Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Medical privacy in principle

The processing of information is part and parcel of the provision of healthcare. At the most simple level, patients have information that they share with medical staff, and medical staff impart information unto patients. At the most complex, we see a myriad of institutions sharing and generating information on the patients and medical staff in order to manage the provision of healthcare.

Information must flow for the entire system to function. Each individual and institution must share information. Compulsion to share information becomes ethically challenging, however, and this is why the relationship between the patient and the doctor has long been regulated on the basis of trust. The original Hippocratic oath included the duty of the care-giver to ‘keep secret’ and ‘never reveal’ ‘all that may come to my knowledge’. The modern version of the oath is more explicit on ‘privacy’, “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.” The concern is that if there are no promises of confidentiality, then the patient will not disclose information, and worse, may forego treatment.1 There is evidence that individuals may not even seek testing if their confidentiality is not assured.2

This principle has been enshrined in the practice of medicine, and in turn, in international statements, policies, and commitments. Several examples are provided below:

  • The World Health Organization places an emphasis on health and human rights, wherein privacy is crucial, particularly as it is enshrined in international human rights covenants. These covenants aim to protect the dignity and autonomy of the individual through minimising and restricting interferences.
  • The World Medical Association Declaration of Helsinki on the Ethical Principles for Medical Research Involving Human Subjects3 states that “every precaution should be taken to respect the privacy of the subject, the confidentiality of the patient’s information and to minimize the impact of the study on the subject’s physical and mental integrity and on the personality of the subject”. Furthermore it outlines the nature of consent that is required from research subjects.
  • UNAIDS also considers human rights as a crucial component of its work: using health information for public health goals must be balanced against individuals’ rights to privacy and confidentiality. Individuals must be protected against mandatory testing; HIV status must be kept confidential.64 Laws must be developed in countries to protect these rights. Importantly, funding organisations are called on to comply with the guidelines and make funding available to implement them – in fact ‘maintaining security and confidentiality must be a condition for funding.’5

International organisations also have their own confidentiality guidelines to which their staff must adhere. For example, the International Committee of the Red Cross (ICRC) has long argued that any information it collects must be kept confidential in order for it to do its job, and failing to protect data could place individuals at risk.6 Strong safeguards against disclosure are sometimes necessary; for instance, warring parties are likely to restrict access of the ICRC if they believe that the organisation may be collecting information for future use, e.g. in a criminal proceeding.7

But these are merely initial steps in a complex area. These ‘rights’ and ‘principles’ only have strength when they are supported by local conditions. To date, these have included the following:

  • Awareness of responsibilities. Rights are best protected when institutions and individuals are most empowered and aware of these rights. Privacy and security of medical information have been protected best when we are well aware of the risks and accordingly act to ensure that only relevant information is collected, and it is managed with great care. The norms that govern healthcare have, in the past, been strong protectors of privacy and confidentiality.8
  • A legal basis. Rights and principles often require a strong legal footing in order to enumerate and specify rights that grant explicit protections. Many countries around the world have such legal protections in the form of data protection laws with particular emphasis on medical information as ‘sensitive’ information. Other legal safeguards include constitutional protections, and individuals may use the common law and tort to seek remedies in case of the disclosure of private facts. These ensure that responsibilities are known, accountability is assigned, and remedies are available.
  • Minimal use of technologies. Perhaps the greatest protector of the privacy and security of medical information to date has been the limited availability of platforms for data-sharing. Information kept on paper in locked cabinets is less likely to be shared en-masse with other institutions. A single healthcare practitioner may keep files under direct supervision, thus limiting the availability of information to other parties. Systems often cannot interact with one another, again limiting the ability of the information to be accessed by third parties, and in turn, used for other (originally unspecified) purposes. This is not a sure-footed safeguard, however, as the paper-based or isolated systems may also limit the possibilities for ensuring confidentiality and security through the use of privacy-enhancing technologies.

In many countries these legal, regulatory, and even normative frameworks interact to provide an environment where medical information is protected. Even in these environments there are concerns about the introduction of technologies to enhance information processing.

Developing countries tend to lack legal and regulatory safeguards. International treaties and conventions may have been signed, but they are not enacted into law. Laws may exist but the regulations that give life to these legal rights may not have been codified, and the ability to gain access to remedies may be limited. What is remarkable is that the norms of confidentiality and privacy may yet exist. In our discussions with practitioners from a number of developing countries we learned that these norms are indeed often practiced, despite the legal and regulatory void.

In our interactions within this domain, we saw that technologies are being introduced that expand data collection and the potential for access and sharing, even though they are not designed to necessarily support the normative safeguards. We are encountering the same level of momentum behind ‘eHealth’ that we saw with ‘e-commerce’ and ‘e-government’. A key difference is that with these previous initiatives, it was presumed that legal and regulatory frameworks were necessary for adoption. However we are not seeing similar levels of legislative and regulatory activities to support the introduction of eHealth. As a result, any gap between principle and practice will only be exacerbated.

This does not need to be the case. As a healthcare system becomes more complex, the management of information will in turn become more complex. There is a greater need for more elaborate explanations of responsibilities and safeguards, even beyond those enshrined in acts of law. Many medical codes include a more detailed articulation of patients’ rights. For instance, the Canadian Medical Association Health Information Privacy Code defines a “patient’s right to determine with whom he or she will share information and to know of and exercise control over use, disclosure and access concerning any information collected about him or her.” Similarly, the British Medical Association has developed a ‘tool kit’ for confidentiality and disclosure of health information,9 and the General Medical Council has guidance on the confidentiality of patients’ privacy.10

These codes are indeed helpful at explaining the responsibilities and duties of the practitioners, yet more thorough legal frameworks are necessary to explain the rights of the patient. The foundation stone of a patient’s right in this domain is the treatment of the patient as a human who deserves dignity. This ‘dignity’ is linked to the human right to life in most constitutional codes, and more explicitly as the constitutional right to privacy, upon which rest all other legal and technological measures.

