Health Law and Ethics
October 20, 1999

Legal Issues Concerning Electronic Health Information: Privacy, Quality, and Liability

Author Affiliation: Georgetown University Law Center, Washington, DC (Messrs Hodge and Gostin) and the University of Michigan School of Public Health, Ann Arbor (Mr Jacobson).


Health Law and Ethics Section Editors: Lawrence O. Gostin, JD, the Georgetown/Johns Hopkins University Program in Law and Public Health, Washington, DC, and Baltimore, Md; Helene M. Cole, MD, Contributing Editor, JAMA.

JAMA. 1999;282(15):1466-1471. doi:10.1001/jama.282.15.1466

Personally identifiable health information about individuals and general medical information is increasingly available in electronic form in health databases and through online networks. The proliferation of electronic data within the modern health information infrastructure presents significant benefits for medical providers and patients, including enhanced patient autonomy, improved clinical treatment, advances in health research and public health surveillance, and modern security techniques. However, it also presents new legal challenges in 3 interconnected areas: privacy of identifiable health information, reliability and quality of health data, and tort-based liability. Protecting health information privacy (by giving individuals control over health data without severely restricting warranted communal uses) directly improves the quality and reliability of health data (by encouraging individual uses of health services and communal uses of data), which diminishes tort-based liabilities (by reducing instances of medical malpractice or privacy invasions through improvements in the delivery of health care services resulting in part from better quality and reliability of clinical and research data). Following an analysis of the interconnectivity of these 3 areas and a discussion of existing and proposed health information privacy laws, recommendations for legal reform concerning health information privacy are presented. These include (1) recognizing identifiable health information as highly sensitive, (2) providing privacy safeguards based on fair information practices, (3) empowering patients with information and rights to consent to disclosure, (4) limiting disclosures of health data absent consent, (5) incorporating industry-wide security protections, (6) establishing a national data protection authority, and (7) providing a national minimal level of privacy protections.