Public health policy and Privacy
Health information and the medical record include sensitive personal information that reveals some of the most intimate aspects of an individual's life. In addition to diagnostic and testing information, the medical record includes the details of a person's family history, genetic testing, history of diseases and treatments, history of drug use, sexual orientation and practices, and testing for sexually transmitted disease. Subjective remarks about a patient's demeanor, character, and mental state are sometimes a part of the record.
The medical record is the primary source for much of the health care information sought by parties outside the direct health care delivery relationship, such as prescription drug use, treatment outcomes, and reason for and length of hospital stay. These data are important because health care information can influence decisions about an individual's access to credit, admission to educational institutions, and his or her ability to secure employment and obtain insurance. Inaccuracies in the information, or its improper disclosure, can deny an individual access to these basic necessities of life, and can threaten an individual's personal and financial well-being.
At the same time, accurate and comprehensive health care information is critical to the quality of health care delivery, and to the physician-patient relationship. Many believe that the efficacy of the healthcare relationship depends on the patient's understanding that the information recorded by a physician will not be disclosed. Many patients might refuse to provide physicians with certain types of information needed to render appropriate care if patients do not believe that information would remain confidential. In addition to serving the physician-patient relationship and the delivery of personal health care, this information is a source of important data for insurance reimbursement. When aggregated, it can assist in monitoring quality control of health care delivery by providing resources for medical research. The lack of proper protections for privacy could lead to (and has, in some cases) the physician's withholding information from a record, maintaining a second complete record outside of the computerized system, or at the extreme, creating a market for health care delivered without computer documentation. Safeguards to privacy in individual health care information are imperative to preserve the health care delivery relationship and the integrity of the patient record.
‘Privacy’ of health information refers to an individual's claim to control the circumstances in which personally identifiable health information is collected, used, and disclosed. Maintaining the privacy of health information does not necessarily mean keeping information a secret. Rather, protecting the privacy of health information involves allowing the person to whom the information relates to control its acquisition, use, and disclosure. To respect an individual’s autonomous interest, patients should have the right to exercise some control over the acquisition, use, and disclosure of personal health information.1
While privacy relates broadly to the disclosure and uses of health information, confidentiality represents individual privacy interests that arise out of a specific relationship with the person about whom the information is gathered.1 Privacy arising from these relationships, primarily between physician and patient, is protected by traditional legal and ethical duties to maintain the confidentiality of the information. For example, the law has traditionally recognized a duty of physicians not to disclose medical information about their patients without the patients' consent. Therefore, confidentiality may be viewed as a narrower subset of health information policy.
The security of health information is distinct from an individual’s interest in privacy and confidentiality. Security refers to technological, organizational, or administrative processes designed to protect data systems from unwarranted access, disclosure, modification, or destruction.1 Maintaining the security of health information is not the same as preserving its privacy. Absolute privacy of health information can never be assured, even with maximum-security protections, because no security system can safeguard against access by those who are authorized to use the data system. Therefore, authorized users can invade a patient’s privacy even in the most secure data systems. The purpose of security is to ensure that only those persons having authorization access data systems.
The concepts of privacy and confidentiality are separate and distinct. The right of privacy originates from the United States Constitution, as set out by the United States Supreme Court in Roe v. Wade, 410 U.S. 113 (1973).2 This constitutional right is based on the Fourteenth Amendment’s concept of personal liberty. It provides protection from intrusion and protects personal autonomy in decision-making.
Although “confidentiality” is often used interchangeably with “privacy”, conceptually they are different. Confidentiality is a constitutional law giving legal status to relationships with certain individuals.2 It was established because of the need to promote trust in professional relationships. It acknowledges respect for sensitivities of patients and facilitates honest and absolute disclosure of information that is necessary for good health care. It further protects patients from harm in employment, reputation, and personal relationships by preventing disclosure of certain information. The individual controls confidentiality or to whom an individual’s privacy is given up. This differs from privacy, which is controlled by the individual.
In 1992 the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) added a new chapter entitled “Patients Rights” in its Accreditation Manual for Hospitals.2 This new standard states that patients have the right to personal privacy and confidentiality of information. Standard MR.3 addresses confidentiality of the patient’s medical record, and the hospital's responsibility for protecting both the patient's record and information.2
The most serious threats to privacy come from “systematic flows of information” through the health care industry. Most transfers of health care information occur among authorized users.3 Access to patient records is not limited to persons with a primary need for information, such as those involved in direct health care of a patient. Authorized secondary uses of patient records include education (medical conferences and medical programs at teaching hospitals), regulation (litigation, postmarketing surveillance, and accreditation), commercial enterprises (development of biotechnologies and marketing strategies), social services and child protection (tracking medical records of spouse or child abuse), and public health services (reports on disease mortality and morbidity, partner notification, and surveillance).3
Unauthorized persons and organizations might also have access to medical information. According to The Office of Technology Assessment, the sale of unlawful and lawful personal information from databases (particularly databases that contain medical information) operated by the government is common.3 (17) The establishment of an extensive infrastructure of health care information would create numerous opportunities for invasion of privacy by many authorized users, users who have explicit authority, and users who obtain fraudulent access.
