bodies and medical privacy
This page considers questions about health records, patient
privacy, genetic redlining and adoption.
It covers -
- some basic questions about the shape of patient privacy,
medical data and the body
integrity, transparency and dignity - searches,
scans, touching and shame
therapy and confidentiality - is medical privacy now
a meaningless concept?
privacy in the networked environment - changing
relationships in health services, as one to one becomes
many to many
and health networks - questions about who owns your
medical records, who gets to see the data and its commercialisation
attitudes - conflicting views about the nature and
cost of medical privacy
testing and identification - data collection and
utilisation, including police forensic databases and
privacy legislation - major medical privacy enactments
- anonymity, registration and identity
privilege - doctor-patient relations in the courts
is a supplementary discussion
of national identification schemes, in particular health
service cards, and health
data registers. Australia's medical privacy regimes
are considered in more detail elsewhere
on this site.
Community expectations about 'bioprivacy' - and associated
practices and regulation - are complex and fragmented.
They reflect both the evolution of technologies (in particular
diagnostic and therapeutic technologies) and changing
social, economic and cultural relationships.
That is evident in -
ongoing 'industrialisation' of health services, with
continuing shift from a purely patient-doctor relationship
to interactions that may involve the patient and a large
number of nurses, technicians, doctors, system administrators
and third parties
by government agencies, health maintenance organisations
and insurers of services provided to patients
assembly and use (or misuse) of genetic and other databases
for the purposes of law enforcement, provision of financial
services and recruitment
about the rights of adopted children and biological
about biometric applications
diffusion of responsibilty from professional elites
to a wider range of actors, some of whom have an uncertain
grasp of ethics or indeed a strong commercial incentive
to erode the privacy of individuals
A result of that evolution is that bioprivacy protection
involves a patchwork of legislation, professional codes
and often unstated assumptions about practice or outcomes.
In Australia, the US and other countries much protection
is independent of primary privacy legislation such as
the Commonwealth Privacy Act 1988. Some protections
apply only to information held by government agencies.
Some protections (or an explicit lack of protection) apply
to specific groups, such as government employees and prisoners.
Some apply to particular medical conditions or types of
information, eg regarding HIV/AIDS or substance abuse.
In the West much thinking about medical privacy can be
traced back to the Hippocratic Oath, still a cornerstone
of medical ethics, with most doctors subscribing to a
shibboleth such as -
I may see or hear in the course of the treatment or
even outside of the treatment in regard to the life
of men, which on no account must spread abroad, I will
keep to myself, holding such things to be shameful to
be spoken about
practice contemporary economics and technologies mean
that there is a substantial tension between what is restricted
to a doctor and patient and what is "spread abroad".
Much debate accordingly centres on mechanisms for minimising
inappropriate access to (and misuse of) data that is necessarily
bodily integrity, transparency and dignity
In the 'age of the internet' it is easy to dismiss as
quaint Victorian medical practice - or that in some contemporary
societies - that preserved the privacy of female patients
by requiring medical practitioners to conduct physical
examinations while a patient was fully clothed or indeed
provide a diagnosis without having physically touched/seen
the patient. Undressing for the GP (or a proxy) of whatever
gender and responding to questions about health, lifestyle
and family is for many people so common as to be unremarked.
We have similarly come to accept reduction of bodily integrity,
such as cavity searches, and mandatory provision of blood
or other samples if that occurs within an appropriate
legal framework - typically one that affects other people,
such as prisoners, alleged drug smugglers and illegal
immigrants. If privacy is fundamentally "the right
to be left alone" all societies blur the right when
dealing with some citizens or non-citizens, whose bodies
are less of their own and more objects for interrogation
by the state.
Stripsearches and groping by an agent of the state date
from antiquity and have often taken place in public as
a demonstration of the searcher's power. Mandatory imaging
of passengers and visitors to some facilities is however
new and has provoked responses such as the ACLU comment
there is ever a place where a person has a reasonable
expectation of privacy, it is under their clothing.
from some privacy scholars have argued the importance
of differentiating between dignity and privacy or, more
persuasively, that electronic imaging may be less invasive
than a physical examination. The World Medical Association,
for example, calls
on authorities to explore alternatives to cavity searches.
