|
Abstract: The newly-introduced Standards for Privacy of Individually Identifiable Health Information represent the first systematic national privacy protections of health information. Flowing from a Congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the regulations protect the privacy of individually-identifiable health records in any form (including electronic, paper and oral) through disclosure and use limitations, fair information practices, and privacy and security policies that apply to "covered entities" (health providers, health insurance plans and health care clearinghouses) and their business associates. Through the regulations, HHS attempts to set a "floor" for protections that, it suggests, "balance[s] the needs of the individual with the needs of society." Reaching this balance, however, is precarious. The national privacy rule does not always achieve a fair and reasonable allocation of benefits and burdens for patients and the community. We suggest a framework for balancing that values privacy and common goods, without a priori favoring either. We instead seek to maximize privacy interests where they matter most to the individual and maximize communal interests where they are likely to achieve the greatest public good. Thus, where the potential for public benefit is high and the risk of harm to individuals is low, we suggest that public entities should have discretion to use data for important public purposes. Provided that the data are used only for the public good (e.g., research or public health), and the potential for harmful disclosures are negligible, there are good reasons for permitting data sharing.
Conversely, if data are disclosed in ways that are unlikely to achieve a strong public benefit, and the personal risks are high, individual interests in autonomy should prevail. Consequently, for these kinds of disclosures, the law should strictly prohibit the release of information without the patient's consent. Through this framework we attempt to maximize individual and communal interests in the handling of identifiable health data.
|