[Flowchart: Information Flows to Downstream Users] (4)
As with all personal information, health information can be used for many purposes other than those for which it was gathered. As more information is put in electronic format, it is becoming easier to obtain patient data for activities that are unrelated to health care. Quite often these uses take advantage of information that patients give in confidence. Although many of these activities are currently legal, many consumers consider them inappropriate. Some examples are:
a. Drug Marketers
Two major chain pharmacies, CVS and Giant Food, made patient prescription records available to a direct mail and pharmaceutical company as part of a marketing campaign. The goal was to send letters to consumers encouraging them to refill prescriptions and to consider alternative treatments. After a series of news reports and public outrage, the companies abandoned the practice. (Washington Post, Feb. 15, 1998) 4
b. Public Assistance Programs
In New York City, the Giuliani Administration announced plans to use medical billing records to identify recipients on welfare and applicants who required drug or alcohol treatment. Those recipients could be forced into mandatory treatment programs as a condition of receiving public assistance. (The New York Times, September 25, 1999) 4
c. Immigration and Naturalization Services
An anti-fraud program was targeted when the California Department of Health and Human Services was accused of providing the Immigration and Naturalization Services with information about immigrants’ lawful use of Medi-Cal services. (California HealthLine, August 8, 1998) 4
d. Law Enforcement Agencies
In Virginia, police seized 200 medical records from a drug treatment center after a car was stolen from a parking garage. Even though the police believed that the medical records could help them find the guilty party, they returned the medical records, conceding that the search was an unnecessary intrusion of patient privacy. (“Fairfax Police Concede Seizure Was Wrong,” The Washington Post, September 1, 1998) 4
e. Judicial Proceedings
The San Diego Union Tribune recently reported that a company named Longs Drugs settled a lawsuit filed by an HIV-positive man. After a pharmacist inappropriately disclosed the man's condition to his ex-wife, she was able to use that information in a custody dispute. However, rather than pursue the lawsuit against the pharmacy, the man chose to settle in order to avoid a court trial that would result in news coverage and further disclose his illness. (“Longs Drugs Settles HIV Suit,” San Diego Union Tribune, September 10, 1998) 4
f. Private Databases
Medical information is shared between companies. One company, All Claims, collects medical information from numerous insurance companies and makes it available “in the investigation of potentially fraudulent activities.” They advertise that their database includes millions of records and can be used to identify pre-existing conditions, duplicate coverage and overutilization. (www.all-claims.com) Another company, the Medical Information Bureau, provides a similar service to more than 600 member insurance companies. (www.mib.com) 4
The Sensitive Nature of Health Care Information and the Danger of Disclosure
Health care records have a vast amount of personal information: a) demographic information, such as age, sex, race, and occupation; b) financial information, such as employment status and income; c) information about disabilities, special medication needs, and other criteria required to determine eligibility for federal or state subsidies; d) medical information about diagnosis, treatments, and disease histories (including mental illness, drug or alcohol dependency, AIDS, and sexually transmitted diseases); e) genomic information, including diagnostic tests for carrier traits (for example, sickle cell anemia or cystic fibrosis) and genetically related diseases (for example, Huntington’s chorea or certain types of breast cancer); f) personal and social information, such as sexual orientation, family status and sexual relationships, and environmental choices; and g) information about being a victim or perpetrator of violent behavior, such as rape, spouse or child abuse or firearm injury.3
There are federal and state laws pertaining to information, which may be protected under confidentiality and privacy laws, as well as providing for disclosure of certain information. Federal laws are applicable to federal facilities or federally funded programs, or other statutorily designated entities such as alcohol and drug abuse treatment programs. The Freedom of Information Act, 5 U.S.C.S. 552, was established to provide for disclosure of governmental and agency records and information for purposes of opening these administrative processes to the scrutiny of the press and general public.5 It applies to all federal agencies; however, hospitals receiving federal funds are not federal agencies within the meaning of this statute and, therefore, are not under the jurisdiction of this statute. Although this does not apply to hospitals and health care facilities, subsection (b)(6) of the Freedom of Information Act provides that these statutory provisions do not apply to “personal and medical files and similar files the disclosure of which would constitute an unwarranted invasion of personal privacy.”2,5 (As a result, no health care information should be disclosed unless ordered by the court.)
Without any specific statute or regulatory provisions, governmental agencies do not have an automatic right to health care records. State statutes create confidential relationships because they are not based on common law principles. Examples of statutorily created privileges include physician-patient, psychologist-patient, clergy-patient, nurse-patient and records of health maintenance organizations. The physician-patient privilege has been extended to protect all medical records created by a health care institution or facility.
Under both federal and state laws, certain health related information is required to be disclosed for the protection of the public. If reporting is done in good faith and pursuant to the appropriate law, immunity will be given to the reporting person provided the information is reported to the correct governmental agency. (22) Failure to report may subject the individual to both civil and criminal liability. The disclosure laws may vary among states but generally require reporting of health information, such as communicable diseases, seizure activity, child or elder abuse, gunshot wounds, and wounds that were sustained during a crime or attempted crime.
An example of a federal law requiring disclosure pertains to adverse reactions regarding blood collection and blood transfusions (21 C.F.R. 606.170).6 When a complication of blood collection or transfusion is fatal, it is required that the Director, Office of Compliance, Center for Drugs and Biologics of the Food and Drug Administration be notified as soon as possible, and that a written report of the investigation be submitted within seven days after the fatality.7
The Nuclear Regulatory Commission requires notification of any misadministration of radioactive materials within twenty-four hours after discovery.8 The referring physician of the patient and the patient or the patient’s legal guardian or representative must also be informed. Within fifteen days after the misadministration, a written report must be sent to the Nuclear Regulatory Commission regional office initially telephoned and to the notifying physician, and a copy given to the patient or the patient's legal guardian or representative unless the referring physician assumed responsibility for informing the patient or guardian. The required reporting is pursuant to 10 C.F.R. 35.33.
The obligation to report has been extended to the risk of contagious diseases. In Hoffman v. Blackman, 241 So. 2d 752 (Fla. App. 1970),9 the patient was treated for two years before tuberculosis was diagnosed. The physician did not inform the patient of his/her diagnosis. The patient’s two-year-old daughter contracted the disease and the father sued for her injuries. The court held that once the disease was diagnosed the physician had the duty to inform the patient of its nature and any precautionary steps to be taken to prevent other members of the patient’s family from contracting it.
