Intended for healthcare professionals


Maintaining privacy and the health of the public

BMJ 1998; 316 doi: (Published 02 May 1998) Cite this as: BMJ 1998;316:1331

Should not be seen as in opposition

  1. Jan P Vandenbroucke, Professor of clinical epidemiology
  1. Leiden University Medical School, Leiden 9600 RC, Netherlands

    By a twist of irony one of America's foremost resources of clinical and epidemiological research has been struck by a growing concern about patient privacy.1 Since the early 1900s the Mayo Clinic Foundation at Rochester, Minnesota, has maintained a medical record system that amounts to a population registry on health and disease.2 Hundreds of clinical, biochemical, and epidemiological research papers have used old records and added new analyses or follow up data. Recent legislation in the state of Minnesota has made such use next to illegal. Minnesota is not the only place where privacy legislation is jeopardising the use of patient data for research. It is time to reassess the terms of the privacy debate.

    In response to the Minnesota law the New England Journal of Medicine has devoted no fewer than four pages to a cry from the heart from Rochester.1 The Mayo Clinic Foundation is setting up a heroic effort to obtain “broad informed consent” from all patients for future use of their data. Predictably, this will fall short of the requirements of those who demand specific informed consent for each piece of research—even retrospectively.3 The mere possibility of litigation recently prevented the description of an epidemic of drug resistant tuberculosis by the Centers for Disease Control.4

    How is the European situation evolving? Several years ago strongly worded editorials warned against a forthcoming European Community directive that, if applied literally, would have banned observational clinical and epidemiological research using old data from the old world.5-7 Through a great lobbying effort by leading clinicians and epidemiologists the greatest danger was averted. The directive now has a clause permitting each member state to make exceptions for (public) health research. Is that progress? In the country I know best, the Netherlands, it seems not.

    A document from the Dutch Health Council stipulates that informed consent is necessary even for completely anonymised record linkage. Strict laws regulating the privacy of patient-doctor encounters have been passed. A health inspector responsible for monitoring adverse drug reactions voiced his concern that to protect the public he might have to break the law. Within Dutch hospitals, administrators have questioned whether giving names of patients to health authorities responsible for tuberculosis contact tracing (when patients have been in the same room as a patient with tuberculosis) is still permitted under the new privacy laws. The same laws encourage doctors to destroy records older than 10-15 years—even if the diagnosis was vital, such as cancer—thereby making long term follow up impossible. Restrictive laws on the secondary use of body material are being prepared.

    Despite newspaper publicity and questions in parliament, the issue seemed to have withered away, and the attempts of the Dutch Epidemiological Society to discuss the very real benefits from using old data were ignored by ministerial departments. Privacy issues have strong political attraction: right and left meet in a common distrust of big government and corporate medicine, and to promote autonomy. Quite recently, however, the Dutch Health Council chaired a (closed) meeting to assess the situation: it became clear that to steer and improve health care, authorities need linked information about healthcare processes—that is, about patients. Opinion remained divided whether some of the recent laws should be revised or whether the exceptions might be interpreted more liberally—for example, in cases where it is physically impossible to seek informed consent, where patients may be harmed by being told about a quite hypothetical hazard, or through the use of intermediate parties to anonymise the data but allow information to be traced back if necessary.

    Medical journals are sensitive to the same fashionable pressures as politicians. Some (including the BMJ) have taken extreme views on informed consent in the rare case of publication of material that might identify a patient. In a recent debate in JAMA the public health community convincingly argued that overly restrictive positions might prevent important health information being disclosed any more: a consensus seems to be emerging that some balance needs to be restored.4-9

    Pharmacoepidemiologists have been concerned with this issue for years. They study the effects and side effects of drugs by coupling existing data on treatments with records of disease. In a recent paper the International Society for Pharmaco-Epidemiology reiterated several often forgotten points. 10 11 Firstly, pharmacoepidemiological reports almost never identify individual patients: typically, they report rates and proportions in groups. Secondly, high quality research requires that the responsible researchers can go back to individual records: existing safeguards for discouraging the spread of information about individual patients by these researchers or their staff have sufficed. Finally, for completely anonymised record linkage no informed consent should be necessary.

    A basic difficulty is that all parties too readily adopt an adversarial model which puts individual rights in opposition to public protection. The classic example is infectious disease, where freedom of movement for an individual can be curtailed for the greater good. Is the same opposition also true for the use of past records and material? The typical reaction of the lawyer or administrator who argues against the misuse of stored information, and therefore emphasises the need for privacy, is that “everyone agrees with the principle, and then asks for exceptions for themselves.”

    Perhaps we should stop the exceptions game. An important clarification came from the US Health and Human Services Secretary, Donna Shalala, who said: “We will recommend that a hospital be able to use personal health information to teach, train, conduct research, provide care, and ensure quality. But, on the other hand, employers who get health information to pay claims cannot use it for any non-health purposes, like hiring, firing, and promotions.”12 This makes the right distinction. Medicine evolves thanks to continuous learning from past mistakes and successes. The use of stored medical records, images, or body material should not be a matter of exceptions but should be seen as a monitoring task that is as necessary as individual patient care: neither can exist without the other. Given proper safeguards to protect the real interests of patients, society should understand that learning from the past is a task that has to be promoted positively, rather than a doubtful activity that has to jump ropes between litigation and legalistic loopholes.


    1. 1.
    2. 2.
    3. 3.
    4. 4.
    5. 5.
    6. 6.
    7. 7.
    8. 8.
    9. 9.
    10. 10.
    11. 11.
    12. 12.