Caslon Analytics Privacy guide

bodies and medical privacy

This page considers questions about health records, patient privacy, genetic redlining and adoption.

It covers -

  • introduction - some basic questions about the shape of patient privacy, medical data and the body
  • bodily integrity, transparency and dignity - searches, scans, touching and shame
  • diagnosis, therapy and confidentiality - is medical privacy now a meaningless concept?
  • patient privacy in the networked environment - changing relationships in health services, as one to one becomes many to many
  • commodification and health networks - questions about who owns your medical records, who gets to see the data and its commercialisation
  • community attitudes - conflicting views about the nature and cost of medical privacy
  • genetic testing and identification - data collection and utilisation, including police forensic databases and insurance redlining
  • health privacy legislation - major medical privacy enactments and codes
  • adoption - anonymity, registration and identity
  • professional privilege - doctor-patient relations in the courts

There is a supplementary discussion of national identification schemes, in particular health service cards, and health data registers. Australia's medical privacy regimes are considered in more detail elsewhere on this site.

introduction

Community expectations about 'bioprivacy' - and associated practices and regulation - are complex and fragmented. They reflect both the evolution of technologies (in particular diagnostic and therapeutic technologies) and changing social, economic and cultural relationships.

That is evident in -

  • the ongoing 'industrialisation' of health services, with continuing shift from a purely patient-doctor relationship to interactions that may involve the patient and a large number of nurses, technicians, doctors, system administrators and third parties
  • tracking by government agencies, health maintenance organisations and insurers of services provided to patients
  • the assembly and use (or misuse) of genetic and other databases for the purposes of law enforcement, provision of financial services and recruitment
  • disagreement about the rights of adopted children and biological parents
  • anxiety about biometric applications
  • the diffusion of responsibility from professional elites to a wider range of actors, some of whom have an uncertain grasp of ethics or indeed a strong commercial incentive to erode the privacy of individuals

A result of that evolution is that bioprivacy protection involves a patchwork of legislation, professional codes and often unstated assumptions about practice or outcomes.

In Australia, the US and other countries much protection is independent of primary privacy legislation such as the Commonwealth Privacy Act 1988. Some protections apply only to information held by government agencies. Some protections (or an explicit lack of protection) apply to specific groups, such as government employees and prisoners. Some apply to particular medical conditions or types of information, eg regarding HIV/AIDS or substance abuse.

In the West much thinking about medical privacy can be traced back to the Hippocratic Oath, still a cornerstone of medical ethics, with most doctors subscribing to a shibboleth such as -

What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account must spread abroad, I will keep to myself, holding such things to be shameful to be spoken about

In practice contemporary economics and technologies mean that there is a substantial tension between what is restricted to a doctor and patient and what is "spread abroad". Much debate accordingly centres on mechanisms for minimising inappropriate access to (and misuse of) data that is necessarily widely shared.

bodily integrity, transparency and dignity

In the 'age of the internet' it is easy to dismiss as quaint Victorian medical practice - or that in some contemporary societies - that preserved the privacy of female patients by requiring medical practitioners to conduct physical examinations while a patient was fully clothed or indeed provide a diagnosis without having physically touched/seen the patient. Undressing for the GP (or a proxy) of whatever gender and responding to questions about health, lifestyle and family is for many people so common as to be unremarked.

We have similarly come to accept reduction of bodily integrity, such as cavity searches, and mandatory provision of blood or other samples if that occurs within an appropriate legal framework - typically one that affects other people, such as prisoners, alleged drug smugglers and illegal immigrants. If privacy is fundamentally "the right to be left alone" all societies blur the right when dealing with some citizens or non-citizens, whose bodies are less of their own and more objects for interrogation by the state.

Stripsearches and groping by an agent of the state date from antiquity and have often taken place in public as a demonstration of the searcher's power. Mandatory imaging of passengers and visitors to some facilities is however new and has provoked responses such as the ACLU comment that

If there is ever a place where a person has a reasonable expectation of privacy, it is under their clothing.

Rejoinders from some privacy scholars have argued the importance of differentiating between dignity and privacy or, more persuasively, that electronic imaging may be less invasive than a physical examination. The World Medical Association, for example, calls on authorities to explore alternatives to cavity searches.