This obligation to disclose or to warn has also been extended to situations where the patient is mentally ill and could be dangerous to others. The landmark case establishing this duty is Tarasoff v. Regents of the University of California, 551 P.2d 334 (California 1976).10 This was an action against the university and psychotherapist employees for the murder of the plaintiff’s daughter by a psychiatric patient. There was a fundamental principle that an individual owes a duty of care to all persons who are foreseeably endangered by the person's conduct. However, when the avoidance of foreseeable harm requires an individual to control the conduct of another or to warn individuals of this conduct, the common law has traditionally imposed liability only if there is some special relationship between the two parties or to the potential victim.11 This relationship could be a physician and patient, nurse and patient, or therapist and patient. This relationship may support exercising affirmative duties for the benefit of third party persons. For example, health care institutions must exercise reasonable care to control the behavior of a patient, which may endanger other persons. Health care providers must warn other patients if the patient’s condition or medication makes certain conduct, such as driving a car, dangerous to others.
The duty to warn individuals of risks inherent in treatment arises whenever they are recognized, even if that knowledge is obtained after the patient was treated. This was the holding by the court in Mink v. University of Chicago, 460 F. Supp. 713 (D. Ill. 1978).12 This case was a class action by women receiving diethylstilbestrol (DES) as part of medical experiments. The plaintiffs sought recovery on theories of battery and breach of duty to notify them that they had been given the drug. They had not been told that they were part of the experiment, which occurred from 1950 through 1952. The women received letters in 1975 and 1976, and the defendants allegedly were aware of the relationship between DES and cancer as early as 1971.13
This duty to disclose has also been extended to information regarding infectious diseases, such as herpes or Human Immunodeficiency Virus (HIV).15 Just as confidentiality is not absolute, neither is the duty to breach that confidentiality even if a third party may be affected. Although some states have enacted laws requiring the reporting of HIV positive tests to the state department of health, other states have legislated that there be no disclosure regarding HIV positive status.14,15 Even disclosing to health care providers and institutions is not automatically required or permitted; the generally accepted policy is that such information be disclosed only to those individuals who need to know for purposes of treatment or for protection of personnel. The need for disclosure is severely limited with the mandated universal precautions set by the Center for Disease Control (CDC).16
Any duty to disclose or to warn has to be balanced with statutory limitations on disclosure, such as privileged communications or other protections for health information. The federal regulations regarding confidentiality of alcohol and drug abuse patient records, 42 C.F.R. part 2, set very restricted requirements for disclosure of this information. Section 2.31 provides that disclosures may be made with the patient’s consent, which will be in writing.* The regulations do provide for disclosures without patient consent for medical emergencies, scientific research, management audits, financial audits, or program evaluations provided that there is no personal identifying information.
Since the introduction of Medicare and Medicaid programs in the mid-1960s, the health care industry has experienced a significant increase in governmental regulations.17 As a result, how medical records are maintained and managed has been significantly affected. Whereas health care institutions were previously able to control the creation, use, and disposition of medical records through hospital policy, they are now subject to a variety of laws, rules and regulations, both state and federal, governing medical record management.17,18 Medical records have become more than just health care documents; they are now both important and necessary for quality assurance activities, medical research, billing, and legal purposes.
The health care facility creating the medical record owns it and it is considered a business record. However, while being responsible for the physical property of the record, the health care institution is only a custodian of the information. Patients and others therefore have the right of access to the information that is contained in the medical record, as well as to other documents such as radiographic x-ray films and pathology slides.
Even though the patient has the right to access personal medical records or authorize them to be disclosed to other individuals, the health care institution has the right to control how the record is released. Since a health care institution has an obligation to protect its patients from the unauthorized release of privileged information, it may take reasonable precautions to check the credentials and authority of the person seeking access to that information. Unreasonable restriction of access to medical records can be equivalent to a refusal to release the records, and subject the health care institution to a legal suit for interfering with that patient right (Thurman v. Crawford, 652 S.W.2d 240 (Mo. App. 1983)).19 This case shows that the failure to release appropriately requested medical records can also expose the institution to punitive damages.
The 1993 JCAHO Accreditation Manual for Hospitals, in standard MR.3.1-3.3, provides that medical records are the property of the hospital with the hospital responsible for protecting both the record and its information content against loss, damage, and tampering, and from use by unauthorized individuals.20 The standards also require that written consent of the patient or the legally competent representative be obtained for release of medical information to persons not authorized to receive that information. This does not exclude the health care institution from using the information in the medical record in the institution for purposes of direct medical care, administrative purposes such as auditing, billing, filing, quality assurance and utilization review, and research. In addition, the medical record can be used by the health care institution when evaluating potential legal claims or defending litigation.
Even though the American Hospital Association (AHA) recommends that the patient's attending physician be notified before records are released, this does not give the physician the right to prohibit the release of those medical records without a specific reason.21
To release medical records or information, the health care institution should require a written release signed by the patient or the patient’s legally competent representative. If the patient is a minor, state laws may provide for certain types of medical care and treatment or other special situations in which minors may give consent and also authorize release of those medical records. Otherwise, the minor’s parent or legal guardian may authorize release of the information. If the minor’s parents are divorced, some states prohibit the non-custodial parent from authorizing release of medical records or information. There should be some attempt to verify that the person signing the release is, in fact, the patient or the appropriate legal representative. In most states, family members are not automatically entitled to authorize release of medical information unless the patient is deceased. An oral authorization may be accepted in emergency situations. This should be documented and become part of the medical record, with a written form sent for implementation, which should then be placed in the medical record.
