Written by Valerie S. Prater, MBA, RHIA, Clinical Assistant Professor
Biomedical and Health Information Sciences
University of Illinois at Chicago
December 8, 2014
Three important and related concepts are often used interchangeably in discussing protection of health information within the U.S. healthcare system: confidentiality, privacy and security. Yet, each of these concepts has a different fundamental meaning and unique role.
Most frequently “HIPAA” comes to mind when health information privacy is discussed; however, the concept of patient confidentiality has been around for much longer. This article will briefly explore differences in meaning of privacy, security and confidentiality of health information. Selected examples of sources of law and guidelines will be offered with respect to these concepts. Challenges in balancing interests of individuals, healthcare providers and the public will be noted, as will the role of health information management professionals.
Confidentiality in health care refers to the obligation of professionals who have access to patient records or communication to hold that information in confidence. Rooted in confidentiality of the patient-provider relationship that can be traced back to the fourth century BC and the Oath of Hippocrates, this concept is foundational to medical professionals’ guidelines for confidentiality (McWay, 2010, p. 174). This professional obligation to keep health information confidential is supported in professional association codes of ethics, as can be seen in principle I of the American Health Information Management Association Code of Ethics, “Advocate, uphold, and defend the individual’s right to privacy and the doctrine of confidentiality in the use and disclosure of information” (AHIMA, 2011).
Confidentiality is recognized by law as privileged communication between two parties in a professional relationship, such as with a patient and a physician, a nurse or other clinical professional (Brodnik, Rinehart-Thompson, Reynolds, 2012). As patients, we’ve come to expect confidential communication in these relationships. While application in legal proceedings is subject to evidentiary rules and consideration of the public need for information, support of privileged communication can be seen in case law. An example is the landmark Jaffee v. Redmond decision where the U.S. Supreme Court upheld a therapist’s refusal to disclose sensitive client information during trial (Beyer, 2000). In writing the majority opinion, Justice Stevens said:
Effective psychotherapy… depends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure…The psychotherapist privilege serves the public interest by facilitating the provision of appropriate treatment for individuals suffering the effects of a mental or emotional problem (Jaffee v. Redmond, 1996, p. 9).
When considering sensitive health information requiring special layers of confidentiality, such as with mental health treatment, state statutes provide guidance for health information management professionals. In Illinois, for example, the Mental Health and Developmental Disabilities Confidentiality Act offers detailed requirements for access, use and disclosure of confidential patient information including for legal proceedings (MHDDCA, 1997).
Privacy, as distinct from confidentiality, is viewed as the right of the individual client or patient to be let alone and to make decisions about how personal information is shared (Brodnik, 2012). Even though the U.S. Constitution does not specify a “right to privacy”, privacy rights with respect to individual healthcare decisions and health information have been outlined in court decisions, in federal and state statutes, accrediting organization guidelines and professional codes of ethics.
The top-of-mind example is the federal HIPAA Privacy Rule, establishing national standards for health information privacy protection and defining “protected health information” (HHSa, 2003, p. 1). A stated purpose of the HIPAA Privacy Rule “…is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed…” (HHSa, 2003, p. 4).
Established pursuant to the broader Health Insurance Portability and Accountability Act of 1996 (HIPAA), as described by the U.S. Department of Health and Human Services (HHS), the Privacy Rule, “…strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing” (HHSa, 2003, p. 1). Individuals are provided some elements of control, such as the right to access their own health information in most cases and the right to request amendment of inaccurate health information (HHSa, 2003, pp. 12-13). However, in that attempt to strike a balance, the Rule provides numerous exceptions to use and disclosure of protected health information without patient authorization, including for treatment, payment, health organization operations and for certain public health activities (HHSa, 2003, pp. 4-7).
While debate continues as to whether the HIPAA Privacy Rule has substantially strengthened individual privacy rights, it has certainly increased awareness of the topic of health information privacy, of issues surrounding its protection and of the patient’s role in the process. There is no question that health information management professionals’ roles have been impacted by responsibilities for HIPAA Privacy Rule compliance. In reflecting on the Privacy Rule’s tenth anniversary and its more recent amendments pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, Daniel Solove noted:
HIPAA has evolved during the past decade and was greatly fortified by the 2009 HITECH Act and its HIPAA modification regulations released in January 2013. Whatever one might think about HIPAA, it is hard to dispute that it has had a vast impact on patients, the healthcare industry, and many others over the last 10 years—and will continue to shape healthcare and HIM professionals for many more years to come. (Solove, 2013)
Even before the healthcare privacy conversation was dominated by HIPAA, an important Supreme Court decision, Whalen v. Roe, recognized the right to health information privacy (1977). This case considered a state statute requiring that physicians report for entry into a New York Department of Health computerized database information on prescription of certain types of drugs likely to be abused or over-prescribed; information included patient, physician and pharmacy name, and drug dosage (McWay, 2010, p. 176). A group of patients and two physician associations filed suit, saying this violated the protected physician-patient relationship (Whalen v. Roe, 1977). In upholding this law, the Court recognized the individual’s interest in privacy protection while giving greater weight to the state’s right to address an issue of public concern; procedures in place at the Department of Health to protect information privacy were also noted as a factor in the decision (Whalen v. Roe, 1977).
