{"title":"个人隐私与共同利益:国家卫生信息隐私规则下的平衡框架。","authors":"L. Gostin, J. Hodge","doi":"10.2139/SSRN.346506","DOIUrl":null,"url":null,"abstract":"The newly-introduced Standards for Privacy of Individually Identifiable Health Information represent the first systematic national privacy protections of health information. Flowing from a Congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the regulations protect the privacy of individually-identifiable health records in any form (including electronic, paper and oral) through disclosure and use limitations, fair information practices, and privacy and security policies that apply to \"covered entities\" (health providers, health insurance plans and health care clearinghouses) and their business associates. Privacy safeguards are needed because of the personal nature of health data, the rapid shift from paper to electronic records, and actual and perceived risks of unwarranted disclosures. Existing health information privacy legal protections at the federal and state levels are fragmented, inconsistent, and variable. The new standards endeavor to protect patient privacy by limiting disclosures of individually-identifiable medical information (or \"protected health information\" (PHI)). Disclosure and use of PHI can only occur upon patient consent, subject to several exceptions outside the health care transaction setting. The regulations also implement fair information practices, which have long been a feature of existing federal laws. Fair information practices allow patients to (1) inspect and amend their records, (2) receive notice of covered entities' privacy practices and potential uses and disclosures of health information, and (3) request confidential communications and an accounting of actual disclosure. Through the regulations, HHS attempts to set a \"floor\" for protections that, it suggests, \"balance[s] the needs of the individual with the needs of society.\" Reaching this balance, however, is precarious. The national privacy rule does not always achieve a fair and reasonable allocation of benefits and burdens for patients and the community. We suggest a framework for balancing that values privacy and common goods, without a priori favoring either. We instead seek to maximize privacy interests where they matter most to the individual and maximize communal interests where they are likely to achieve the greatest public good. Thus, where the potential for public benefit is high and the risk of harm to individuals is low, we suggest that public entities should have discretion to use data for important public purposes. Provided that the data are used only for the public good (e.g., research or public health), and the potential for harmful disclosures are negligible, there are good reasons for permitting data sharing. Conversely, if data are disclosed in ways that are unlikely to achieve a strong public benefit, and the personal risks are high, individual interests in autonomy should prevail. Consequently, for these kinds of disclosures, the law should strictly prohibit the release of information without the patient's consent. Through this framework we attempt to maximize individual and communal interests in the handling of identifiable health data.","PeriodicalId":47393,"journal":{"name":"Minnesota Law Review","volume":"86 6 1","pages":"1439-79"},"PeriodicalIF":3.0000,"publicationDate":"2002-11-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"46","resultStr":"{\"title\":\"Personal privacy and common goods: a framework for balancing under the national health information privacy rule.\",\"authors\":\"L. Gostin, J. Hodge\",\"doi\":\"10.2139/SSRN.346506\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The newly-introduced Standards for Privacy of Individually Identifiable Health Information represent the first systematic national privacy protections of health information. Flowing from a Congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the regulations protect the privacy of individually-identifiable health records in any form (including electronic, paper and oral) through disclosure and use limitations, fair information practices, and privacy and security policies that apply to \\\"covered entities\\\" (health providers, health insurance plans and health care clearinghouses) and their business associates. Privacy safeguards are needed because of the personal nature of health data, the rapid shift from paper to electronic records, and actual and perceived risks of unwarranted disclosures. Existing health information privacy legal protections at the federal and state levels are fragmented, inconsistent, and variable. The new standards endeavor to protect patient privacy by limiting disclosures of individually-identifiable medical information (or \\\"protected health information\\\" (PHI)). Disclosure and use of PHI can only occur upon patient consent, subject to several exceptions outside the health care transaction setting. The regulations also implement fair information practices, which have long been a feature of existing federal laws. Fair information practices allow patients to (1) inspect and amend their records, (2) receive notice of covered entities' privacy practices and potential uses and disclosures of health information, and (3) request confidential communications and an accounting of actual disclosure. Through the regulations, HHS attempts to set a \\\"floor\\\" for protections that, it suggests, \\\"balance[s] the needs of the individual with the needs of society.