To verify the competency of the individual signing the release, the authorization should be witnessed or notarized, and dated. Because there is no common law establishing a time limit for the duration of an authorization, many health care institutions have established a maximum time period. There has also been a question raised as to whether it is permissible to release medical records made after the date of the authorization. This should be a policy established by the health care institution in conjunction with its legal counsel.
A copy of the authorization should be kept with the medical record, with a notation made as to whom and when the medical records were released. It is appropriate for the health care institution to charge a fee for producing the medical record, covering both copying costs and personnel time. Also, requiring payment prior to releasing the medical record is permissible, which should be an institution policy. The only exception to the right of access is during the patient’s hospitalization or treatment where this disclosure would interfere with patient care activities.
Privacy is a fundamental human right recognized in the United Nations Declaration of Human Rights, the International Covenant on Civil and Political Rights and in many other international and regional treaties.22 Privacy underpins human dignity and other key values such as freedom of association and freedom of speech. It has become one of the most important human rights issues of the modern age. Nearly every country in the world recognizes a right of privacy explicitly in its constitution. At a minimum, these provisions include rights of inviolability of the home and secrecy of communications. Most recently written constitutions, such as South Africa's and Hungary's, include specific rights to access and control one's personal information.22
In many of the countries where privacy is not explicitly recognized in the Constitution, such as the United States, Ireland and India, the courts have found that right in other provisions.23 In many countries, international agreements that recognize privacy rights such as the International Covenant on Civil and Political Rights or the European Convention on Human Rights have been adopted into law.23
In the early 1970s, countries began adopting broad laws intended to protect individual privacy.24 Throughout the world, there is a general movement towards the adoption of comprehensive privacy laws that set a framework for protection. Most of these laws are based on the models introduced by the Organization for Economic Cooperation and Development and the Council of Europe.24
In 1995, the European Union passed a directive that provided its citizens with a wider range of protections against abuses of their data.25 The directive on the "Protection of Individuals with regard to the processing of personal data and on the free movement of such data" sets a benchmark for national law.25 Each EU State must pass complementary legislation by October 1998.
The Directive also imposes an obligation on member States to ensure that the law covers the personal information relating to European citizens when it is exported to, and processed in, countries outside Europe. This requirement has resulted in growing pressure outside Europe for the passage of privacy laws. More than forty countries now have data protection or information privacy laws. More are in the process of being enacted.
Threats To Privacy
The increasing sophistication of information technology with its capacity to collect, analyze and disseminate information on individuals has introduced a sense of urgency to the demand for legislation. Furthermore, new developments in medical research and care, telecommunications, advanced transportation systems and financial transfers have dramatically increased the level of information generated by each individual. Computers linked together by high-speed networks with advanced processing systems can create comprehensive dossiers on any person without the need for a single central computer system. New technologies developed by the defense industry are spreading into law enforcement, civilian agencies, and private companies.
The concern over privacy violations is now greater than at any time in recent history. Populations throughout the world express fears about infringement on privacy, prompting an unprecedented number of nations to pass laws that specifically protect the privacy of their citizens. Human rights groups are concerned that much of this technology is being exported to developing countries, which lack adequate protections. Currently, there are few barriers to the trade in surveillance technology.
It is now common knowledge that the power, capacity and speed of information technology are accelerating very rapidly. The extent of privacy invasion, or the potential to invade privacy, increases correspondingly. Beyond these obvious aspects of capacity and cost, there are a number of important trends that contribute to privacy invasion:
* Globalization removes geographical limitations to the flow of data. The development of the Internet is perhaps the best-known example of a global technology.26
* Convergence is leading to the elimination of technological barriers between systems. Modern information systems are increasingly interoperable with other systems, and can mutually exchange and process different forms of data.26
* Multi-media fuses many forms of transmission and expression of data and images so that information gathered in a certain form can be easily translated into other forms.26
THE TECHNOLOGIES OF PRIVACY INVASION
A number of technologies were causing new concerns about the protection of privacy. Many of these technologies were being adopted and implemented outside legal protections.
A. Identity (ID) cards
Identity (ID) cards are in use in one form or another in almost all countries of the world. The type of card, its function, and its integrity vary enormously. While a majority of countries have official, compulsory, national IDs that are used for a variety of purposes, many developed countries do not have such a card. Among these are the United States, Canada, New Zealand, Australia, the United Kingdom, Ireland, and the Nordic countries.27 Those that do have this type of card include Germany, France, Belgium, Greece, Luxembourg, Portugal and Spain.27
ID cards are established for a variety of reasons. Race, politics and religion were often at the heart of older ID systems. The threat of insurgents, religious discrimination or political extremism has been all too common as motivation for the establishment of ID systems which would force enemies of the State into registration, or make them vulnerable in the open without proper documents.
In recent years, ID cards have been linked to national registration systems, which in turn form the basis of government administration. In these systems - for example Spain, Portugal, Thailand and Singapore - the ID card becomes merely one visible component of a much larger system.27 With the advent of magnetic stripes and microprocessor technology, these cards can also become an interface for receipt of government services.
Before September 11, biometrics was one of those things people talked about but rarely used. After September 11th, however, biometrics - the science of scanning and categorizing physical characteristics for security purposes - is being used as the cure for many of our problems in this era of terrorism.
Biometrics is a general term for measurements of individuals designed to be used to identify them or authenticate that they are who they claim to be. Many biometric technologies have been developed in the last few decades, and the technologies have already been applied in a variety of settings.
Biometric technologies have extremely serious implications for human rights in general, and privacy in particular. Their uses to date have been to enable powerful organizations to exercise social control over people, and the designs have been highly insensitive to the interests of the individuals they're imposed upon.
