BOX 2-1 Overview of Privacy Protections in the Law

Constitutional Protections

Both federal and state constitutions generally afford citizens some protection for the privacy of their health information. However, with limited exceptions, individuals are only protected against governmental intrusions into their personal health information and may not raise constitutional concerns about private action. Even when state action is involved, individuals rarely prevail on claims premised on constitutional rights to informational privacy because state interests generally outweigh the individual’s privacy interest.

The U.S. Constitution does not expressly provide a right to privacy, but the courts have determined that various constitutional provisions implicitly create zones of privacy that are protected by the Constitution. The privacy interests recognized include both the individual’s interest in making certain kinds of important decisions and the individual’s interest in avoiding disclosure of personal matters. With respect to informational privacy, the courts have afforded limited constitutional protection. The right is not absolute: courts weigh factors such as the type of record and the information it contains, the potential for harm from an unauthorized disclosure, and the injury that disclosure would cause to the relationship in which the record was generated, against the public interest or need for the disclosure and the adequacy of safeguards to prevent unauthorized access or disclosure. Several federal courts have expressly recognized a constitutional right of privacy in connection with medical and prescription records.

All states have constitutional provisions similar to those in the U.S. Constitution, which give rise to an implied right of privacy. Unlike the U.S. Constitution, however, constitutions in 10 states grant individuals an express right to privacy. Courts have consistently determined that health or medical information is an area of privacy that is protected by state constitutions.

Common Law Protections

State common law generally recognizes that some health care relationships are based on maintaining the confidentiality of information obtained in the course of care and affords a remedy when that confidentiality is breached. Traditionally, the law’s regulation of “privacy” consisted essentially of the protection of confidentiality within the doctor–patient relationship. Courts have found that actions may be maintained against private parties for unauthorized disclosures of health information under a number of legal theories, including invasion of privacy, implied breach of contract, breach of confidentiality, and breach of fiduciary relationship. Obtaining a remedy for disclosure of health information under any of these theories, however, is difficult.

In the health care context, the promise of confidentiality is intended to encourage patients to fully disclose their most personal information to assist in accurate diagnosis and treatment. Courts have thus found the duty of confidentiality applies to physicians, hospitals, psychiatrists, and social workers. The underlying duty of confidentiality is not absolute, and the courts have indicated that there is no breach of confidentiality when a disclosure is made as required by statute (e.g., mandatory reporting to state officials of infectious or contagious diseases) or common law (e.g., a duty to disclose information concerning the safety of third persons). The extent to which state common law protects the confidentiality of health information in the evolving health care paradigm, where many people and organizations that receive and maintain health information do not have a direct relationship with the patient, is unclear. In most states, common law protections, particularly in tort, have been codified in statute.

Statutory and Regulatory Protections

Since the 1970s, the trend has been to augment existing constitutional and common law rights with statutory protections specifically designed to protect the privacy and confidentiality of health information (see Table 2-1). Although the common law continues to be important, the federal and state governments have increasingly focused on promulgating distinct standards for the protection of health information.

The shift to statutory and regulatory protections for health information was largely a response to the changing nature of recordkeeping in general, and of the provision of health care in particular. As noted by the 1977 Privacy Protection Study Commission, “The emergence of third-party payment plans; the use of health care information for non-healthcare purposes; the growing involvement of government agencies in virtually all aspects of health care; and the exponential increase in the use of computers and automated information systems for healthcare record information have combined to put substantial pressure on traditional confidentiality protections.”

TABLE 2-1 Federal Health Privacy Statutes and Executive Orders That Regulate the Collection and Disclosure of Information

| Statute | Year | Privacy Protection |
|---|---|---|
| Freedom of Information Act (FOIA) | 1966 | Prevents personally identifiable health information from being included in the release of information as part of a FOIA request |
| Privacy Act | 1974 | Protects the privacy of health, research, and other records held by federal agencies |
| Family Educational Rights and Privacy Act | 1974 | Requires schools to have written permission from a parent or student prior to releasing information from a student’s education record |
| Veterans Omnibus Health Care Act | 1976 | Protects the privacy of medical records relating to the treatment of drug abuse, alcohol abuse, infection with AIDS, or sickle cell anemia in the Department of Veterans Affairs |
| Protection of Pupil Rights Amendment | 1978 | Protects the rights of pupils and the parents of pupils in programs funded by the Department of Education |
| Social Security Act, Section 1106 | 1986 | Prohibits unauthorized disclosure of individually identifiable records held by the Department of Health and Human Services, the Social Security Administration, and their contractors |
| Clinical Laboratory Improvement Amendments | 1988 | Requires clinical laboratories to protect the confidentiality of test results and reports, including information on patients and clinical study subjects; medical information may only be disclosed to authorized persons as defined by state or federal law |
| Public Health Service Act, Health Omnibus Program Extension | 1988 | Provides for Certificates of Confidentiality that protect personally identifiable research information |
| Americans with Disabilities Act | 1990 | Employers must treat employees’ and applicants’ medical information and medical conditions confidentially |
| Public Health Service Act, Section 543, Federal Confidentiality Requirements for Substance Abuse Patient Records | 1992 | Federally assisted alcohol or substance abuse programs must keep patient alcohol and drug abuse treatment records confidential, absent patient consent or a court order |
| Health Insurance Portability and Accountability Act (HIPAA), Privacy Rule | 1996 | Protects the privacy of individually identifiable information held by covered entities |
| Balanced Budget Act | 1997 | Added language to the Social Security Act to require Medicare+Choice organizations to establish safeguards for the privacy of individually identifiable patient information |
| Clinton’s Executive Order 13145 | 2000 | Bans the use of genetic information in federal hiring and promotion decisions |
| Confidential Information Protection and Statistical Efficiency Act | 2002 | Ensures that information supplied by individuals or organizations to a federal agency for statistical purposes under a pledge of confidentiality is used exclusively for statistical purposes |
| Medicare Prescription Drug, Improvement and Modernization Act | 2003 | Requires prescription drug plan sponsors to comply with the HIPAA Privacy Rule and Security Rule requirements |
| Genetic Information Nondiscrimination Act | 2008 | Prohibits discrimination against individuals based on their genetic information in health insurance and employment |

SOURCES: Bodger (2006); Gostin (1995); Magnussen (2004); NCSL (2008); Pritts (2002, 2008); Privacy Protection Study Commission (1977); Richards and Solove (2007); Terry and Francis (2007).

From: Chapter 2, The Value and Importance of Health Information Privacy

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.
Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors.
Washington (DC): National Academies Press (US); 2009.
Copyright © 2009, National Academy of Sciences.

NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.