Legal and regulatory requirements have emerged around the world to elaborate upon the right to privacy in a high-technology environment. Though they vary slightly, the rules from Canada,11 Europe12 and the United States (though possibly to a lesser extent13), as examples, have a significant level of convergence that include:

Respecting self-determination:

  • Requiring informed consent of the individual for the collection, use and disclosure of personal information;
  • Providing for a right to withdraw from the system and/or have information deleted;
  • Granting the individual a right to access, inspect and copy health information, and to request amendments;

Collection and management:

  • Limiting collection of personal information, limiting use, disclosure and retention;
  • Requiring organisations to have established adequate privileges for staff for accessing, reading and writing medical information;
  • Duty upon organisations to keep information secure, through administrative safeguards, physical safeguards, and technical safeguards; assisted through risk analysis, policies and procedures, training, etc., and an explanation to the individual of how information is secured;

Access and disclosure:

  • Developing the ability for individuals to restrict access to their records, possibly in the form of a virtual ‘sealed envelope’;
  • Developing the ability for individuals to discover who has been accessing health information;
  • Restricting and regulating secondary uses, and regulating data-sharing, and international transfer;
  • Clear restrictions on access by law enforcement and national security agencies, and other non-secondary uses;

Monitoring compliance and accountability:

  • Notifying individuals of any breach in security and confidentiality;
  • Ensuring accuracy of the information;
  • Granting individuals the right to review privacy practices, right to challenge compliance and practices, and to seek remedy.

Some of these principles could even aid the provision of health care and the deployment of eHealth solutions. Too rarely do we discuss the integrity and accuracy of medical information held in databases, and a clear governance structure and rights of access by the individual could help to rectify these situations.14

These principles may be seen as a starting point, or perhaps as a set of principles upon which practices can be measured. Alternatively they can be seen as context-dependent, and that these principles, though they apply to eHealth, only apply to countries with foundations in human rights, supported by constitutional and legislative safeguards, under the rule of law granting rights to citizens and consumers. Our contention, however controversial, is that if we are to ignore these principles in other environments it should be done with the awareness that we are doing so, and perhaps with some justification as to why these principles may not be applicable.


  • 1. This was the principle applied by the U.S. Supreme Court in Jaffee v. Redmond, in 1996, protecting the relationship between a patient and a psychotherapist: “Effective psychotherapy depends upon an atmosphere of confidence and trust, and therefore the mere possibility of disclosure of confidential communications may impede development of the relationship necessary for successful treatment. The privilege also serves the public interest, since the mental health of the Nation’s citizenry, no less than its physical health, is a public good of transcendent importance.”
  • 2. ‘Concerns over confidentiality may deter adolescents from consulting their doctors: A qualitative exploration’, J Carlisle, D Shickle, M Cork, A McDonagh, Journal of Medical Ethics, 32, 133-137, 2006; and ‘HIV test-seeking before and after the restriction of anonymous testing in North Carolina’, I Hertz-Picciotto, L Lee, C Hoyo, American Journal of Public Health, 86, 1446-1450, 1996.
  • 3. Adopted in June 1964, with amendments in 1975, 1983, 1989, 1996, and 200; available at
  • 4. UNAIDS Political Declaration on HIV, 2006. See
  • 5. UNAIDS Guidelines on Protecting the Confidentiality and Security of HIV Information, Interim Guidelines, Proceedings from the May 2006 Workshop in Geneva, issued May 15, 2007, available at
  • 6. ‘Confidentiality: key to the ICRC’s work but not unconditional’, Interview with ICRC deputy director of operations, September 20, 2010, available at
  • 7. ‘Recognition of the ICRC's long-standing rule of confidentiality - An important decision by the International Criminal Tribunal for the former Yugoslavia’, Stephane Jeannet, ICRC, International Review of the Red Cross, No. 838: 403-425, June 2000.
  • 8. One study of American physicians found that there was a strong belief that their ethical and professional obligations, not regulatory mandates, assure patients’ privacy and confidentiality. Cf. ‘Health Information, The HIPAA Privacy Rule, And Health Care: What Do Physicians Think?’, Julia Slutsman et al., Health Affairs, 24(3): 832-842, 2005.
  • 9. ‘Confidentiality and Disclosure of Health Information tool kit’, British Medical Association, December 2009. Available at:
  • 10. See
  • 11. ‘Electronic Health Records and the Personal Information Protection and Electronic Documents Act’, Report prepared with support from the Office of the Privacy Commissioner of Canada, University of Alberta, Health Law Institute and University of Victoria, School of Health Information Science, April 2005.
  • 12. ‘Working Document on the processing of personal data relating to health in electronic health records’, Article 29 Data Protection Working Party of the European Commission, adopted February 15, 2007.
  • 13. ‘The HIPAA paradox: The privacy rule that’s not’, Richard Sobel, Hastings Center Report: 40-51, July-August 2007.
  • 14. See for instance, ‘The woman falsely labelled alcoholic by the NHS’, Rob Evans, the Guardian, November 2, 2006, available at