\\\" Reaching this balance, however, is precarious. The national privacy rule does not always achieve a fair and reasonable allocation of benefits and burdens for patients and the community. We suggest a framework for balancing that values privacy and common goods, without a priori favoring either. We instead seek to maximize privacy interests where they matter most to the individual and maximize communal interests where they are likely to achieve the greatest public good. Thus, where the potential for public benefit is high and the risk of harm to individuals is low, we suggest that public entities should have discretion to use data for important public purposes. Provided that the data are used only for the public good (e.g., research or public health), and the potential for harmful disclosures are negligible, there are good reasons for permitting data sharing. Conversely, if data are disclosed in ways that are unlikely to achieve a strong public benefit, and the personal risks are high, individual interests in autonomy should prevail. Consequently, for these kinds of disclosures, the law should strictly prohibit the release of information without the patient's consent. Through this framework we attempt to maximize individual and communal interests in the handling of identifiable health data.\",\"PeriodicalId\":47393,\"journal\":{\"name\":\"Minnesota Law Review\",\"volume\":\"86 6 1\",\"pages\":\"1439-79\"},\"PeriodicalIF\":3.0000,\"publicationDate\":\"2002-11-04\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"46\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Minnesota Law Review\",\"FirstCategoryId\":\"90\",\"ListUrlMain\":\"https://doi.org/10.2139/SSRN.346506\",\"RegionNum\":3,\"RegionCategory\":\"社会学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"LAW\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Minnesota Law Review","FirstCategoryId":"90","ListUrlMain":"https://doi.org/10.2139/SSRN.346506","RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"LAW","Score":null,"Total":0}
Personal privacy and common goods: a framework for balancing under the national health information privacy rule.
The newly-introduced Standards for Privacy of Individually Identifiable Health Information represent the first systematic national privacy protections of health information. Flowing from a Congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the regulations protect the privacy of individually-identifiable health records in any form (including electronic, paper and oral) through disclosure and use limitations, fair information practices, and privacy and security policies that apply to "covered entities" (health providers, health insurance plans and health care clearinghouses) and their business associates. Privacy safeguards are needed because of the personal nature of health data, the rapid shift from paper to electronic records, and actual and perceived risks of unwarranted disclosures. Existing health information privacy legal protections at the federal and state levels are fragmented, inconsistent, and variable. The new standards endeavor to protect patient privacy by limiting disclosures of individually-identifiable medical information (or "protected health information" (PHI)). Disclosure and use of PHI can only occur upon patient consent, subject to several exceptions outside the health care transaction setting. The regulations also implement fair information practices, which have long been a feature of existing federal laws. Fair information practices allow patients to (1) inspect and amend their records, (2) receive notice of covered entities' privacy practices and potential uses and disclosures of health information, and (3) request confidential communications and an accounting of actual disclosure. Through the regulations, HHS attempts to set a "floor" for protections that, it suggests, "balance[s] the needs of the individual with the needs of society." Reaching this balance, however, is precarious. The national privacy rule does not always achieve a fair and reasonable allocation of benefits and burdens for patients and the community. We suggest a framework for balancing that values privacy and common goods, without a priori favoring either. We instead seek to maximize privacy interests where they matter most to the individual and maximize communal interests where they are likely to achieve the greatest public good. Thus, where the potential for public benefit is high and the risk of harm to individuals is low, we suggest that public entities should have discretion to use data for important public purposes. Provided that the data are used only for the public good (e.g., research or public health), and the potential for harmful disclosures are negligible, there are good reasons for permitting data sharing. Conversely, if data are disclosed in ways that are unlikely to achieve a strong public benefit, and the personal risks are high, individual interests in autonomy should prevail. Consequently, for these kinds of disclosures, the law should strictly prohibit the release of information without the patient's consent. Through this framework we attempt to maximize individual and communal interests in the handling of identifiable health data.
期刊介绍:
In January 1917, Professor Henry J. Fletcher launched the Minnesota Law Review with lofty aspirations: “A well-conducted law review . . . ought to do something to develop the spirit of statesmanship as distinguished from a dry professionalism. It ought at the same time contribute a little something to the systematic growth of the whole law.” For the next forty years, in conjunction with the Minnesota State Bar Association, the faculty of the University of Minnesota Law School directed the work of student editors of the Law Review. Despite their initial oversight and vision, however, the faculty gradually handed the editorial mantle over to law students.