The last four decades of the twentieth century saw a dramatic explosion in the use of information technologies to subject people to data surveillance. The kind of centrally controllable society that novels like '1984' foresaw depended on three conditions being fulfilled: 28
1. a range of personal data systems needs to exist, each processing data for specific purposes;
2. some, preferably all, of those personal data systems need to be connected via one or more telecommunications networks; and
3. the people to whom the data relates need to be identified consistently.
The first two of those conditions were satisfied by about 1980. The lack of consistent identification of individuals is the sole factor that has held back what has been referred to as 'the dossier society' and 'the surveillance state'.29
Biometrics technologies are expressly designed as means of identifying individuals more reliably and more consistently. They threaten to break through the last remaining protection against dominance of individuals by governments and corporations. The specific threats embodied in biometrics technologies are examined in the following sub-sections.
Biometric technologies do not just involve collection of information about the person, but rather information of the person, intrinsic to them. That alone makes the very idea of these technologies distasteful to people in many cultures, and of many religions.
In addition, each person has to submit to an examination, in some cases in a manner that many people regard as demeaning. For example, the provision of a quality thumbprint involves one's forearm and hand being grasped by a specialist and rolled firmly and without hesitation across a piece of paper or a plate; and an iris-print or a retinal print requires the eye to be presented in a manner compliant with the engineering specifications of the supplier's machine. Some technologies, such as those based on DNA, go so far as to require the person to provide a sample of body fluids or body-tissue.30
Many schemes require the provision of personal data to assist in the administration of the scheme. Some are operated in close conjunction with other data-rich systems such as personnel or welfare administration. This consolidation of data enhances the opportunity for the organization to exercise control over the population for whom it holds biometrics.30
The monitoring of people's movements and actions through the use of biometrics increases the transparency of individuals' behavior to organizations. Those organizations are in a better position to anticipate actions that they would prefer to prevent and to communicate warnings to the predicted perpetrators. Furthermore, an organization that performs biometrics-aided monitoring is in a position to share personal data with other organizations, such as contracted suppliers and customers, 'business partners', and corporations and government agencies with which it 'enjoys a strategic relationship'.28
The Forensic Use of DNA Profiling: Privacy Issues
DNA profiling has been described as a powerful breakthrough in forensic science. However, the scientific validity of its application by individual laboratories has been questioned. The implementation of DNA profiling also raises issues of privacy. The forensic use of DNA profiling is a major contribution to the debate on law reform. Two major privacy issues arise in the implementation of any sort of DNA profiling and databank.31 The first is obtaining personal samples from individuals, and the second is the potential abuse of stored information.31 Part of the concern may be based on the flawed impression that DNA profiles contain the individual’s entire genotypic data, including disease states and other genetic information that could potentially be used against someone if the information were abused. In reality, within our present scientific awareness, these areas are not diagnostic for either disease states or other genetic conditions.
However, this is only true if the DNA of the individual is not retained, and only if their profile is kept in a computerized form. The question of “what exactly should be stored” has had many conflicting responses from the scientific and forensic population. The American Society of Human Genetics believes that actual samples should be retained as long as the uses of the initial material are initially defined, and as long as adequate rules of access and disclosure are implemented.32
The New York State Forensic DNA Panel disagrees with retaining DNA samples.33 Although they strongly recommend the use of a database to improve the ability of identifying suspects, they believe that the technique should match the DNA taken from an evidentiary sample with suspects' DNA coded information stored in a database computer. This information would not be the print but only the data obtained from coding that print along with relevant demographic information. The panel also recommends that the DNA sample not be saved and that if a conviction is reversed, the computer's software copy as well as the hard copy of that individual's profile should be destroyed.
There is no doubt that a DNA databank could potentially violate someone’s civil liberties if: a) it contained sensitive and genetically revealing information, and b) confidentiality were abused. However, steps can be taken legislatively and in the design of the database to reduce the possibility of any abuse or disclosure of information. Although keeping only coded profiles could eliminate privacy concerns, limitations would be placed on further analysis or the ability to create new profiles from the existing samples based on a change in the technology.
Figure 2. Feedback between databases and other variables.31
Figure 2 shows the reciprocal relationship between national databases of profiles and population frequencies, quality assurance programs, and standardization of all aspects of the technique. The latter would enable the development of regulations and norms that are a prerequisite for both programs of quality control and accreditation and databases. Concurrently, quality assurances enhance the validity and reliability of the databases while they in turn increase the acceptability and value of the DNA forensic evidence.31
Health services research (HSR) is the study of the effects of different modes of organization, delivery, and financing of health care interventions in real-world settings, as contrasted with studies of the efficacy of interventions under controlled settings such as a clinical trial.34
HSR raises particular issues regarding the protection of human subjects that differ from the problems of clinical research, just as the methods of HSR differ from the methods of clinical research. First, many HSR projects involve minimal risk of harm to subjects, so they may qualify for a waiver of informed consent; individual informed consent is also often impractical or impossible in HSR projects.35 For example, an HSR project may carry out secondary analyses of data previously collected in the delivery of patient care or the payment for such care.
If the subjects whom the project will involve are enrollees in the federal Medicare program, the number of subjects may be as many as several million individuals. Additionally, many HSR projects use data that are already public and de-identified (de-identify refers to health information where some attempt has been made to provide confidentiality protections by making it difficult to link a record to a specific individual), so they may qualify for exemption from IRB review or for expedited review.35 Finally, many private organizations do HSR--or programs such as quality improvement that use similar data and methods--not covered by the federal regulations. These organizations may not have IRBs.