Others have emphasised notions of best practice, with arrangements for example to stop fellow passengers seeing body scans while queuing to catch a flight. Imaging - like cavity searches - should not be a public spectacle.

diagnosis, therapy and confidentiality

Preceding pages of this guide noted Scott McNealy's claim that "privacy is already history: it is gone, so get over it". That is arguably the case with medical confidentiality in the traditional sense, ie the gathering, storage, use and disclosure/disposal by medical practitioners of information gathered from patients for the purposes of treatment.

Medical confidentiality has traditionally had three functions -

  • signalling respect for the patient as an individual (and as the practitioner's employer), consistent with notions of etiquette in primers such as Percival's Medical Ethics noted earlier in this guide
  • ensuring trust, with patients encouraged to communicate honestly, fully and effectively with the particular practitioner
  • more broadly underpinning the delivery of health care across the community.

Mark Siegler's cogent 1982 Confidentiality in Medicine - A Decrepit Concept comments that

This bond of trust between patient and doctor is vitally important both in the diagnostic process (which relies on an accurate history) and subsequently in the treatment phase, which often depends as much on the patient's trust in the physician as it does on medications and surgery.

It has been reflected in notions of professional privilege, with doctors (but not necessarily agents and associates) enjoying a legal status that is similar to that of journalists and the clergy. As with those groups doctors have found that privilege has been modified in particular areas, for example obligations to disclose information about specific medical conditions and practices (eg recurrent unsafe sexual activity by people who are HIV+ and the physical/sexual abuse of children). Changing relations within societies are evident in debate about whether doctors should disclose to parents information provided by or about teenagers, who assume that they are autonomous or independent of those parents/guardians.

There has been less debate about the nature of 'confidentiality' in relations between patients, doctors and the increasingly wide range of third parties.

Some observers have suggested that consumers are simply quiescent, assessing that information flows are the price paid for access to modern medicine and assuming that any fundamental abuses can be addressed through legislation.

Others, drawing on often contradictory studies of consumer and practitioner attitudes, suggest that many people are unaware of medical privacy challenges and indeed when alerted often overreact through calls for protocols and legislation that may restrict improved services.

Points of entry into the literature on the evolution of doctor-patient confidentiality and particular ethical issues are The Hippocratic Oath & the Ethics of Medicine (New York: Oxford Uni Press 2004) by Steven Miles, Ethics in Medicine: Historical Perspectives & Contemporary Concerns (Cambridge: MIT Press 1977) edited by Stanley Reiser, Arthur Dyck & William Curran, Historical & Philosophical Perspectives on Bio-Medical Ethics: From Paternalism to Autonomy? (Aldershot: Ashgate 2002) edited by Andreas-Holger Maehle & Johanna Geyer-Kordesch, Searching Eyes: Privacy, the State, and Disease Surveillance in America (Berkeley: Uni of California Press 2007) by Amy Fairchild, Ronald Bayer & James Colgrove and The Codification of Medical Morality (Dordrecht: Kluwer 1995) edited by Robert Baker.

patient privacy in the networked environment

Traditional notions of medical privacy have been founded on an intimate and essentially one to one relationship between the medical practitioner and the patient.

As preceding paragraphs have suggested, that relationship has been eroded by what has been characterised as the 'technological imperative' (or more pejoratively as 'big medicine'), with delivery of health services now involving a range of actors and agents, some of whom may be unaware of ethical concerns, may be uncommitted to professional codes and, because of lack of intimacy, tend to see the patient as a set of digits rather than a person. The relationship is thus of one to many, rather than one to one.

Siegler's 1982 Confidentiality in Medicine comments that

challenges to confidentiality arise because the patient's personal interest in maintaining confidentiality comes into conflict with his personal interest in receiving the best possible health care. Modern high-technology health care is available principally in hospitals (often, teaching hospitals), requires many trained and specialized workers (a "health-care team"), and is very costly. The existence of such teams means that information that previously had been held in confidence by an individual physician will now necessarily be disseminated to many members of the team.

Furthermore, since healthcare teams are expensive and few patients can afford to pay such costs directly, it becomes essential to grant access to the patient's medical record to persons who are responsible for obtaining third-party payment. These persons include chart reviewers, financial officers, insurance auditors, and quality-of-care assessors.