Others have emphasised notions of best practice, with
arrangements for example to stop fellow passengers seeing
body scans while queuing to catch a flight. Imaging -
like cavity searches - should not be a public spectacle.
diagnosis, therapy and confidentiality
Preceding pages of this guide noted Scott McNealey's claim
that "privacy is already history: it is gone, so
get over it". That is arguably the case with medical
confidentiality in the traditional sense, ie the gathering,
storage, use and disclosure/disposal by medical practitioners
of information gathered from patients for the purposes
Medical confidentiality has traditionally had three functions
respect for the patient as an individual (and as the
practioner's employer), consistent with notions of etiquette
in primers such as Percival's Medical Ethics
noted earlier in this guide
trust, with patients encouraged to communicate honestly,
fully and effectively with the particular practitioner
broadly underpinning the delivery of health care across
Siegler's cogent 1982 Confidentiality in Medicine
- A Decrepit Concept comments that
bond of trust between patient and doctor is vitally
important both in the diagnostic process (which relies
on an accurate history) and subsequently in the treatment
phase, which often depends as much on the patient's
trust in the physician as it does on medications and
has been reflected in notions of professional privilege,
with doctors (but not necessarily agents and associates)
enjoying a legal status that is similar to that of journalists
and the clergy.
As with those groups doctors have found that privilege
has been modified in particular areas, for example obligations
to disclose information about specific medical conditions
and practices (eg recurrent unsafe sexual activity by
people who are HIV+ and the physical/sexual abuse of children).
Changing relations within societies are evident in debate
about whether doctors should disclose to parents information
provided by or about teenagers, who assume that they are
autonomous or independent of those parents/guardians.
There has been less debate about the nature of 'confidentiality'
in relations between patients, doctors and the increasingly
wide range of third parties.
Some observers have suggested that consumers are simply
quiescent, assessing that information flows are the price
paid for access to modern medicine and assuming that any
fundamental abuses can be addressed through legislation.
Others, drawing on often contradictory studies of consumer
and practitioner attitudes, suggest that many people are
unaware of medical privacy challenges and indeed when
alerted often overreact through calls for protocols and
legislation that may restrict improved services.
Points of entry into the literature on the evolution of
doctor-patient confidentiality and particular ethical
issues are The Hippocratic Oath & the Ethics of
Medicine (New York: Oxford Uni Press 2004) by Steven
Miles, Ethics in Medicine: Historical Perspectives
& Contemporary Concerns (Cambridge: MIT Press
1977) edited by Stanley Reiser, Arthur Dyck & William
Curran, Historical & Philosophical Perspectives
on Bio-Medical Ethics: From Paternalism to Autonomy?
(Aldershot: Ashgate 2002) edited by Andreas-Holger Maehle
& Johanna Geyer-Kordesch, Searching Eyes: Privacy,
the State, and Disease Surveillance in America (Berkeley:
Uni of California Press 2007) by Amy Fairchild, Ronald
Bayer & James Colgrove and The Codification of
Medical Morality (Dordrecht: Kluwer 1995) edited
by Robert Baker.
patient privacy in the networked environment
Traditional notions of medical privacy have been founded
on an intimate and essentially one to one relationship
between the medical practitioner and the patient.
As preceding paragraphs have suggested, that relationship
has been eroded by what has been characterised as the
'technogical imperative' (or more perjoratively as 'big
medicine'), with delivery of health services now involving
a range of actors and agents, some of whom may be unaware
of ethical concerns, uncommitted to professional codes
and because of lack of intimacy tend to see the patient
as a set of digits rather than a person. The relationship
is thus of one to many, rather than one to one.
Siegler's 1982 Confidentiality in Medicine comments
to confidentiality arise because the patient's personal
interest in maintaining confidentiality comes into conflict
with his personal interest in receiving the best possible
health care. Modern high-technology health care is available
principally in hospitals (often, teaching hospitals),
requires many trained and specialized workers (a "health-care
team"), and is very costly. The existence of such
teams means that information that previously had been
held in confidence by an individual physician will now
necessarily be disseminated to many members of the team.