The committee heard one account describing the situation as a continuum, with HSR at one end of the scale and operations at the other end (see Figure 2-3).
Source: from a slide presented by Dr. Brent James at the Workshop on Institutional Review Boards and Health Services Research Data Privacy.
Some HSR projects are clear examples of research: applying scientific methods to test hypotheses and produce new, generalizable knowledge. Other projects are certainly clear examples of internal exercises to assess the quality of the operations of the specific organization with no intention of producing generalizable knowledge. At the same time, quality assessment and quality improvement (QA and QI) exercises sometimes reveal interesting and important data that the organization recognizes to be of general interest, and that therefore ought to be published. In addition, both scientific research in health services and investigations into the internal operation of a health services organization use many of the same methods (e.g., chart review, database analysis and linkage).
Many projects may start out as operations assessment and then become more like research, and many research projects involve doing very much what would be done in an internal operations assessment. This continuum is one of the interesting, if problematic, features of HSR. The committee proceeded with a view to the clearer cases of research in health services, always aware of the less clear cases and closely related operations assessment exercises.
From the point of view of the patient or subject--the person whose personally identifiable health information may be reviewed or used--the continuum appears more like a widening circle of disclosure. At the center is the individual and health information not yet shared with anyone; then, according to Etzioni's description, is the inner circle of those with whom the individual shares information because they will use the information directly in the care of that individual.36 Next is the intermediate circle of payers, and finally the widest circle of everyone else who may have an interest in the individual's health information (but with whom the individual may or may not have an interest in sharing the information [Figure 1-1]) (Etzioni 1999).
Federal policies on the protection of human subjects in all types of research rest on IRB (Institutional Review Board) review of the research proposals and protocols, and on obtaining the informed consent of subjects. Both apply somewhat differently in HSR than in clinical research, which increases the scope and complexity of research oversight in general.37 IRB review is complicated because HSR studies often have characteristics that cause studies not to require full IRB review and discussion. On the other hand, such independent review of these studies may help ensure that confidentiality is adequately protected.
"Exemption" is a formal term in the regulations applied to studies that have such minimal impact on the subjects that no further oversight by an IRB is needed. For situations of somewhat more, but still small, impact, the proposal might receive expedited review from just one or a few members rather than the entire review board. In general, an IRB representative makes the determination of whether a project might be eligible for exemption or expedited review. Informed consent is complicated because many HSR projects involving analysis of personal health data collected previously for another purpose are eligible for waiver of informed consent. Indeed obtaining informed consent is not feasible for many HSR projects.38
The methods of HSR are varied and may include not only secondary analysis of previously collected data, but also primary data collection through surveys and interviews. This focus is on the secondary analysis of data, including personal health information, that have already been collected for some other purpose, because this type of analysis raises the most challenging ethical issues.
In research where investigators collect primary data through surveys and interviews, the subject knows that research is being conducted, can find out more about the research, and has an opportunity to decline to participate. In contrast, in secondary analyses of the type described, individuals may not know that they are subjects of research and may not have the opportunity to decline to participate. The researchers also may be unable to identify subjects individually and, therefore, unable to contact them for consent. Some people may, however, object if researchers have access to their health information without their knowledge or consent.
The committee recognized that important privacy and confidentiality concerns also arise in other forms of research using previously collected data (e.g., research using archival tissue specimens) and in many types of research in which new data are collected. Each of these areas merits careful study and the dissemination and adoption of best practices for protecting confidentiality. The committee affirms that all personally identifiable health information, no matter how it was collected or for what purpose, should be treated so as to respect privacy and maintain confidentiality.38
Justice Louis Brandeis' reference to privacy is "the right to be left alone" (Olmstead v. U.S., 1928).39 Health Services Research’s definition of privacy can be understood as a person's ability to restrict access to information about him or herself. Privacy is valued because respecting privacy in turn respects the autonomy of persons, protects against surveillance or intrusion, and allows individuals to control the dissemination and use of information about themselves. Privacy fosters and enhances a sense of self and also promotes the development of character traits and close relationships (IOM, 1994).40 The federal regulations governing human research (45 CFR 46.102 (f)) discuss privacy in the following terms: Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.40
The regulations therefore characterize privacy in terms of the expectations of the persons whose personally identifiable health information is being discussed and stipulate that the information must be specifically associated with the individual in order for the individual to have a legitimate interest in protecting it. Individuals may, however, be harmed or wronged by information associated with them probabilistically as well as specifically identifiable information.
Confidentiality refers to controlling access to the information that an individual has already disclosed, for example, a patient to a treating physician or to an insurance company paying for care. Confidentiality is a major expression of respect for persons, the person who has trusted the health care provider with private information in the belief that the information will be guarded appropriately and used only for that person's benefit. Maintaining confidentiality is important also because it encourages patients to seek needed care and to discuss sensitive topics candidly with their physicians. If patients do not believe they can trust their health care providers to maintain confidentiality, they may withhold information to the detriment of the best medical judgment and care they might receive.
Confidentiality is violated if the person or institution to which information is disclosed fails to protect it adequately or discloses it inappropriately without the patient's consent. The dilemma about HSR is that personally identifiable health information that is disclosed or collected for one purpose (clinical care, billing, etc.) is then used without consent for a different purpose (improving the state of knowledge to benefit future and current patients).
Confidentiality is also important to the continued success and vitality of the HSR effort. Just as in the case of medical treatment, research subjects may withhold information if they do not have confidence that what they disclose will be protected. Further, it is crucial to the HSR effort that researchers design studies so that the risk of harm to subjects is minimal, in order to allow the protocol to qualify for a waiver of the informed consent requirement. HSR projects often apply methods to large databases of previously collected information where individual informed consent would be impracticable or impossible. The effect of losing the population's trust in confidentiality may have serious repercussions both for the effective quality of medical care and for the quality of medical records research.