Finally, as medicine expands from a narrow, disease-based model to a model that encompasses psychological, social, and economic problems, not only will the size of the health-care team and medical costs increase, but more sensitive information (such as one's personal habits and financial condition) will now be included in the medical record and will no longer be confidential.

For an incisive analysis of 'one to many' see David Rothman's Beginnings Count: The Technological Imperative in American Health Care (New York: Oxford Uni Press 1997).

In considering privacy some critics have discerned another 'technological imperative', arguing that the ease with which digital information can be stored, transmitted and processed has driven the creation of large-scale data network initiatives - such as Australia's HealthConnect - that may be innately destructive of privacy.

commodification and health networks

At the moment much personal health information is located in islands (eg a general practitioner's surgery, the database of a public health insurer, the database of a private health insurer, the premises of a consultant specialist, different units within a hospital or other care provider).

There is pressure to bridge those islands (and enhance the quality of data) for reasons that include -

  • opportunism by technology vendors
  • corporate aggrandisement by major health/welfare service providers and compliance bodies
  • improved health industry economics, including reduced processing costs and better fraud control
  • enhanced services for individuals through better access to data
  • opportunities for better epidemiological and other studies as the basis for greater community care.

Those reasons are explored here.

Some of that bridging may involve actual exchange of information. Other bridging involves use of 'whole of life' identifiers that are unique to specific individuals, such as the Australia Card scheme and its successors discussed in more detail elsewhere on this site.

community attitudes

Consistent with comments earlier in this guide, there are substantial variations in community attitudes to health privacy within and between nations, reflecting factors such as

  • the personal experience of individuals
  • awareness of bad practice at institutional, regional and national levels
  • the comprehensiveness of privacy legislation and efficacy of privacy codes
  • use of health data in employment, insurance, lending and other decisions
  • understanding of network technologies
  • perceptions of powerlessness
  • the shape of surveys and nature of advocacy by particular organisations.

The 1993 Harris Equifax Health Information Privacy Survey for example suggested that in the US some

  • 85% believe that protecting the confidentiality of medical records is "absolutely essential" or "very important" in health care reform.
  • 41% believe that medical claims submitted under an employer health plan may be seen by their employer and used to affect their job opportunities
  • 60% believe that it is not acceptable for medical information about them to be provided, without their individual approval, by pharmacists to direct marketers who want to mail offers to new medications
  • 64% do not want medical researchers to use their records for studies, even if the individual is never identified personally, unless researchers first get the individual's consent
  • 75% worry (with 38% "very concerned") that medical information from a computerized national health information system will be used for many non-health purposes
  • 96% say that it is important that individuals have the legal right to obtain a copy of their own medical records
  • 96% believe that federal legislation should designate all personal medical information as "sensitive" and impose penalties for unauthorized disclosure
  • 25% report that they or a member of their family have personally paid for a medical test, treatment, or counseling rather than submit a bill or claim under a health care plan or program.

genetic testing and identification

Perceptions about the power of genetic information and DNA testing have resulted in claims such as "none of us are more than one short step away from being at risk of genetic discrimination" or genetic redlining, ie denial of benefits/opportunities on the basis that "DNA is destiny".

They have resulted in what some analysts have characterised as genetic exceptionalism, the notion that genetic information is so different from other types of information that new rules are necessary to govern its collection and dissemination.

Those rules - independent of traditional medical privacy and service provision legislation - are based on

  • perceptions of the "powerful information" provided by the genome
  • the longevity of the data
  • the genotype as an individual's unique identifier
  • the familial nature of genetic information
  • the impact of genetic information on discrete communities.

In particular they are concerned with potential misuse of genetic information in insurance, with US enactments for example banning 'genetic underwriting', and in law enforcement. Some states have enacted 'front-loading' or 'information management' restrictions on the collection of genetic information. Others have more sensibly emphasised 'harm avoidance' regimes, with restrictions on access to and use of that data by particular industries or for specific purposes such as health insurance.

Salient works include the Australian Law Reform Commission's 2003 Essentially Yours: The Protection of Human Genetic Information in Australia report, Thomas Murray's 'The Genome and Access to Health Care: Two Key Ethical Issues' in The Human Genome Project & the Future of Health Care (1996), Dorothy Nelkin & Susan Lindee's The DNA Mystique: The Gene As Cultural Icon (1995), Jennifer Geetter's 2002 Coding for change: the power of the human genome to transform the American health insurance system and Philip Leith's review of Genetic Privacy: A Challenge to Medico-legal Norms (Cambridge: Cambridge Uni Press 2002) by Graeme Laurie, one of the more interesting studies of theory and practice regarding ownership and custodianship of medical information.

