


This research paper provides a comprehensive jurisprudential analysis of “confidentiality” and “privacy” in medicine. It delves into the significance of medical confidentiality and patient privacy in the doctor-patient relationship, emphasizing the need for trust and mutual respect. The paper examines the evolving concept of privacy, particularly in the context of the landmark K.S. Puttaswamy v. Union of India case, where the Right to Privacy was declared a Fundamental Right under Article 21 of the Indian Constitution.

The study explores the public/private sphere theory, discussing how the separation of state and non-state authority impacts medical privacy and confidentiality. It also examines the theories of Michel Foucault on power and otherization, analyzing their relevance to medical confidentiality and the potential for discrimination.

Furthermore, the paper critically analyzes existing medical privacy and confidentiality laws in India, highlighting their strengths and weaknesses. It identifies gaps in current regulations and the need for more robust enforcement mechanisms.

A cross-jurisdictional analysis compares medical privacy laws in India, the European Union, and the United States. The research emphasizes the need for stricter regulations, clear consent procedures, and improved training for healthcare professionals.

The paper concludes with recommendations for a new Medical Privacy and Confidentiality Bill or amendments to existing data protection laws in India. These recommendations aim to enhance patient privacy, protect marginalized communities, increase accountability, and unify existing laws for better enforcement.

Overall, this research paper seeks to contribute to the ongoing discussion on medical privacy and confidentiality, providing valuable insights for policymakers and healthcare professionals to protect patients’ rights and personal health information.


The terms “privacy” and “confidentiality” carry special meaning in the doctor-patient interaction. This kind of trusting relationship develops when there is a reasonable expectation of mutual trust between the doctor and the patient. “Medical confidentiality” refers to the principle that medical professionals should not share any information learned about a patient during that person’s care.

A patient’s right to privacy in relation to their care is paramount. A person has a right to the privacy and confidentiality of their health records. The patient’s medical history is highly private and should not be shared with anyone other than their doctor, healthcare provider, or insurance provider. Without the patient’s express permission, a healthcare practitioner may not share the patient’s protected health information with any third party. Patients trust their doctors to protect the privacy of their health information, so doctors must keep that information secret to spare patients unnecessary difficulties in their personal or working lives.

Privacy has become a topic of widespread public discussion around the world in the wake of the landmark case K.S. Puttaswamy v. Union of India, in which a nine-judge bench of the Indian Supreme Court declared the Right to Privacy a Fundamental Right in Part III of the Indian Constitution under Article 21, giving it an elevated level of protection and making it the duty of the state to ensure its safety. While it is a fundamental right, it is, like the other Rights in Part III of the Constitution, not absolute. It can be restricted where necessary and in accordance with established law.

Medical privacy and confidentiality are critical principles for safeguarding a patient’s personal health information. Confidentiality refers to the duty of healthcare providers to protect the privacy and security of their patients’ health information. Privacy, in contrast, relates to patients’ right to control how such information is gathered, used, and disclosed.

Privacy and confidentiality in the medical field are essential for three reasons. First, they help build confidence between patients and doctors by protecting the confidentiality of patients’ medical records. Second, patients’ rights and autonomy are better safeguarded when they are afforded privacy about their health information. Lastly, many legal systems insist on confidentiality to protect patients’ personal information.

Confidentiality and privacy are essential in any relationship built on trust between a patient and their doctor; indeed, the trust between a doctor and a patient rests on a foundation of privacy protection and confidentiality. By protecting patients from criticism and interference from third parties, medical confidentiality supports medical autonomy.[1] People need to feel safe discussing sensitive topics like their health, sexuality, and other intimate behaviors. As a result, they will be more likely to seek out resources that help them learn about and weigh their choices before settling on a course of treatment.

Disclosure of private medical information could lead to shame, discrimination, or humiliation. In addition, many things, including jobs, lives, and health insurance, could be at risk if medical information were freely shared.[2]

Unfortunately, the right to privacy has received insufficient attention in India. India has no overarching privacy law, despite the existence of sector-specific laws. People who are already at a disadvantage, such as those living with HIV, children, women, members of sexual minorities, and prisoners, are the ones who most need assurance that their sensitive information is protected.[3]


The separation of state and non-state authority over different facets of existence is based on the legal principle of “public” and “private” spheres. The public sphere refers to the realm of the state and its institutions, where laws and regulations are formulated, enacted, and enforced. In contrast, the private domain is where people, families, and other social groups make their own decisions and pursue their goals without the state’s interference.

