from outside. This is especially a vulnerability of computerized systems having many nodes and only weak security controls. Outside attackers of health data range from computer pranksters, to business competitors, to private detectives pursuing evidence of unfitness in divorce or child-custody cases, to journalists probing the lives of celebrities or other public figures.
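The insider problem described above is, in practice, addressed less by stopping the access than by making every record access attributable and then checking it against a treatment relationship. The following is an added illustration, not code from the Report or from any health-records vendor: it runs a small audit over constructed access-log lines and flags (a) staff in non-clinical roles opening clinical data, (b) clinicians opening records of patients they are not assigned to, and (c) bursts of such unrelated accesses that look like browsing. The log format, the treatment roster, the role list and the thresholds are all assumptions made for the example.

```python
"""Added example (not part of the Report): flag insider "snooping" in an
EHR access audit trail by checking each access against a treatment
relationship.  Log format, roster, role list and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed roster: (user, patient) pairs with a current treatment relationship.
TREATMENT_ROSTER = {
    ("dr_alvarez", "P1001"), ("dr_alvarez", "P1002"),
    ("rn_chen", "P1001"), ("rn_chen", "P1003"),
}

# Assumed roles whose duties never include opening clinical content.
NON_CLINICAL_ROLES = {"billing", "it_support"}

# Constructed audit-log sample: timestamp|user|role|patient|action
SAMPLE_LOG = """\
2024-05-01T08:02:11|dr_alvarez|physician|P1001|view_notes
2024-05-01T08:05:43|rn_chen|nurse|P1003|view_meds
2024-05-01T12:10:02|rn_chen|nurse|P1002|view_notes
2024-05-01T12:10:40|rn_chen|nurse|P1004|view_notes
2024-05-01T12:11:05|rn_chen|nurse|P1005|view_notes
2024-05-01T12:11:30|rn_chen|nurse|P1006|view_notes
2024-05-01T13:00:00|billing_07|billing|P1001|view_notes
2024-05-01T13:30:00|dr_alvarez|physician|P1002|view_labs
"""

BURST_WINDOW = timedelta(minutes=5)   # assumed tuning values
BURST_THRESHOLD = 3                   # distinct unrelated patients in window


def parse_log(text):
    """Turn the pipe-separated sample into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def _burst_alerts(user, unrelated):
    """unrelated: time-sorted (ts, patient) accesses lacking a relationship.
    Emit one alert per window in which the user touched >= BURST_THRESHOLD
    distinct unrelated patients, then skip past that window."""
    alerts, i = [], 0
    while i < len(unrelated):
        start = unrelated[i][0]
        window = [p for ts, p in unrelated[i:] if ts - start <= BURST_WINDOW]
        distinct = sorted(set(window))
        if len(distinct) >= BURST_THRESHOLD:
            alerts.append({"reason": "browsing_burst", "user": user,
                           "patients": distinct, "ts": start})
            i += len(window)
        else:
            i += 1
    return alerts


def audit(events, roster=TREATMENT_ROSTER, non_clinical=NON_CLINICAL_ROLES):
    """Return a list of alert dicts; an empty list means nothing suspicious."""
    alerts = []
    unrelated_by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["role"] in non_clinical:
            alerts.append({"reason": "role_mismatch", "user": e["user"],
                           "patient": e["patient"], "ts": e["ts"]})
            continue
        if (e["user"], e["patient"]) not in roster:
            alerts.append({"reason": "no_treatment_relationship",
                           "user": e["user"], "patient": e["patient"],
                           "ts": e["ts"]})
            unrelated_by_user[e["user"]].append((e["ts"], e["patient"]))
    for user, accesses in unrelated_by_user.items():
        alerts.extend(_burst_alerts(user, accesses))
    return alerts


if __name__ == "__main__":
    for a in audit(parse_log(SAMPLE_LOG)):
        print(a)
```

Two design points matter more than the thresholds. First, the check only works if the audit trail is written by the system, not by the user, and is itself protected from the people it monitors; an insider who can edit the log defeats it. Second, a missing roster entry is not proof of wrongdoing (consults, covering shifts and emergencies all produce legitimate unrelated accesses), so the output is a review queue for a privacy officer, not an automatic sanction.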

An important issue for policy is whether to focus controls and sanctions on protection of confidentiality per se (i.e., protecting against unwarranted disclosure in-and-of-itself), or on punishing inflictions of harm that occur because data are used improperly, or both. (The author believes it should be both.)

SOME ANCILLARY PRIVACY-RIGHTS CLAIMS

Privacy has variously been cited as a rationale to cover a great many situations. (23) Here we can just note a few potentially relevant for health research. Among data-subject rights claimed have been:

Each such claim has to be judged in its context.

WEIGHING PRIVACY AGAINST RESEARCH NEED

This study takes it as given that because members of society benefit greatly from health research, research—if it is for justifiable purposes, and is conducted with proper protection of subjects—must continue to be allowed controlled access to individuals' health data.

In the compact between health researchers and the public, good-faith respect for privacy, and therefore stewardship of confidentiality, is necessary and expected. (24) The idea of a compact pervades the "Guidelines for the Conduct of Research Involving Human Subjects at the National Institutes of Health," for instance, which are prefaced by the admonition:(25)

Society has granted a conditional privilege to perform research on human beings. The condition is that it must be conducted in a way that puts the rights and welfare of human subjects first.

In a similar spirit the "Nondisclosure Statement" that all employees of the U.S. National Center for Health Statistics are required to sign declares: (26)

The success of the Center's operations depends upon the voluntary cooperation of States, of establishments, and of individuals who provide the information required by Center programs under an assurance that such information will be kept confidential and be used only for statistical purposes.

The challenge is to devise criteria, standards, laws, regulations, systems, and professional practices for controlling physical and cyber access to data, managing personal identifiability, and securing informed consent—while, at the same time, facilitating justified research access.
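"Managing personal identifiability" is the one item in that list that is mostly a technical matter, and the usual mechanism is pseudonymization of the extract that researchers receive: direct identifiers are dropped, quasi-identifiers are coarsened, and the record number is replaced by a stable token so that a patient's records still link across visits. The following is an added example, not code from the Report or from any institution it cites. It keys the token with a secret held only by the data custodian, so that re-identification (say, to return a clinically significant finding) is possible for the custodian and for nobody else, and it shows why the common shortcut of a plain hash does not achieve that. The key, the record layout, the sample rows and the attacker's candidate range are all constructed assumptions.

```python
"""Added example (not from the Report): keyed pseudonymisation of a research
extract, with a demonstration of why an unkeyed hash is not a pseudonym.
Key, record layout, sample rows and candidate range are assumptions."""
import hashlib
import hmac

# Assumed custodian secret. In practice generated and held in a KMS/HSM by the
# data custodian and never shipped alongside the extract.
CUSTODIAN_KEY = b"example-custodian-key-do-not-reuse-0001"

DIRECT_IDENTIFIERS = ("mrn", "name", "phone")

# Constructed sample rows; not real patients.
SOURCE_ROWS = [
    {"mrn": "00012345", "name": "A. Example", "phone": "301-555-0100",
     "dob": "1961-03-14", "zip": "20892", "visit_date": "2024-05-01", "dx": "E11.9"},
    {"mrn": "00012345", "name": "A. Example", "phone": "301-555-0100",
     "dob": "1961-03-14", "zip": "20892", "visit_date": "2024-06-12", "dx": "I10"},
    {"mrn": "00098765", "name": "B. Sample", "phone": "301-555-0199",
     "dob": "1975-11-02", "zip": "21201", "visit_date": "2024-05-03", "dx": "J45.20"},
]


def keyed_pseudonym(mrn, key=CUSTODIAN_KEY):
    """Stable token: same MRN -> same token, so records link, but the mapping
    cannot be recomputed by anyone who lacks the custodian's key."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_pseudonym(mrn):
    """The weak alternative (plain hash); kept only to demonstrate the attack."""
    return hashlib.sha256(mrn.encode()).hexdigest()[:16]


def deidentify(row, key=CUSTODIAN_KEY):
    """Drop direct identifiers, tokenize the MRN, coarsen quasi-identifiers."""
    out = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
    out["pid"] = keyed_pseudonym(row["mrn"], key)
    out["birth_year"] = out.pop("dob")[:4]         # full date of birth -> year
    out["zip3"] = out.pop("zip")[:3]               # 5-digit ZIP -> 3-digit prefix
    out["visit_month"] = out.pop("visit_date")[:7]  # exact date -> month
    return out


def release_extract(rows, key=CUSTODIAN_KEY):
    return [deidentify(r, key) for r in rows]


def confirm_guess(target_pid, candidate_mrns, key):
    """Try to map a token back to an MRN by enumerating candidates.
    key=None models an attacker against the unkeyed scheme; a wrong key models
    an attacker against the keyed scheme; the custodian's key models the
    sanctioned re-identification path.  Returns the MRN or None."""
    for mrn in candidate_mrns:
        pid = unkeyed_pseudonym(mrn) if key is None else keyed_pseudonym(mrn, key)
        if hmac.compare_digest(pid, target_pid):
            return mrn
    return None


# Assumed attacker knowledge: MRNs are 8 digits and this patient's is in one block.
CANDIDATE_BLOCK = [f"{n:08d}" for n in range(12000, 13000)]


if __name__ == "__main__":
    extract = release_extract(SOURCE_ROWS)
    for r in extract:
        print(r)
    weak = unkeyed_pseudonym("00012345")
    print("unkeyed token recovered:", confirm_guess(weak, CANDIDATE_BLOCK, None))
    print("keyed token, wrong key: ", confirm_guess(extract[0]["pid"], CANDIDATE_BLOCK, b"guess"))
    print("keyed token, custodian: ", confirm_guess(extract[0]["pid"], CANDIDATE_BLOCK, CUSTODIAN_KEY))
```

The point of the last three lines is the governance consequence: with a keyed token, the question "is this record patient 00012345?" can be answered only by whoever holds the key, so the re-identification capability can be assigned to a named custodian, logged, and sanctioned, which is exactly the kind of delineated responsibility the Report calls for. Coarsening the quasi-identifiers is still necessary, because a birth date, ZIP code and visit date together can single a person out without any token at all.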

Yes, what is taken to be "justified" is itself a crucial issue. Privacy demands can hardly be judged in isolation. Balance must be sought between the good of privacy and the good of contributing to the improvement of society's health through research.

This "selfishness example" makes the fundamental point more clearly than many tomes of social philosophy: (27)

Doctor: Here; this medication will help your condition.
Patient: How do you know?
Doctor: A study of 10,000 people's experience showed that it helped 9,247 of them get better.
Patient: Good, I'll take it. But don't let anybody know whether I get better.

Patient-advocacy organizations should be urged to express publicly the willingness of the patients they represent to have themselves or their data studied in research, and in what kinds of research, and under what conditions. Some patient organizations have done this, and some have helped recruit volunteers to studies. Other groups, such as women's groups and organizations concerned with genetic conditions, have done the same, as has the U.S. Indian Health Service for its constituents.

Relevant basic legal logic was enunciated in 1980 by the U.S. Third Circuit Court of Appeals: (28)

The factors which should be considered in deciding whether an intrusion into an individual's privacy is justified are the type of record requested, the information it does or might contain, the potential for harm in any subsequent nonconsensual disclosure, the injury from disclosure to the relationship in which the record was generated, the adequacy of safeguards to prevent unauthorized disclosure, the degree of need for access, and whether there is an express statutory mandate, articulated public policy or other recognizable public interest militating toward access.

Similar logic must be applied in balancing individuals' privacy against the potential benefit to society of insights derived by studying individuals' health experience.

Respect for persons will best be served not by insisting on absolute privacy, which is unattainable in modern life anyway, but by seeking informed consent to reasonable use of health information under strictly delimited conditions; by safeguarding personal data carefully; by genuinely affording fair-information-use rights to data-subjects; and by enforcing sanctions against improper use.



Last updated 7/23/97.