Privacy and Health Research. Privacy and Confidentiality in Health Research(15)


The ethos surrounding research on humans was recast and codified after World War II, as the world coped with the revelation of the medical atrocities perpetrated by the Nazis. The resulting "Nuremberg Code"—the opening sentence of which was, "The voluntary consent of the human subject is absolutely essential"—established principles having to do with the purposes of the research, gauging of risk and benefit to the subject, qualifications of researchers, and subject rights generally.(16) Consent is central in all privacy negotiations.

Initially in 1964, then through subsequent revisions, these ethical concepts were developed and disseminated much further by the World Medical Association's "Declaration of Helsinki: Recommendations Guiding Medical Doctors in Biomedical Research Involving Human Subjects."(17) The Declaration's sixth principle is: "Every precaution should be taken to respect the privacy of the subject...." Over the years a number of groups have firmed up the philosophical foundations and guided the application of the Helsinki principles.

In the U.S., one of the most influential inquiries was the 1979 "Belmont Report" of the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. It probed the (often soft) distinctions between routine healthcare practice and medical experiment. Then it crystallized three principles of subject protection, and discussed at length their application to various research situations:(18)

  • Respect for persons (treating subjects as autonomous agents, and giving special protection to subjects whose autonomy is reduced)
  • Beneficence (maximizing benefits to subjects and minimizing harm)
  • Justice (distributing benefits and burdens of research fairly).

These Belmont principles have been elaborated upon in many settings, and they serve as guides to researchers and Institutional Review Boards. Explicitly and implicitly, they have been widely applied to privacy and confidentiality decisions.

In the early 1970s such prophets as Alan Westin raised the alarm about erosion of privacy as the world moved into the computer age.(19) Partly out of concern about computerized (then also called "automated") data systems, in 1974 the U.S. passed the landmark "Privacy Act," covering personally identifiable data held by the Federal government (discussed on page 59).

A Privacy Protection Study Commission, which had been created by the Privacy Act, in 1977 issued a sweeping report on the way "records mediate relationships between individuals and organizations and thus affect an individual more easily, more broadly, and often more unfairly than was possible in the past."(20) It covered most government and commercial activities.

With respect to medical data the Commission's conclusions and predictions were absolutely correct. It noted the rapid broadening of the scope of data covered, and the decrease in data control by medical practitioners. Regarding secondary use of data, and consent, the Commission was prescient:

It appears that the importance of medical-record information to those outside of the medical-care relationship, and their demands for access to it, will continue to grow. ... There appears to be no natural limit to the potential uses of medical-record information for purposes quite different from those for which it was originally collected.


As third parties press their demands for access to medical-record information, the concept of consent to its disclosure, freely given by the individual to whom the information pertains, has less and less meaning.

The Commission emphasized three privacy-policy objectives:(21)

  • Minimizing intrusiveness
  • Maximizing fairness
  • Legitimizing expectations of confidentiality.

That was in 1977. The broad public agreement with the Commission's findings was not—still has not been—matched by legislation to attend to the problems.

A very important step for Europe was the passing by the Council of Europe, in 1981, of a carefully worked out "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data," the principles of which have become practice in most of the Member States (discussed on page 54).

Various bodies have examined the issues since then, especially as the U.S. debated healthcare reform and dashed/stumbled toward "managed care" in the early 1990s.(22)

(15) Classic sources are Robert J. Levine, Ethics and Regulation of Clinical Research, Second Edition (Urban and Schwarzenberg, Baltimore, 1986); and Tom L. Beauchamp and James F. Childress, Principles of Biomedical Ethics, Third Edition (Oxford University Press, New York and Oxford, 1989).

(16) Trials of War Criminals before the Nuremberg Military Tribunals under Control Council Law No. 10, volume 2, pp. 181–182 (U.S. Government Printing Office, Washington, DC, 1949).

(17) World Medical Association, "Declaration of Helsinki," latest revision 1989, available on the Internet at < >.

(18) U.S. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, "The Belmont Report: Ethical Principles for the Protection of Human Subjects," DHEW Publication No. (OS) 78-0012, with Appendices (OS) 78-0013 and (OS) 78-0014 (U.S. Government Printing Office, Washington, DC, 1978); the Report also was published in Federal Register 44, 23192–23197 (1979).

(19) Alan F. Westin, as cited in endnote (6).

(20) U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society, pp. 290–291 (U.S. Government Printing Office, Washington, DC, July 1977).

(21) Ibid., pp. 15–21.

(22) U.S. Congress, Office of Technology Assessment, Protecting Privacy in Computerized Medical Information, Report No. OTA-TCT-576 (U.S. Government Printing Office, Washington, DC, September 1993).