The Supreme Court’s holding in Whalen v. Roe addressed the notion of balanced interest seen in the later HIPAA Privacy Rule. In saying “…disclosures of private medical information to doctors, to hospital personnel, to insurance companies, and to public health agencies are often an essential part of modern medical practice”, the court did not give individuals absolute control over sharing of their own health information (Whalen v. Roe, 1977). Interestingly, the Whalen decision also noted growing concern with collection of private information in electronic format, and the role of regulatory guidelines. As stated by the Justices:
We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks….The right to collect and use such data for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures (Whalen v. Roe, 1977).
Security refers directly to protection, and specifically to the means used to protect the privacy of health information and support professionals in holding that information in confidence. The concept of security has long applied to health records in paper form; locked file cabinets are a simple example. As use of electronic health record systems grew, and transmission of health data to support billing became the norm, the need for regulatory guidelines specific to electronic health information became more apparent. The HIPAA Security Rule provided the first national standards for protection of health information. Addressing technical and administrative safeguards, the HIPAA Security Rule’s stated goal is to protect individually identifiable information in electronic form—a subset of information covered by the Privacy Rule—while allowing healthcare providers appropriate access to information and flexibility in adoption of technology (HHS, 2003b). Again, that notion of balance appears in the law: necessary access by healthcare providers vs. protection of individuals’ health information.
Breaches to confidentiality now face more serious penalties given modifications to both the HIPAA Privacy and Security Rules following publication of final rule provisions of the HITECH Act. In announcing publication of these changes, known collectively as the Omnibus Rule, then HHS Secretary Kathleen Sebelius acknowledged change impacting health care since initial enactment of HIPAA: “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age” (HHS, 2013).
The sources of law and guidelines noted here are only samples of many considerations in health information confidentiality, privacy and security. Managing electronic health information presents unique challenges for regulatory compliance, for ethical considerations and ultimately for quality of care. As electronic health record system “meaningful use” expands, and more data are collected, such as from mobile health devices, that challenge for healthcare organizations expands.
A response to the challenge is information governance, described as the strategic management of enterprise-wide information including policies and procedures related to health information confidentiality, privacy and security; this includes the role of stewardship (Washington, 2010). Health information managers are uniquely qualified to serve as health information stewards, with an appreciation of the various interests in that information, and knowledge of the laws and guidelines speaking to confidentiality, privacy and security. The role of the steward encompasses not only ensuring the accuracy and completeness of the record, but also protecting its privacy and security (Washington, 2010).
All who work with health information (health informatics and health information management professionals, clinicians, researchers, business administrators and others) have a responsibility to respect that information. And as patients, we have privacy rights with regard to our own health information and an expectation that our information be held in confidence and protected. As citizens, our public interest in health information may prevail, such as in situations involving public health or crime. Balancing the various interests in health information and upholding its confidentiality, privacy and security present ongoing and important challenges within the U.S. healthcare and legal systems, and career opportunities for health information management professionals.
AHIMA. (2011). American Health Information Management Association Code of Ethics.
Beyer, Karen. (2000). “First Person: Jaffee v. Redmond Therapist Speaks.” American Psychoanalyst, Volume 34, no. 3. Retrieved from http://jaffee-redmond.org/articles/beyer.htm
Brodnik, M., L. Rinehart-Thompson and R. Reynolds (2012). Fundamentals of Law for Health Informatics and Information Management Professionals. Chicago: AHIMA Press. Chapter 1.
Jaffee v. Redmond. 518 U.S. 1; 116 S. Ct. 1923; 135 L. Ed. 2d 337 (1996). LEXIS 3879. Retrieved from
Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA) (740 ILCS 110). Effective July 1, 1997. Illinois General Assembly. Retrieved from
McWay, Dana. (2010). Legal and Ethical Aspects of Health Information, Third Edition. New York: Cengage Learning. Chapter 9.
Solove, D. (2013). HIPAA Turns 10. Analyzing the Past, Present and Future Impact. Journal of AHIMA 84, no. 4 (April 2013): 22-28.
The American Psychoanalytic Association. (2014). Landmark Cases. Retrieved from
U.S. Department of Health and Human Services (HHSa), Office for Civil Rights. (2003). Summary of the HIPAA Privacy Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
U.S. Department of Health and Human Services (HHSb), Office for Civil Rights. (2003). Summary of the HIPAA Security Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
U.S. Department of Health and Human Services (HHS), Office for Civil Rights. (2013). Omnibus HIPAA Rulemaking, http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
Washington, L. (2010). “From Custodian to Steward: Evolving Roles in the E-HIM Transition.” Journal of AHIMA. (Volume 81, no. 5: 42-43).