The public-private division is a philosophical concept that dates back to ancient Greece, particularly Aristotle’s writings. Aristotle distinguished between the “oikos,” or household, and the “polis,” or public community. According to him, the polis, or political community, was the public realm where citizens participated in politics, and the home was the private sphere where people exercised autonomy and took care of their own business.

The distinction between the public and private realms emerged as the state’s power expanded in medieval Europe. The contemporary state’s emergence in the seventeenth century was a turning point in the history of the public-private dividing line. The state expanded its authority beyond the realm of the public sphere and into the realm of the private, using the force of legislation to control previously uncontrollable behavior. This trend was particularly noticeable in property law, where the government started to regulate the acquisition, use, and disposition of private property.

Multiple schools of law, such as liberalism, legal positivism, and critical legal studies, have contributed to the development of today’s ideas of the public and private realms.

Liberalism places a premium on its subjects’ autonomy and freedom, especially in their personal lives. Liberal theory argues that the only acceptable reasons for state intervention in the private realm are protecting individual rights and preventing harm to others. In the public sphere, on the other hand, the state can regulate and enforce laws because it is responsible for protecting the general welfare.

Legal positivism, by contrast, places greater stress on the law’s function in establishing and maintaining the boundary between the public and private spheres. According to legal positivists, the state has the right to create and enforce laws governing both the public and private spheres because the law is the source of all rights and obligations.


Foucault and his theories have influenced philosophy, sociology, and political science alike. He is well known for his intricate and nuanced views on power.

The Theory of Power by Michel Foucault

Foucault argues that power is not something a person or a group can own; rather, it is enacted through networks and institutions. He argues that power is both a repressive force used to oppress and control people and a productive force that enables people to take the initiative and realize their objectives.

According to Foucault, power is evident in every social relationship, not just those involving the government or the police. Relationships of authority include those between parents and children, teachers and pupils, and bosses and employees.

Foucault goes even further, arguing that authority is at once oppressive and beneficial. Thus, power both limits and enables new behaviors and social formations.

Foucault’s theory of power also incorporates the idea of inside/outside. He argues that power is exercised through the creation of binary categories that identify who belongs to a given group and who does not.

This means that people are segregated and subdivided based on their gender, ethnicity, socioeconomic status, and other identifiers to exert control over them. Inclusion in these categories fosters a feeling of identity and community for those included, while exclusion casts those on the periphery as Other or foreign.


Foucault’s power theory ultimately includes otherization as a critical idea. He argues that power is exercised through the creation of the Other, which demarcates members of one group from those who are not.

This means that certain groups are excluded from society and marginalized by promoting feelings of otherness and distinction. This includes racism, sexism, homophobia, and every other type of discrimination.

There is a school of thought in law known as “inside-outside jurisprudence” that places more weight on the inherent consistency of legal principles than on ideas of how they might play out in the larger social, political, or economic context. It highlights the significance of interpreting legal rules and principles consistently and coherently in accordance with their underlying structure and reasoning.

Inside-out jurisprudence holds that legal concepts and principles have their internal structure and reasoning that must be respected and followed for the sake of the legal system as a whole. This means that the design and logic of legal rules and principles should be followed, even if doing so results in unintended negative societal or policy consequences.

Supporters of an “inside-out” approach to the law contend that it is more stable, predictable, and consistent, and that it protects the judicial process from being swayed by politics or social values. Its detractors argue that it can make the law rigid and less able to adapt to shifting societal norms and priorities.


The Indian healthcare system places a premium on patient privacy and confidentiality. All medical information must be kept confidential to keep the confidence between a patient and their healthcare provider intact. Several statutes and judicial decisions in India regulate patient privacy and confidentiality in the medical field. The constitutional basis for this, however, is the K.S. Puttaswamy judgement, which included the right to medical privacy within the Right to Privacy, itself held to be inherent in Article 21 of the Indian Constitution.[4]

Statutes Governing Medical Privacy and Confidentiality in India

  1. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[5]:

The Ministry of Communications and Information Technology released these regulations to establish parameters for the gathering and archiving of sensitive personal data, such as medical records. According to Rule 5(1), “the sensitive personal data or information shall not be kept for longer than is required for the purposes for which the information may legally be used or is otherwise required under any other law for the time being in force.”