A serviceable introduction to technologies is provided by Jeff Augen's Bioinformatics in the Post-Genomic Era (Upper Saddle River: Addison-Wesley Longman 2005) and in DNA and the Criminal Justice System (Cambridge: MIT Press 2004) edited by David Lazer.

Works on DNA use in the criminal justice system include Neil Gerlach's The Genetic Imaginary: DNA in the Canadian Criminal Justice System (Toronto: Uni of Toronto Press 2004).

health privacy legislation

Pointers to overseas health privacy legislation, such as the US Health Insurance Portability & Accountability Act (HIPAA), are found in the discussion of national regimes earlier in this guide.

The Australian regime is discussed in more detail in the supplementary profile on federal/state legislation and industry codes.

Concerns regarding health privacy laws/codes include -

  • uneven coverage (the US HIPAA for example only applies to medical records maintained by health care providers, health plans and health clearinghouses in electronic formats)
  • where the records are located
  • the purpose for which the information was compiled
  • the conditional nature of rights, with some regimes for example recognising a waiver of an individual's rights in return for gaining (or merely applying for) employment, insurance or other benefits

adoption

Questions about privacy and conflicting rights also occur in relation to adoption, the process by which a minor becomes legally the child of the adopting parents rather than biological parents, with the latter relinquishing rights of custody, guardianship and inheritance.

For much of the past 150 years many regimes have placed restrictions on access, with biological parents for example not having physical access to the child or information about the child's new identity. Adoptees have similarly not received information - as minors or adults - about their biological parents. Critics of such restrictions have argued that

sealing of these records, and the secrecy that is an inherent part of the adoption system in America and elsewhere, perpetuates an unhealthy climate for every adoptee that makes the development of self-esteem and a strong self-identity nearly impossible, regardless of the quality of one's adoptive upbringing

The past thirty years have seen moves towards discretionary disclosure, with adoption service operators or specialist intermediaries typically respecting the privacy of biological parents and children by supplying information if both parties consent.

For the US see in particular E Wayne Carp's Family Matters: Secrecy and Disclosure in the History of Adoption (Cambridge: Harvard Uni Press 1998). Works on the Australian regimes, such as The Many-Sided Triangle: Adoption in Australia (Carlton South: Melbourne Uni Press 2001) by Audrey Marshall & Margaret McDonald, are discussed in the supplementary profile on Privacy in Australia.

professional privilege

What about expectations that information as part of the doctor-patient relationship will not be disclosed during legal proceedings (or otherwise disclosed to third parties without the patient's consent)?

Most professional codes, such as the Australian Medical Association's current Code of Ethics, recognise that medical confidentiality may be legitimately breached in some circumstances. That recognition is reflected in a range of legislation and court rulings, which indicate that a doctor is bound to disclose confidential information where failure to do so would constitute a threat to public or private interests.

Australian state/territory legislation such as the NSW Public Health Act 1991 and Tasmanian HIV/AIDS Preventive Measures Act 1993 thus features reporting requirements on issues such as child abuse, notifiable diseases and fitness to engage in some activities (eg driver and pilot licences), along with the provision of de-identified statistical data for a range of national/state health registers. Those requirements typically involve the provision of information to specific government agencies and either place an obligation on the practitioner (in some instances encompassing physiotherapists and opticians) to supply that information or provide immunity against legal action.

Child abuse for example is notifiable in all Australian jurisdictions except South Australia and Queensland. The NSW regime provides immunity for medical practitioners alerting the Roads & Traffic Authority about a patient's fitness to drive a motor vehicle; South Australia requires action by doctors who have reasonable cause to believe that a person whom they have examined suffers from a disability such that, if driving a motor vehicle, he or she would be likely to endanger the public. The extent to which such reporting is undertaken - and its effectiveness - is unclear.

Overall there are few enactments or common law precedents permitting a doctor to refuse to give evidence or disclose information in court proceedings merely because that information was supplied in confidence. The exceptions are Victoria, Tasmania and the Northern Territory.

version of March 2008
© Bruce Arnold | caslon analytics