Whalen v. Roe. 429 U.S. 589; 97 S. Ct. 869; 51 L. Ed. 2d 64 (1977). LEXIS 42. Retrieved from
Per HHS and FDA Regulations (45 CFR 46.111(a)(7) and 21 CFR 56.111(a)(7)), the IRB shall determine that where appropriate, there are adequate provisions to protect the privacy of subjects and to maintain confidentiality of data in order to approve human subjects research. The committee must consider the sensitivity of the information collected and the protections offered the subjects.
Privacy and confidentiality are also supported by two principles of the Belmont Report:
Respect for persons – Individuals should be treated as autonomous agents able to exercise their autonomy to the fullest extent possible, including the right to privacy and the right to have private information remain confidential.
Beneficence – Maintaining privacy and confidentiality helps to protect participants from potential harms including psychological harm such as embarrassment or distress; social harms such as loss of employment or damage to one's financial standing; and criminal or civil liability.
Especially in social/behavioral research, the primary risk to subjects is often an invasion of privacy or a breach of confidentiality.
What is Privacy?
Privacy is the control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others. For example, persons may not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center clearly identified by signs on the front of the building. The evaluation of privacy also involves consideration of how the researcher accesses information from or about potential participants (e.g., recruitment process). IRB members consider strategies to protect privacy interests relating to contact with potential participants, and access to private information.
- About people
- A sense of being in control of access that others have to ourselves
- A right to be protected
- Is in the eye of the participant, not the researcher or the IRB
What is Confidentiality?
Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure.
During the informed consent process, if applicable, subjects must be informed of the precautions that will be taken to protect the confidentiality of the data and be informed of the parties who will or may have access (e.g., research team, FDA, OHRP). This will allow subjects to decide about the adequacy of the protections and the acceptability of the possible release of private information to the interested parties.
- Is about identifiable data
- Is an extension of privacy
- Is an agreement about maintenance and who has access to identifiable data
- With regard to HIPAA, protects patients from inappropriate disclosures of "Protected Health Information" (PHI)
Privacy is about people. Confidentiality is about data.
What Should Researchers Know?
The IRB must decide on a protocol-by-protocol basis whether there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of the identifiable data at each segment of the research from recruitment to maintenance of the data.
Issues Related to Privacy
With regard to privacy, the following issues should be considered and addressed in the protocol narrative as needed:
- The proposed subject population:
  - What are the cultural norms of the proposed subject population? Some cultures are more private than others.
  - What are the ages of the proposed subject population? There may be age differences in privacy preferences (e.g., teenagers less forthcoming than older adults).
- The proposed recruitment methods: How are potential participants identified and contacted?
  - Advertisements, notices, and/or media
  - Send introduction letter to colleagues to distribute to eligible individuals – interested individuals contact researcher
  - Primary care staff contact those patients that qualify to determine interest
  - Search through medical records for qualified subjects or existing database (e.g., registry); then have a researcher with no previous contact with potential subject recruit; this method violates the individuals' privacy
  - Recruit subjects immediately prior to sensitive or invasive procedure (e.g., in pre-op room)
  - Retain sensitive information obtained at screening without the consent of those who either failed to qualify or refused to participate for possible future studies participation
- Sensitivity of the information being collected – the greater the sensitivity, the greater the need for privacy
- Method of data collection (focus group, individual interview, covert observation)
  - Will subjects feel comfortable providing the information in this manner?
  - If passively observing the subject, could the individual have an expectation of privacy (e.g., chat room for breast cancer patients)?
- Will the researcher collect information about a third-party individual that is considered private (e.g., mental illness, substance abuse in family)? If yes, informed consent should be obtained from the third party.
- Privacy is in the eye of the participant, not the researcher or the IRB
Protocols should be designed to minimize the need to collect and maintain identifiable information about research subjects. If possible, data should be collected anonymously, or the identifiers should be removed and destroyed as soon as possible. Access to research data should be based on a "need to know" and "minimum necessary" standard.
When it is necessary to collect and maintain identifiable data, the IRB will ensure that the protocol includes the necessary safeguards to maintain confidentiality of identifiable data and data security appropriate to the degree of risk from disclosure.
In deciding when it is appropriate to require provisions to maintain confidentiality of data, the following issues should be considered:
- Will confidentiality of identifiable data be offered?
- Are there legal/ethical requirements (e.g., HIPAA)?
- Will release of data cause risk of harm?
If yes to the above, measures to maintain confidentiality should be incorporated into the protocol. For more information on whether your activity may involve HIPAA, please see Protected Health Information (HIPAA). Please see Data Security for examples of different ways to help maintain confidentiality.