Furthermore, since healthcare teams are expensive and
few patients can afford to pay such costs directly,
it becomes essential to grant access to the patient's
medical record to persons who are responsible for obtaining
third-party payment. These persons include chart reviewers,
financial officers, insurance auditors, and quality-of-care
Finally, as medicine expands from a narrow, disease-based
model to a model that encompasses psychological, social,
and economic problems, not only will the size of the
health-care team and medical costs increase, but more
sensitive information (such as one's personal habits
and financial condition) will now be included in the
medical record and will no longer be confidential.
an incisive analysis of 'one to many' see David Rothman's
Beginnings Count: The Technological Imperative in
American Health Care (New York: Oxford Uni Press
In considering privacy some critics have discerned another
'technological imperative', arguing that the ease with
which digital information can be stored, transmitted and
processed has driven the creation of large-scale data
network initiatives - such as Australia's HealthConnect
- that may be innately destructive of privacy.
commodification and health networks
At the moment much personal health information is located
in islands (eg a general practitioner's surgery, the database
of a public health insurer, the database of a private
health insurer, the premises of a consultant specialist,
different units within a hospital or other care provider).
There is pressure to bridge those islands (and enhance
the quality of data) for reasons that include -
by technology vendors
aggrandisement by major health/welfare service providers
and compliance bodies
health industry economics, including reduced processing
costs and better fraud control
services for individuals through better access to data
for better epidemiological and other studies as the
basis for greater community care.
reasons are explored here.
Some of that bridging may involve actual exchange of information.
Other bridging involves use of 'whole of life' identifiers
that are unique to specific individuals, such as the Australia
Card scheme and its successors discussed in more detail
elsewhere on this site.
Consistent with comments earlier in this guide, there
are substantial variations in community attitudes to health
privacy within and between nations, reflecting factors
personal experience of individuals
of bad practice at institutional, regional and national
comprehensiveness of privacy legislation and efficacy
of privacy codes
of health data in employment, insurance, lending and
of network technologies
shape of surveys and nature of advocacy by particular
1993 Harris Equifax Health Information Privacy Survey
for example suggested that in the US some
believe that protecting the confidentiality of medical
records is "absolutely essential" or "very
important" in health care reform.
believe that medical claims submitted under an employer
health plan may be seen by their employer and used to
affect their job opportunities
believe that it is not acceptable for medical information
about them to be provided, without their individual
approval, by pharmacists to direct marketers who want
to mail offers to new medications
do not want medical researchers to use their records
for studies, even if the individual is never identified
personally, unless researchers first get the individual's
worry (with 38% "very concerned") that medical
information from a computerized national health information
system will be used for many non-health purposes
say that it is important that individuals have the legal
right to obtain a copy of their own medical records
believe that federal legislation should designate all
personal medical information as "sensitive"
and impose penalties for unauthorized disclosure
report that they or member of their family have personally
paid for a medical test, treatment, or counseling rather
than submit a bill or claim under a health care plan
genetic testing and identification
Perceptions about the power of genetic information and
DNA testing have resulted in claims such as "none
of us are more than one short step away from being at
risk of genetic discrimination" or genetic redlining,
ie denial of benefits/opportunities on the basis that
"DNA is destiny".
They have resulted in what some analysts have characterised
as genetic exceptionalism, the notion that genetic information
is so different from other types of information that new
rules are necessary to govern its collection and dissemination.
Those rules - independent of traditional medical privacy
and service provision legislation - are based on
of the "powerful information" provided by
longevity of the data
genotype as an individual's unique identifier
the familial nature of genetic information
impact of genetic information on discrete communities.
particular they are concerned with potential misuse of
genetic information in insurance, with US enactments for
example banning 'genetic underwriting', and in law enforcement.
Some states have enacted 'front-loading' or 'information
management' restrictions on the collection of genetic
information. Others have more sensibly emphasised 'harm
avoidance' regimes, with restrictions on access to and
use of that data by particular industries or for specific
purposes such as health insurance.
Salient works include the Australian Law Reform Commission's
2003 Essentially Yours: The Protection of Human Genetic
Information in Australia report,
Thomas Murray's 'The Genome and Access to Health Care:
Two Key Ethical Issues' in The Human Genome Project
& the Future of Health Care (1996), Dorothy Nelkin
& Susan Lindee's The DNA Mystique: The Gene As
Cultural Icon (1995), Jennifer Geetter's 2002 Coding
for change: the power of the human genome to transform
the American health insurance system and Philip Leith's
of Genetic Privacy: A Challenge to Medico-legal Norms
(Cambridge: Cambridge Uni Press 2002) by Graeme Laurie,
one of the more interesting studies of theory and practice
regarding ownership and custodianship of medical information.
