Protecting Privacy in Health Research: The Limits of Individual Choice

Privacy and Security

Article Snapshot


Fred H. Cate


California Law Review, Vol. 98, No. 6, pp. 1765-1804, 2010


This article analyzes the usefulness of relying on consent to regulate privacy in relation to health research.

Policy Relevance

Currently, privacy policy reform continues to focus on consent as an important aspect of protecting users from unwanted invasions of their privacy. However, in the arena of health care research, it appears that strict consent requirements may do more harm than good to both researches and users.

Main Points

  • As technology continues to progress and demand the use and storage of more and more personal information, privacy also becomes a more pressing issue to be dealt with. Since the mid 1960’s, the primary way of dealing with privacy concerns has been to place consent requirements on the collection and use of private information.
  • Consent allows for the individual user or consumer to theoretically control when their data is collected and how that data can be used. The concept of consensual data collection has led to the privacy policies that are now almost ubiquitous on websites and other forms of privacy contracts and notice.
  • However, while the concept of consent gives users the illusion of control over their private information, this may not comport to the reality. Studies indicate that users do not read privacy statements, and that the growing numbers of privacy policies users are confronted with have made them numb to these consent-based contracts.
  • In order to test the limits of consent in regulating privacy, the use of personal information for health research was studied. Health care privacy issues allow for the study of an area of privacy regulation that is both important to the user, whose files contain sensitive information about their medical history, and important to the data user, who is conducting important medical research.
  • Studies released in 2007 by the Committee on Health Research and Privacy of Health Information found two major problems with current health care privacy regulations.
    • First, the committee determined that current privacy rules do not sufficiently protect patient privacy.
    • Second, it was found that the privacy rules currently implemented impeded important health research by requiring either consent, which is often difficult to obtain, or by requiring removal of all identifying information, rendering the information far less useful.
  • Several options exist for limiting or removing personal choice from privacy issues while still protecting individual privacy concerns. Among these options are supplying health care information to licensed or registered research facilities without individual consent, while still requiring consent in other arenas; and creating central data depositories where large amounts of private information could be gathered and disseminated as necessary.
  • While the solution to growing privacy concerns remains unclear, it is becoming evident that simply codifying additional consent requirements is insufficient. Doing so only numbs users to the use of such contracts while transitioning the burden of protecting privacy from the organizations who want to use private information to the users themselves.


Get The Article

Find the full article online

Search for Full Article