Privacy in the medical context is complex, not least because it requires operationalization of a concept that has variously been referred to as vague and indefinable (Thomson 1975), but also and primarily because it depends on the creation and maintenance of a sphere in which privacy and other norms function to achieve particular objectives relating to the effective delivery of healthcare. That is, medical approaches to privacy adopt a somewhat instrumental view to the role of privacy in the provision of healthcare. Even where a clear deontological imperative to respect persons is evident, for example, in the use of drapes and sheets to cover the body during sensitive examinations, the instrumental goal of treating patients in such a way that they will not feel humiliated and forgo necessary medical exams, operates in the background to motivate preservation of a private sphere. This is equally true of sensitive patient data such as a potentially stigmatizing diagnosis. The objective of the medical domain is to provide health-enhancing interventions at both the individual and population level (clinical care and public health, respectively). Privacy is essential to achieving this objective. As the examples of bodily and data privacy illustrate, the nature of privacy in the medical domain is multifaceted and consists not of a single type of privacy nor does it rest on a single legal basis. Rather, privacy in the medical setting is much like a protective encasement where the adage ‘what happens here, stays here’, has long been the prevailing norm.

I find it useful to think of medical privacy as a construct formed by intersecting strands of normative frameworks that create a conceptual sphere of privacy that is designed to protect a spectrum of privacy interests in the medical context. These privacy norms are derived from multiple sources. For example, the Article 8 of the EU Charter of Fundamental Rights recognizes a right to data protection, and Article 8 of ECHR, recognizes a right to respect for private life, which supports multiple dimensions of medical privacy. Article 9 of the General Data Protection Regulation (GDPR) provides for the protection of personal data and specifically classifies health data as sensitive data that merits heightened protection. Yet, the basis for privacy in the medical context extends beyond mere protection of health data.