
An Architecture for Privacy in a Networked Health Information Environment



As we move toward the creation of a networked health information environment, the potential for privacy intrusions increases, with a potentially devastating impact on the quality of and access to healthcare. This paper describes the risks we face and proposes a framework to minimize those risks. In particular, it proposes nine principles to protect privacy in an information age.




1 United Nations. Universal Declaration of Human Rights, Article 12. Available at

2 Naser C, Alpert S. Protecting the privacy of medical records: An ethical analysis (White Paper). Lexington, MA: National Coalition for Patient Rights; 1999.

3 The EU Directive mentioned above similarly treats medical violations of privacy as particularly egregious cases.

4 See note 2, Naser, Alpert 1999.

5 Alpert SA. Protecting medical privacy: Challenges in the age of genetic information. Journal of Social Issues 2003;59(2):301–22; Goffman E. Behavior in Public Places: Notes on the Social Organization of Gatherings. New York: Free Press; 1966; Westin A. Privacy and Freedom. New York: Atheneum; 1967.

6 Goldman J. Protecting privacy to improve health care. Health Affairs 1998;17:47–60.

7 See note 6, Goldman 1998.

8 Goldman J, Hudson Z. Virtually exposed: Privacy and e-health. Health Affairs 2000;19:140–8.

9 These and more survey results can be found at the Electronic Privacy Information Center (EPIC), 27 April 2007; available at (accessed 27 May 2008).

10 See note 5, Alpert 2003.

11 See note 6, Goldman 1998.

12 Bennett CJ. Regulating Privacy: Data Protection and Public Policy in Europe and the United States. Ithaca, NY: Cornell University Press; 1992.

13 Goldman J. Privacy and individual empowerment in the interactive age. In: Bennett C, Grant R, eds. Visions of Privacy: Policy Choices for a Digital Age. Toronto: University of Toronto Press; 1999.

14 Brandeis LD, Warren SD. The right to privacy. Harvard Law Review 1890;4:193–7.

15 See note 14, Brandeis, Warren 1890.

16 See note 5, Westin 1967.

17 The U.S. National Information Infrastructure Task Force defines the term as follows: “Information privacy is an individual's claim to control the terms under which personal information—information identifiable to an individual—is acquired, disclosed, and used.” Available at

18 Miller A. The Assault on Privacy: Computers, Data Banks, and Dossiers. Ann Arbor: University of Michigan Press; 1971.

19 See note 5, Westin 1967.

20 See note 5, Alpert 2003.

21 See note 5, Alpert 2003.

22 See note 5, Alpert 2003.

23 Of course, the illicit use of data is not particular to the networked environment. What has changed, however, is the scope of potential violations: as the network expands and the amount of data increases, so does the possibility of confidentiality violations. In addition, a networked environment facilitates the illicit acquisition (e.g., through theft) and dissemination of data. This is in large part due to the digitization of information, which makes it easier to store and easier to steal without its original owner even noticing.

24 Health Privacy Working Group. Best Principles for Health Policy; 1999; available at

25 The Register; available at (accessed 27 May 2008).

26 United States Senate Committee on the Judiciary, 13 Apr 2005; available at (accessed 27 May 2008).

27 See note 26, United States Senate Committee on the Judiciary 2005.

28 For a listing of recent security breaches and data violations, see Privacy Rights Clearinghouse, 20 April 2005; available at (accessed 27 May 2008).

29 See note 24, Health Privacy Working Group 1999.

30 In particular, we have reviewed laws in three jurisdictions: the United States, including the 1973 Fair Information Practices and the 1974 Privacy Act; the OECD, including the 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; and Canada, including the 1995 Canadian Standards Association Model Code for the Protection of Personal Information. More information about these and other existing Fair Information Practices can be found at the web site of the Privacy Rights Clearinghouse, a non-profit consumer group located in California; updated Feb 2004; available at (accessed 27 May 2008).

31 Any provisions for informed consent need to be drafted in such a way that sharing information is not unduly cumbersome for data users. It is probably unrealistic to assume that patients can or should give their assent to each and every use of their medical data.

32 Valid concerns have been raised, however, that such a centralization may create additional security vulnerabilities.

33 It is important to recognize that the flexibility of opt-out provisions is sometimes limited by what is technologically feasible. It goes without saying that any steps or provisions taken to protect confidentiality need to take account of what is possible with existing technology. At the same time, however, technical limitations should never be used to justify breaches of confidentiality or privacy.

34 Solove D, Hoofnagle C. A model regime of privacy protection. Public Law Research Paper No. 132. Washington, DC: George Washington University Law School; 2005; available at:

35 It is also worth noting that some observers have suggested that penalties for abuses should be strengthened in order to act as a deterrent against future abuses.

This essay is a shortened version of a policy paper drafted by Stefaan Verhulst for Connecting for Health, a public–private collaborative supported by the Markle Foundation and the Robert Wood Johnson Foundation as part of The Connecting for Health Common Framework: Resources for Implementing Private and Secure Health Information Exchange, available at

Cambridge Quarterly of Healthcare Ethics
  • ISSN: 0963-1801
  • EISSN: 1469-2147