The risks of HSR are primarily violations of privacy and confidentiality, not physical risks. HSR thus differs from clinical research in which patients are at risk for physical harms because they undergo invasive medical procedures or receive unproven new therapies. Potential risks of violations of privacy or breaches of confidentiality are by no means limited to research, but can occur anytime personally identifiable health information has been collected. Potential risks include the following:
a. Risk of public (or private) disclosure of protected health secrets, which can lead to stigmatization or discrimination in employment or insurance, and/or shame: this is the fundamental issue and, for most people, probably the most serious.
b. Risk of disruption of, or interference in, patterns within families, which may result from unexpected and unauthorized communication of secrets within the family.
c. Risk that individuals may recognize (correctly or not) their own health history or anecdotes in results and interpretations of a study or may suffer anxiety simply from knowing that personal data may be in a database, without knowing whether adequate privacy protections are in place: this subjects the person to the perception of the first risk, even if it is not actually present.
d. Risk of future contact. Privacy is "the right to be left alone." Some HSR studies permit the collection of follow-up investigations that include contacting the individual whose data are studied. In this case, a stranger to the person or (perhaps less alarming but still disruptive) a care provider from long ago can suddenly intrude upon the subject's right to be left alone.
e. Risk of loss of trust in the health care system and/or scientific research, and thus loss of willingness to participate in future studies or perhaps even to seek needed health care.
These psychosocial harms can be avoided or mitigated if the research data are coded or encrypted in such a way that individual subjects cannot be identified. In addition, strong antidiscrimination laws can prevent some harm. However, subjects may be wronged by violations of privacy and confidentiality, even if they suffer no tangible harm. That is, even if persons do not suffer employment difficulties or can be compensated by law if they do, this does not change the fact that the subjects did not receive the respect due them as persons. The federal regulations on research on human subjects explicitly require IRBs to consider wrongs as well as harms in assessing the benefits and risks of research.
The great majority of occasions for breach of confidentiality occur in daily operations.41 Some instances of breaches of confidentiality are unintentional, for example, leaving a record that includes a patient's name out in the view of a visitor or discussing a patient by name in the hearing of other parties in an elevator or cafeteria.42 Also, some breaches are not accidental, but are oversights. The committee heard of one incident in which the names of employees tested for HIV were displayed with the test results on a slide at a presentation, for example. The aim of the presentation was simply to describe a database of in-house health records. Some of the employees whose records were listed in the section displayed were actually attending the meeting. In this case the breach of confidentiality could have been avoided through more attention or training on the part of the research team and by the use of coded identifiers rather than direct identifiers such as names.
As our health care system becomes more complex, information flow is likewise increasingly complicated and the potential occasions for either a breach, or perception of a breach, of confidentiality are correspondingly multiplied. For example, a database-marketing firm received patient prescription records from two large pharmacies in the Washington, D.C. metro area.43 The firm then created mailings targeted to consumers of certain prescription drug products on behalf of the pharmacies (using the letterhead of the pharmacies), informing them of new products with similar indications. The manufacturers of the new products sponsored the project, though the manufacturers did not have access to patient data. Many of the recipients were disturbed at receiving the letters, since the action seemed to straddle or even cross the line between standard prescription medication compliance letters that are often sent by pharmacies to patients and product marketing.40
There are several important points to keep in mind about the risk of breaches in confidentiality: the risk is neither new nor research specific, and some level of risk is inevitable. First, the improper identification and disclosure of health information about individuals is not a unique risk from HSR, nor is it a new result from a widespread adoption of computer-based patient records, governmental or health care industry databases or the internet. Most instances occur outside of research. Breaches also occur with paper records. With the development of computing and communications technology, both intentional and unintentional identification and disclosure of electronic personally identifiable health information potentially involve more types of information and more individuals than were possible with paper records. At the most basic level, confidentiality always depends on conscious efforts by human agents to treat other human beings with respect and restraint, whether the activity is research or not, and whatever the state of the technology.
The protection of confidentiality is impossible to guarantee--some level of risk is inevitable. It is possible to make breaches less likely and to increase the probability that confidentiality will be maintained, but the protection of confidentiality is a matter of shifting the probabilities; it cannot be an absolute.44 The question really is what measures can be taken to enhance confidentiality protection, and thus retain public trust in HSR, and still allow research to proceed. Since it is not possible to guarantee the confidentiality of records in general, it is also not possible to guarantee absolute confidentiality in HSR. The measures we can take to increase the protection of privacy and confidentiality are varied, some simple and some complex, and the range of measures will change as computational and communications technologies develop.
Even with appropriate safeguards for confidentiality, it is acceptable to consider a great deal of HSR as minimal risk and appropriate to carry out without requesting consent for each reanalysis of data.
Many disclosures of personal health information are necessary for the effective delivery of and payment for health care. But who has access to this information? When should patients be able to limit the disclosure of their health information, even to providers and insurers? As sensitive health information changes hands, consumers may lose control over who has access, when, and for what purposes.
Alarmingly, there is no comprehensive federal law that protects the privacy of medical records. Instead, a loose collection of ethical guidelines, licensing requirements and state laws dictates who gets access under what conditions. For people with sensitive or stigmatizing conditions, this often-uneven protection can result in discrimination, unwelcome exposure, or threats to physical safety. A comprehensive federal law can provide a much-needed baseline of protections. Providers, advocates, administrators, and state policy makers also need to implement privacy safeguards that go beyond the federal standard in order to respond to the specific needs of their practices, communities, institutions, and states.