A serviceable introduction to technologies is provided
by Jeff Augen's Bioinformatics in the Post-Genomic
Era (Upper Saddle River: Addison-Wesley Longman 2005)
and in DNA and the Criminal Justice System (Cambridge:
MIT Press 2004) edited by David Lazer.
Works on DNA use in the criminal justice system include
Neil Gerlach's The Genetic Imaginary: DNA in the Canadian
Criminal Justice System (Toronto: Uni of Toronto
health privacy legislation
Pointers to overseas health privacy legislation, such
as the US Health Insurance Portability & Accountability
Act (HIPAA), are found in the discussion of national
regimes earlier in this guide.
The Australian regime is discussed
in more detail in the supplementary profile on federal/state
legislation and industry codes.
Concerns regarding health privacy laws/codes include -
coverage (the US HIPAA for example only applies to medical
records maintained by health care providers, health
plans and health clearinghouses in electronic formats)
the records are located
the purpose for which the information was compiled
the conditional nature of rights, with some regimes
for example recognising a waiver of an individual's
rights in return for gaining (or merely applying for)
employment, insurance or other benefits
Questions about privacy and conflicting rights also occur
in relation to adoption, the process by which a minor
becomes legally the child of the adopting parents rather
than biological parents, with the latter relinquishing
rights of custody, guardianship and inheritance.
For much of the past 150 years many regimes have placed
restrictions on access, with biological parents for example
not having physical access to the child or information
about the child's new identity. Adoptees have similarly
not received information - as minors or adults -
about their biological parents. Critics of such restrictions
have argued that
of these records, and the secrecy that is an inherent
part of the adoption system in America and elsewhere,
perpetuates an unhealthy climate for every adoptee that
makes the development of self-esteem and a strong self-identity
nearly impossible, regardless of the quality of one's
past thirty years have seen moves towards discretionary
disclosure, with adoption service operators or specialist
intermediaries typically respecting the privacy of biological
parents and children by supplying information if both
For the US see in particular E Wayne Carp's Family
Matters: Secrecy and Disclosure in the History of Adoption
(Cambridge: Harvard Uni Press 1998). Works on the Australian
regimes, such as The Many-Sided Triangle: Adoption
in Australia (Carlton South: Melbourne Uni Press
2001) by Audrey Marshall & Margaret McDonald, are
discussed in the supplementary profile on Privacy
What about expectations that information as part of the
doctor-patient relationship will not be disclosed during
legal proceedings (or otherwise disclosed to third parties
without the patient's consent)?
Most professional codes, such as the Australian Medical
Association's current Code of Ethics, recognise that medical
confidentiality may be legitimately breached in some circumstances.
That recognition is reflected in a range of legislation
and court rulings, which indicate that a doctor is bound
to disclose confidential information where failure to
do so would constitute a threat to public or private interests.
Australian state/territory legislation such as the NSW
Public Health Act 1991 and Tasmanian HIV/AIDS
Preventive Measures Act 1993 thus features reporting
requirements on issues such as child abuse, notifiable
diseases and fitness to engage in some activities (eg
driver and pilot licences), along with the provision of
de-identified statistical data for a range of national/state
health registers. Those
requirements typically involve the provision of information
to specific government agencies and either place an obligation
on the practitioner (in some instances encompassing physiotherapists
and opticians) to supply that information or provide immunity
against legal action.
Child abuse for example is notifiable in all Australian
jurisdictions except South Australia and Queensland. The
NSW regime provides immunity for medical practitioners
alerting the Roads & Traffic Authority about a patient's
fitness to drive a motor vehicle; South Australia requires
action by doctors who have reasonable cause to believe
that a person whom they have examined suffers from a disability
such that, if driving a motor vehicle, he or she would
be likely to endanger the public. The extent to which
such reporting is undertaken - and its effectiveness -
Overall there are are few enactments or common law precedents
permitting a doctor to refuse to give evidence or disclose
information in court proceedings merely because that information
was supplied in confidence. The exceptions are Victoria,
Tasmania and the Northern Territory.
next page (in the