Introduction

While Chapter 2 explores the philosophical underpinnings of the concept of privacy in detail, it is important to revisit an observation about life: there is a fundamental ontological gap among individuals. Whether philosophers conceive of us as fundamentally connected social beings or radically atomic beings, we recognize that each of us is a unique part of the experiences we have, perhaps even those we share. The “private,” then, is one way of expressing that realm of experience that each of us uniquely possesses, in which others only partake when we choose to share it with them. Even then, the very act of sharing transforms that private realm into something else, as the experience is changed in the very act of sharing.

Whatever, in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.

—Hippocratic Oath

The sharing of our private realm occurs frequently throughout our lives, with every relationship or connection with others demanding that we express what we might otherwise keep to ourselves. This chapter explores relationships that occur between patients and providers within the realm of healthcare in the United States (US). Healthcare is a professional domain primarily dedicated to helping individuals (and sometimes, by extension, the public) to live healthily (Hester, 2001). People who seek assistance from healthcare professionals (HCPs) are referred to as patients, and the act of someone assuming the role of a patient is, even if in a small way, an act of trust in what HCPs can do that the patient cannot do alone. Consequently, a fundamental obligation that arises for HCPs is to demonstrate trustworthiness in how they collaborate with and serve patients.

Privacy, as it has been treated in healthcare, signifies a patient’s entitlement to maintain control over the personal, both mundane and intimate, details of their life. This entitlement is placed firmly under the authority of the patients themselves. What follows for healthcare, then, is an obligation, which arises for the professionals and personnel working in medicine (referred to as HCPs). This obligation is typically labeled confidentiality, and requires that HCPs safeguard certain identifying information within the protective confines of the healthcare relationship. This principle has been recognized as an integral part of medicine for a considerable time, at least since the days of Hippocrates. In this context, the patient, as Richard Zaner aptly describes, has always possessed “peculiar vulnerabilities” (Zaner, 1988), and the “secrets” of their lives should not be “spoken of abroad” by the professional.

Privacy and confidentiality, then, are two sides of the same coin, though the former functions as a right in light of a particular kind of vulnerability experienced by patients, while the latter is a responsibility to be fulfilled by providers and the institutions for/in which they work. The expectation of privacy should be upheld through the trustworthy actions of HCPs in holding private patient information in confidence.

Expressed in this way, the conceptual relationship and expectations surrounding privacy and confidentiality may appear straightforward on the surface. However, this apparent simplicity is based on an overly simplistic view of healthcare as a bidirectional and exclusive collaboration between an individual patient and a specific healthcare provider. In reality, these relational rights and obligations are not absolute. The complexities of modern healthcare and the interconnectedness of today’s electronic age confound this traditional model, making the preservation of privacy and the fulfillment of confidentiality difficult, if not impossible, to maintain.

Over 40 years ago, clinician and bioethicist Mark Siegler (1982) examined the state of medical practice and declared confidentiality a “decrepit concept.” In his well-known work, Siegler argues that the supposed dual relationship between physician and patient is a myth, as numerous people inevitably have access to intimate patient information. It is worth noting that this declaration preceded the advent of Health Maintenance Organizations (HMOs), Accountable Care Organizations (ACOs), electronic health records, social media, 24-hour news cycles, and many other factors both within and outside the medical culture that have significant implications for privacy and confidentiality. Given these developments, one might wonder how much more “worn-out” and “useless” the concept must be today.

It is the case, of course, that medical information about a patient is accessed by many people and shared with many institutions. The federal government, confronted by the challenge of sharing personal information in healthcare, even recognized the need to address the concerns that such sharing raises when it passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 and issued the privacy regulations that followed from it. And while all this seems to continue to support Siegler’s argument, his concern (and that of others who have raised similar issues) simply misses the point. Privacy, as an expectation (even a right) of patients, and confidentiality as an obligation of providers, provide moral parameters that set the tone and tenor of medical relationships. Within the relationship, patients should have confidence that the intimacies of their lives can be expressed and exposed openly in order to receive the support they need to live healthily. Thus, clinicians must operate with the understanding that the release of patient information—intended or accidental—fails to fulfill a duty they hold to the patient. It is a moral wrong—be it about a trivial condition or momentous disorder. But this is not the only moral transgression that might occur. Moral harm can follow from revelations that impact patient lives through exposure that leads to loss of work, tensions in or dissolution of relationships, stigmatization, and even avoidance of future medical care.

As highlighted by Ken Goodman (2022), the challenges that healthcare faces in light of the use of electronic medical records bring into stark relief concerns regarding both moral wrongs and harms,

In the clinical setting, a patient can be wronged, harmed, or both by incautious and unguarded conversations, by failures to follow basic electronic health record (EHR) hygiene (do not share your password, log off, do not make copies), and by efforts to trick users or attack systems…. Breaches of any kind or size can erode trust and undermine universal values that shape the clinician-patient relationship.

Clinical medicine (as well as medical research) operates as a professional space precisely because the relationship between patients and providers comes with expectations that the relationship is a special kind—not one of family or friendship nor of a simple business transaction or “mechanical” service. It is a space devoted to helping human beings live healthily, meeting their own individual vision of what living healthily means to them (Hester, 2001). That requires an understanding among all the parties that the personal intricacies of individual lives “ought not to be spoken of abroad.”

Limitations and the Scope of Privacy

While it is clear that privacy is important, even fundamental, to healthcare relationships, it is not without its limits. For reasons ranging from the logistical to public health to the criminal to the moral, there are times when a patient’s privacy must give way to other forces and the confidentiality that providers protect must be abandoned. We have already noted that the essential flow of information within healthcare institutions often necessitates that numerous people whom patients would not otherwise have considered to be within the scope of healthcare practice gain legitimate access to intimate details of a patient’s life. That is, not just the physician or nurse knows medical details about a patient, but respiratory therapists, social workers, chaplains, and even clinical ethicists may see a patient’s chart—not to mention medical transcriptionists, medical records clerks, insurance providers, and many more. Again, this all falls within the scope of medical privacy, even if patients are not fully aware of it.

Beyond the general scope of medical privacy, there are instances when the confidentiality inherent in medicine may be intentionally breached for the sake of public health. States have laws, for example, requiring that certain communicable diseases—such as Tuberculosis, Ebola, and HIV—be reported to state agencies. These requirements are born out of a concern for the common good, and often these same laws also impose limitations on what personal information state agents can disclose, and to whom. The range of state-based concerns expands even further when other safety and protection factors come into play. For instance, healthcare providers are mandated reporters, legally obligated to report reasonable suspicion of child or elder abuse. Similarly, injuries suspected to be the result of criminal activity often have to be reported. These exceptions to typical privacy protections balance individual privacy with broader societal interests in safety and public health.

Wider legal factors may burst open the privacy bubble, as well. Courts may require medical records to be disclosed or healthcare providers to testify in court. Cases regarding workers’ compensation require that medical records be examined by insurance providers, lawyers, and others. Such circumstances demonstrate that while medical privacy is a principle in healthcare, it is not inviolable and can be overridden by a number of broader societal concerns.

Some of the harder cases for patients and providers, however, are so-called “duty to warn” situations. The paradigmatic legal case, known as the Tarasoff case in California, emerged from mental health practice in the 1970s. The case arose after the tragic death of Tatiana Tarasoff, who was murdered by her ex-boyfriend, Prosenjit Poddar. A few months earlier, Poddar had told a psychotherapist at the University of California at Berkeley that he intended to kill Tarasoff. Seven years later, the Supreme Court of California ruled that in some cases the provider has an obligation to break confidentiality, specifically when there is a clear threat of imminent harm to an identifiable third party. Subsequent to this ruling, many states have passed “Tarasoff” laws, and even where no such law exists, many legal experts and ethicists believe that the Tarasoff ruling does identify a limit to privacy and confidentiality in healthcare relationships.

This “duty to warn” has, at times, been expanded upon by ethicists, courts, and state legislatures to include other forms of medical danger. The most prominent example arose in the 1980s and 1990s with HIV and AIDS. Due to concerns about the communicable nature of HIV—especially before the development of effective antiviral treatments that could reduce or eliminate viral loads—states passed laws requiring either practitioners or state agencies to contact known, or even just potential, intimate partners of individuals testing positive for HIV.

Whether or not we agree with each category or instance of supported breaches of privacy and confidentiality, the point of all this is that privacy does have limits. Consequently, providers may confront moments in their practice when they are required to forego keeping patient information confidential because of some other, more pressing (typically social or legal) obligation. One ethical framework for understanding better when breaching confidentiality may be acceptable includes the following criteria:

  1. There is strong reason to believe that a serious threat of physical harm exists to an identifiable individual.

  2. After careful consideration, there is a strong likelihood that a tangible and true benefit will result from breaking confidentiality.

  3. The breach is a last resort, pursued only after other alternatives have been considered and deemed inadequate.

  4. It would be reasonable to support a breach of confidentiality by a healthcare provider in any case involving a patient under relevantly similar conditions and circumstances.

A Note on HIPAA

We now see how the law plays into delimiting the scope of privacy in medical practice, but as alluded to earlier, the law also seeks to constrain the use of private information in order to protect patients’ personal information as much as health systems can allow. The primary instrument for achieving this has been the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, whose Privacy Rule did not take full effect until 2003. Despite what the title might suggest, the “portability” in HIPAA refers to carrying health insurance coverage from one job to another; the provisions relevant here are the Act’s administrative simplification rules, which standardized the electronic exchange of health information among the many institutions, companies, and providers that require access to a patient’s health information. Standardized, easy exchange, however, brings with it the risk of information being just as easily accessible to others who do not need it. To address this issue, the “accountability” side of HIPAA is manifest in the HIPAA Privacy Rule. This rule provides guidelines and restrictions on how health information should be shared among the various stakeholders involved. The Privacy Rule targets individually identifiable health information: details about a person’s mental or physical health, treatment history, or payment for healthcare services. This is known as “protected health information” (PHI), and PHI not only includes health information but also “common identifiers” such as name, address, birth date, and so forth.

Important requirements from HIPAA’s Privacy Rule include:

  • Patients should have easy and secure access to their own health information, and have the right to request an accounting of who has accessed their health records. HECs should work to foster improved ease of access to electronic health record (EHR) information.

  • The sharing and exchange of health information should be guided by the “minimum necessary standard.” This means that one should not share more information than needed for a particular purpose.

  • Institutions must establish policies governing how health information moves among the people or organizations that provide or pay for healthcare (“covered entities”) and the contractors that handle it on their behalf (“business associates”).

Breaches of HIPAA confidentiality requirements—where Protected Health Information (PHI) is disclosed to parties who do not have a legitimate need for it—can lead to both institutional and individual penalties. Civil penalties scale with culpability, from violations the entity did not know about up to willful neglect, and knowingly obtaining or disclosing PHI in violation of the statute can be prosecuted criminally. Such consequences underscore the importance of safeguarding patient privacy and maintaining the integrity of healthcare systems.

Technology and Data: The Promises and Perils to Privacy

HIPAA regulations underscore the importance of and concern for the sharing of health data within and across complex healthcare, insurance, and legal systems. And while this data can be provided on paper, through hardcopies handed directly to individuals or delivered by human carriers, the reality is that in contemporary healthcare, nearly all information is digitized. From lab values, to point-of-care testing, to online mental health forms, and more, information by and about patients resides in servers, computers, chips, and drives. Wearable devices monitor heart rate, blood pressure, and glucose levels, and electronic health records (EHRs) store demographic information alongside the results of MRIs, serum tests, and digitized consent forms. And while digitizing this data supports ease of use in a variety of ways, it also introduces new risks to the maintenance of personal privacy.

Digitized data is pervasive in healthcare, and there are any number of ways such data can be captured—both by those who need access and those who simply want access (authorized or unauthorized). Consider, for example, telehealth “visits” that are streamed over the Internet. Aside from the simple logistics of knowing who is participating in the encounter in real time—with the possibility of people standing “outside the frame”—the stream itself must be encrypted in transit and its participants authenticated (a per-visit link or waiting room rather than a standing, guessable meeting address), so that the feed can be neither intercepted nor joined by an uninvited party. Encryption protects the feed, not the room: it does nothing about who is off camera at either end.

To address challenges that monitoring devices, EHRs, telehealth encounters, and more create, every system that handles patient information should be configured and operated to meet HIPAA’s Security Rule safeguards. Note that HHS certifies no product as “HIPAA compliant”; compliance is a property of how a system is configured, contracted for (through business associate agreements with vendors), and used, not a label on the software. Just as importantly, the humans developing and using such technologies must do so in ways that mitigate, if not eliminate, the possibility of unauthorized exposure of private data.

EHRs, PHRs, and Portals

Of course, records captured for long-term use, like the information in an EHR, can be all the more challenging to protect. The widespread use of EHRs has been of great benefit to healthcare providers, offering convenient and searchable access to extensive patient information. This data can also be organized, analyzed, and cross-referenced using tables, lists, and values drawn from evidence-based sources. Of course, any data reachable over a network is at some risk of technological breaches through hacking or mistaken data dumps, and along with good security must exist good policies for how any unauthorized access would be detected and handled, which presupposes that access to the record is logged in the first place.

But further, most EHR systems now make personal health records (PHRs) available, making the task of securing EHR data increasingly complex. Particularly since the 21st Century Cures Act of 2016, whose information-access rules were phased in through 2022, patients have widespread access to their PHRs through patient portals. A clear challenge, for example, is presented by the records of minors or of patients deemed to lack decisional capacity.

For minors, parents may have ready access to their child’s patient portal, and restricted access to the child’s information should follow legal and ethical norms, requiring purposeful programming of the EHR/PHR systems. For example, some states do protect minor privacy when minors are legally allowed to consent to certain treatments for conditions like sexually transmitted diseases (STDs). Professionally, the American Academy of Pediatrics (AAP) has recommended, as well, that “Adolescents should have the right to exclude parents from their PHRs when law dictates that they may be treated without parental consent. When these features are used, health care professionals need to know that these exclusions are in place” (AAP, 2009). However, ready access to PHRs with no systematic thought regarding exclusion criteria for parental access means that parents may learn about a child’s STD or birth control prescription (and so forth) when the child would otherwise wish this information to remain private.

Similarly, when an adult patient lacks decisional capacity, often family members are granted access to their information, even if those family members are not the legally identified surrogate decision maker. And even when they are legal decision makers, once granted access, this usually includes access to all records within the chart, not just those relevant to the current illness or injury.

Of course, these access issues are not unique to EHR data, but having ready access from almost anywhere through a patient portal magnifies the risks to privacy compared to that of paper-only copies of medical records. The AAP itself notes, “most systems are not capable of allowing …restrict[ions] to different portions of a patient’s electronic health information,” (AAP, 2012). As such, patient information not germane to current conditions may be accessible to parents of minors, surrogates of adults, or even just family granted temporary access by the patient for a specific purpose and timeframe.
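The per-portion restriction that the AAP says most systems cannot express, together with the minimum-necessary standard and the accounting of disclosures listed under HIPAA above, can be made concrete. The following is an added example, not code from this chapter or from any EHR product. The record layout, the relationship names, the categories treated as confidential for a minor, and the age of majority are assumptions chosen for illustration; a real deployment would configure them from the applicable state law. The sample chart is constructed.

```python
"""Relationship- and purpose-aware release of a patient chart, with an access
log that can answer an accounting-of-disclosures request.

Added example, not code from the chapter or any EHR product. Record layout,
relationship names, confidential categories and age of majority are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Assumed: categories in which many states let a minor consent to care alone.
MINOR_CONFIDENTIAL = {"sexual_health", "contraception", "mental_health", "substance_use"}
# Assumed: what a payment purpose needs; anything more exceeds the minimum.
PAYMENT_CATEGORIES = {"billing", "diagnosis_codes"}
AGE_OF_MAJORITY = 18  # assumed; varies by jurisdiction


@dataclass(frozen=True)
class Entry:
    episode: str    # the encounter this entry belongs to
    category: str   # e.g. "labs", "medications", "sexual_health"
    text: str


@dataclass
class Chart:
    patient_id: str
    age: int
    entries: List[Entry]


@dataclass(frozen=True)
class Request:
    user_id: str
    relationship: str              # "self" | "parent" | "surrogate" | "payment"
    purpose: str                   # recorded verbatim for the accounting
    episode: Optional[str] = None  # surrogate access is scoped to one episode


@dataclass
class AccessLog:
    """Every release is logged, whether or not anything was returned."""
    rows: List[dict] = field(default_factory=list)

    def record(self, req: Request, chart: Chart, released: List[Entry]) -> None:
        self.rows.append({"when": datetime.now(timezone.utc).isoformat(),
                          "patient_id": chart.patient_id, "user_id": req.user_id,
                          "relationship": req.relationship, "purpose": req.purpose,
                          "categories": sorted({e.category for e in released})})

    def accounting_for(self, patient_id: str) -> List[dict]:
        """What a patient gets back when asking who has seen their record."""
        return [r for r in self.rows if r["patient_id"] == patient_id]


def confidential_episodes(chart: Chart) -> set:
    """Whole encounters containing a confidential entry are withheld from a
    parent; the medication or bill from the same visit would otherwise betray it."""
    return {e.episode for e in chart.entries if e.category in MINOR_CONFIDENTIAL}


def release(chart: Chart, req: Request, log: AccessLog) -> List[Entry]:
    """Return only the entries this requester may see; deny by default."""
    if req.relationship == "self":
        allowed = list(chart.entries)
    elif req.relationship == "parent":
        if chart.age >= AGE_OF_MAJORITY:
            allowed = []  # parent of an adult has no standing without a proxy grant
        else:
            hidden = confidential_episodes(chart)
            allowed = [e for e in chart.entries if e.episode not in hidden]
    elif req.relationship == "surrogate":
        allowed = [e for e in chart.entries
                   if req.episode is not None and e.episode == req.episode]
    elif req.relationship == "payment":
        allowed = [e for e in chart.entries if e.category in PAYMENT_CATEGORIES]
    else:
        allowed = []
    log.record(req, chart, allowed)
    return allowed


# Constructed chart for a 16-year-old; enc-2 is a confidential visit.
SAMPLE_CHART = Chart("pt-001", 16, [
    Entry("enc-1", "labs", "CBC within normal limits"),
    Entry("enc-1", "billing", "Office visit, level 3"),
    Entry("enc-2", "sexual_health", "Chlamydia screen positive; treated"),
    Entry("enc-2", "medications", "Azithromycin 1 g PO once"),
    Entry("enc-3", "diagnosis_codes", "J06.9"),
])


def demo() -> dict:
    """Run four requesters against SAMPLE_CHART; return the categories each saw."""
    log = AccessLog()
    seen = {}
    for req in (Request("pt-001", "self", "portal view"),
                Request("parent-01", "parent", "proxy portal view"),
                Request("aunt-02", "surrogate", "decision about enc-1", episode="enc-1"),
                Request("clerk-03", "payment", "claim submission")):
        seen[req.relationship] = sorted({e.category for e in release(SAMPLE_CHART, req, log)})
    seen["accounting"] = [r["user_id"] for r in log.accounting_for("pt-001")]
    return seen


if __name__ == "__main__":
    for who, what in demo().items():
        print(f"{who:>10}: {what}")
```

The two design choices worth noting are that confidentiality attaches to the whole encounter rather than to a single labelled entry, since a prescription or charge from the same visit reveals the visit, and that the log row is written even when nothing is released, so the accounting reflects attempts as well as disclosures.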

Biobanking and the Specter of Datamining

Though there are a great many ways in which technology in medicine can undercut personal privacy and professional obligations to confidentiality, biobanking serves as a particularly illustrative example. Originally established as storage facilities for human blood and tissue, biobanks have become crucial for medical research largely due to the data associated with these materials. A large amount of data can be garnered from a wide variety of banked materials, but genetic data, in particular, demonstrates well the risk to patient/participant privacy, because while much of the stored material is purposefully “deidentified” before it is made available to researchers, it remains possible to reconnect PHI with some of those banked materials. This vulnerability arises from several forces at play.

Given the growing use and importance of biobanking, in 2018 the US federal government finalized a revision of what is known as The Common Rule—the federal regulations governing much of the human subjects research done in the United States. The updated regulatory language explicitly permits the extensive use of biobanked materials in research without the need for consent, so long as the material is deidentified. While this change has been hailed as a major advancement for research, facilitating smoother compliance with regulations, it also has the consequence of easing the passing of genetic material around the globe in the service of research while the individuals whose material is being used know nothing of its use.

Since the material is deidentified, it might be reasonable to suggest that little-to-no risk exists for the people whose genetic material is being used. But the technical reality is that each individual’s privacy is at risk. Deidentification removes direct identifiers such as names and record numbers; it does not remove the demographic quasi-identifiers (sex, birth year, region) that are kept because they are useful for analysis, nor the genetic markers themselves, and it is these that make linkage to public records possible. In 2013, using data from the biobanking project known as the 1000 Genomes Project (launched in 2008), bioinformatics researchers used the genetic markers in the databank and publicly available records—from genetic databanks within the US National Institutes of Health (NIH) to local public health and city directory records—to reidentify roughly 5% of the genomes in the project (Gymrek et al., 2013). Subsequently, new techniques (grounded in new AI and machine learning technologies) have been developed that indicate that the vast majority of material stored with genetic markers can be re-identified. And while research consent forms do indicate the risk of privacy breaches when participating in biobanks, the language hardly describes the possibilities of identification accurately, revealing limitations in our current systems to safeguard individual privacy in medical research.
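To show why stripping names does not make a research extract anonymous, the following added example (not from the chapter, and not the method of Gymrek et al.) runs the simplest form of linkage attack against a constructed “deidentified” table: every sample, name, ZIP prefix and marker string below is made up, and the public directory it links against is likewise constructed. It also shows what coarsening the quasi-identifiers before release does to the attack, which is the basic k-anonymity move.

```python
"""Linkage attack on a "deidentified" research extract.

Added example, not from the chapter; all records are constructed. Direct
identifiers were stripped from RESEARCH, but the quasi-identifiers (sex,
birth year, 3-digit ZIP prefix) were kept for analysis, alongside a marker
string standing in for the genetic markers a biobank releases.
"""
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("sex", "birth_year", "zip3")

RESEARCH = [  # constructed: no names, but quasi-identifiers and markers intact
    {"sample": "S001", "sex": "M", "birth_year": 1961, "zip3": "021", "marker": "DYS19=14;DYS390=24"},
    {"sample": "S002", "sex": "F", "birth_year": 1974, "zip3": "021", "marker": "rs1234=AG;rs5678=CC"},
    {"sample": "S003", "sex": "M", "birth_year": 1961, "zip3": "021", "marker": "DYS19=15;DYS390=23"},
    {"sample": "S004", "sex": "F", "birth_year": 1988, "zip3": "945", "marker": "rs1234=AA;rs5678=CT"},
    {"sample": "S005", "sex": "M", "birth_year": 1955, "zip3": "606", "marker": "DYS19=14;DYS390=25"},
    {"sample": "S006", "sex": "F", "birth_year": 1974, "zip3": "945", "marker": "rs1234=GG;rs5678=CC"},
]

PUBLIC = [  # constructed stand-in for a voter roll or city directory
    {"name": "A. Rivera", "sex": "M", "birth_year": 1961, "zip3": "021"},
    {"name": "B. Chen", "sex": "M", "birth_year": 1961, "zip3": "021"},
    {"name": "C. Okafor", "sex": "F", "birth_year": 1974, "zip3": "021"},
    {"name": "D. Patel", "sex": "F", "birth_year": 1988, "zip3": "945"},
    {"name": "E. Novak", "sex": "M", "birth_year": 1955, "zip3": "606"},
    {"name": "F. Lindqvist", "sex": "F", "birth_year": 1974, "zip3": "945"},
    {"name": "G. Haddad", "sex": "F", "birth_year": 1974, "zip3": "945"},
    {"name": "H. Moreau", "sex": "M", "birth_year": 1980, "zip3": "100"},
    {"name": "I. Sato", "sex": "F", "birth_year": 1971, "zip3": "028"},
    {"name": "J. Becker", "sex": "M", "birth_year": 1958, "zip3": "601"},
    {"name": "K. Ortiz", "sex": "F", "birth_year": 1983, "zip3": "940"},
]


def qi_key(row):
    return tuple(row[k] for k in QUASI_IDENTIFIERS)


def k_anonymity(rows):
    """Size of the smallest group sharing one quasi-identifier combination.
    k == 1 means at least one row is unique on those fields alone."""
    return min(Counter(qi_key(r) for r in rows).values())


def link(research, public):
    """Map sample -> name for every research row whose quasi-identifiers match
    exactly one public record. Ambiguous matches are not counted as hits."""
    index = defaultdict(list)
    for p in public:
        index[qi_key(p)].append(p["name"])
    hits = {}
    for r in research:
        candidates = index.get(qi_key(r), [])
        if len(candidates) == 1:
            hits[r["sample"]] = candidates[0]
    return hits


def reidentification_rate(research, public):
    return len(link(research, public)) / len(research)


def attribute_markers(research, hits):
    """Once a sample is named, its marker is named too, and so is every other
    record anywhere that carries the same marker (the harm compounds)."""
    return {r["marker"]: hits[r["sample"]] for r in research if r["sample"] in hits}


def generalize(rows, year_bucket=10, zip_digits=1):
    """Coarsen quasi-identifiers before release. The attacker coarsens the
    public side the same way, so candidate sets grow and exact matches vanish."""
    out = []
    for r in rows:
        g = dict(r)
        g["birth_year"] = r["birth_year"] - r["birth_year"] % year_bucket
        g["zip3"] = r["zip3"][:zip_digits]
        out.append(g)
    return out


if __name__ == "__main__":
    print("k-anonymity of release:", k_anonymity(RESEARCH))
    hits = link(RESEARCH, PUBLIC)
    print("re-identified:", hits, f"({reidentification_rate(RESEARCH, PUBLIC):.0%})")
    print("named markers:", attribute_markers(RESEARCH, hits))
    print("after generalization:", link(generalize(RESEARCH), generalize(PUBLIC)))
```

On this constructed data three of six “deidentified” rows are named outright, and the marker attached to each becomes a named marker from then on. Coarsening birth year to the decade and the ZIP prefix to one digit pushes every candidate set above one; the price is analytic resolution, and a richer public source (more rows, more attributes) would shrink the candidate sets again, which is why deidentification is a risk reduction rather than a guarantee.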

Of course, careful security measures and strict protocols can mitigate the risks to privacy in cases like these, but hacking is a reality in our culture, and mistakes can also occur. The digital nature of our personal information simply makes identifying individuals in clinical and research settings possible, even if not probable. It is important that institutions, investigators, and providers are vigilant in their attempts to eliminate breaches while being transparent to patients and participants about the real possibilities of losing privacy because of the technologies employed by healthcare.

Conclusion

In the years to come, the ubiquity of technology will only increase across various areas and practices within healthcare institutions and among personnel—from the application of data-driven artificial intelligence to the expansion in the use of implantable devices for monitoring, and even adjusting, aspects of our physiology. All this technology relies on and feeds into stores of data—data that originates from specific individuals and often retains enough markers to identify uniquely the sources from which it came. As such, the privacy of these individuals will always be at some risk. Therefore, it remains imperative for healthcare to foster a culture of confidentiality, even if it cannot guarantee it. Only by championing a culture of confidentiality will institutions and providers practice in ways that deliberately and effectively mitigate the very real risks to the privacy of the patients, participants, and people they serve.