Recent national surveys document that rising fears about the lack of privacy protections for health information are leading people to withdraw from full participation in the health care system. One out of every six people engages in some form of privacy-protective behavior to shield themselves from unwanted disclosures: people withhold information from or lie to their providers, pay out-of-pocket or avoid submitting a claim, doctor-hop in an attempt to keep their records separate, and, in the most serious cases, avoid care altogether.45
For victims of domestic violence, the need for privacy is particularly acute. While battered women share concerns with other health care consumers around discrimination and privacy issues, real safety concerns make the disclosure of health information a significant risk. Information in the wrong hands can be used to further victimize a woman and may make her less likely to access health care services in the future. Although all consumers have some concern about the disclosure of their health information, victims of domestic violence have some specific privacy concerns.
If an abusive spouse discovers that his victim has disclosed violence to a provider it can pose serious safety threats to her. Not understanding the consequences of such disclosure, many institutions may directly or indirectly provide sensitive medical and health information to immediate family members. For example, the perpetrator may access documentation of domestic violence in a child's medical record if he is a parent or legal guardian.46
Records may also include current contact information (such as a phone and address), which may be obtained by a spouse whose partner has fled. In addition, bills or explanations of benefits may be mailed to a shared home alerting a perpetrator of care received for domestic violence injuries.
Law enforcement officials may obtain health information in three circumstances. First, many states require health care providers to report instances of domestic abuse to law enforcement or other government bodies. States have different rules regarding mandatory reporting and there is a great deal of disagreement about how effective these laws are in promoting patient safety and documenting abuse.
Several studies, including a 1998 report by The National Research Council and the Institute of Medicine,47 have questioned whether mandatory reporting requirements limit the ability to care appropriately for victims by reducing patient willingness to disclose violence or by decreasing safety through unnecessary or inappropriate intervention. Many laws do not allow patients to object and may not require providers to inform patients of these reporting practices prior to screening for abuse. As such, victims may not be able to plan for their safety before a report is made.
Second, law enforcement officials regularly audit and investigate health care providers and insurers. In these fraud and abuse investigations, law enforcement officials obtain patient information -- including claims information and medical records.48 Most often, individual patients are never aware that their information has been obtained by law enforcement. Here, the danger is that information obtained for the fraud and abuse investigation against a provider may instead be used against the patient.
Third, law enforcement officials may obtain health information in criminal investigations against an individual. Some states require law enforcement to present a warrant or court order before they can obtain medical records. Other states allow much more liberal access.48 Patients may or may not be informed about the disclosure to law enforcement.
Privacy Principles For Maximizing And Maintaining Quality Health Care For Domestic Violence Victims
A victim of domestic violence, concerned for her safety, may be discouraged from seeking health care services because she fears that her health information will not remain confidential. Health care practice and policy, in many areas, have not implemented privacy protections that adequately address the health care, safety, and discrimination concerns of domestic violence victims. Given the consequences of inappropriate disclosures, it is crucial that everyone interested in improving the safety and health status of battered women get involved to ensure adequate privacy protections at every level, from institutional policies to federal laws.
The following guiding principle is designed to improve and build upon existing confidentiality safeguards to ensure that domestic violence victims are not placed at an increased risk of retaliatory violence, discrimination, harassment, denial of insurance benefits, and other harm. Advocates, providers, administrators, oversight agencies, and policy makers can use these principles to improve health care delivery through health care practice, institution, and system reforms, as well as Federal and State legislation.
A. Guiding Principle: All policy, protocol, and practice surrounding the use and disclosure of health information regarding victims of domestic violence should respect patient autonomy and confidentiality and serve to improve the safety and health status of victims of domestic violence.49
Adopting and implementing effective legislative, institutional, clinical practice guidelines, and protocols at every level of the health care system is a necessary step to adequately address the privacy concerns of domestic violence victims. Federal legislation is crucial to establish comprehensive baseline protections for the use and disclosure of sensitive health information. State and local statutes are also necessary to respond to the specific needs of different communities.
Even when federal and state protections are in place, legislation alone cannot ensure that a victim's privacy is protected. Advocates, policy makers, providers, and health care administrators must work together to develop policies and protocols for different health care entities. Community clinics, for example, handle health information very differently from large HMOs, so internal privacy policies need to be tailored accordingly. Likewise, technological capacity will also differ between health care facilities. While numeric or alpha coding (a code assigned to a sensitive medical record that de-links a patient's name from sensitive information) may be a practical solution in a large computer-based hospital, it may not work in a very small rural clinic. Regardless, policies and protocols should respect a victim's autonomy to make health care decisions that increase her safety and health status. Policies and protocols that have adequate privacy protections will encourage victims to discuss domestic violence with their health care providers.
While the health care system clearly offers a unique and critical opportunity for responding to domestic violence, the widespread use and disclosure of health information can put victims at risk. Efforts to improve the health care system's response to victims of domestic violence need to address the unique safety and privacy needs of victims of domestic violence. Advocates, state and federal policy makers, administrators, providers, and survivors must work together to protect patient privacy while still promoting domestic violence identification, documentation and response.
The protection of personally identifiable health information is critical to ensuring public trust and confidence in the emerging health information infrastructure. Health care reform cannot move forward without assuring the public that the highly sensitive personal information contained in their medical records will be protected from abuse and misuse. People are highly suspicious of large-scale computerization and believe that their health records are in dire need of privacy protection. If people are expected to participate in a reforming health environment, the price of their participation must not be the loss of control of sensitive personal information.
In the end, any system that fails to win the public's trust will fail to win the public's support, and will risk having individuals withdraw from full and honest participation in their own health care. To allow people to fall through the cracks because their privacy is not fully protected is too serious a matter to continue to go unaddressed by the Congress.