  2. The Right to Information Act, 2005[6]:

According to the terms of this law, citizens have the legal right to view records kept by government agencies. However, information likely to affect an individual’s privacy is exempt from the right to access. The Right to Information Act may therefore limit access to medical records because of the sensitive nature of the material they contain.

  3. The Indian Medical Council (Professional Conduct, Etiquette, and Ethics) Regulations, 2002[7]:

The Indian Medical Council published these regulations to standardize the conduct of its members. As stated in Regulation 7.14, the registered medical practitioner shall not reveal the secrets of a patient learned in the practice of their profession, except in a court of law under orders of the presiding judge.[8]

One of the changes made to the 2002 regulations by the Indian Medical Council (Professional Conduct, Etiquette and Ethics) (Amendment) Regulations, 2013, is a requirement that doctors protect the privacy of their patients’ health records.

  4. The Indian Penal Code, 1860[9]:

The Indian Penal Code, 1860, contains provisions that protect the privacy of patients’ medical records. Defaming someone by attributing an illness or disability to them is an offence under Section 499 of the Indian Penal Code, and the criminal penalties for defamation are set out in Section 500.[10] Disclosure of a rape victim’s name is an offence under IPC[11] Section 228.[12]


Case Law Governing Medical Privacy and Confidentiality in India

  1. K.S. Puttaswamy v. Union of India[13]

The case resulted in the Indian Supreme Court ruling that privacy is a fundamental right protected by the country’s constitution. The court also ruled that patients have a constitutional right to protection of their medical records and anonymity.

  2. Selvi v. State of Karnataka[14]

The Indian Supreme Court ruled that the right to confidentiality in medical care is a fundamental right protected by Article 21 of the Indian Constitution. The court further determined that forced narcoanalysis, polygraph, or brain mapping constitutes an invasion of privacy.

  3. State of Punjab v. Ram Lubhaya Bagga[15]

The Supreme Court of India ruled in this case that doctors must keep their patients’ medical records private and that any disclosure of such documents can result in judicial action against the doctor who disclosed them.

  4. People’s Union for Civil Liberties v. Union of India[16]

The court held that the right to privacy includes the right to medical confidentiality and that patients have a right to keep their medical information confidential.

  5. X v. Hospital Z[17]

The Supreme Court of India ruled that patients’ medical records must remain private and cannot be shared without their permission unless disclosure is required by law or is in the public interest.

  6. State of Punjab v. Ramdev Singh[18]

The Supreme Court of India ruled in this case that physicians must protect their patients’ medical records, even after the patients have passed away.

  7. The Medical Council of India v. Dr. Sushil Kumar Aggarwal[19]

A physician was disciplined by the Medical Council of India (MCI) for revealing a patient’s HIV status without permission. The MCI suspended the doctor’s licence for six months after concluding that he had breached the Indian Medical Council (Professional Conduct, Etiquette, and Ethics) Regulations, 2002.


Examining India’s current medical privacy and confidentiality provisions reveals a failure to treat the two as distinct and independent concerns. The Indian legal system places a premium on privacy protections, yet it glosses over important issues like the “Right to be Forgotten,” under which personal data should be deleted once it has served its purpose. The problem arises when patients change doctors: they lose control of their data, but the former doctor faces no penalty for retaining their records even after they are no longer that doctor’s patients.

The legal framework has also been criticized for not being updated or prepared to deal with the rapid development of new technologies. The laws were written before electronic health records became commonplace, so they do not address the privacy issues that arise from their use.

The rules have also been criticized because they lack clarity and do not provide clear guidelines for safeguarding patient privacy. Sensitive personal data, such as medical records, must be defined in the Personal Data Protection Bill, 2019, which is expected to replace the current Information Technology Act.

In addition, medical privacy and confidentiality laws lack effective enforcement mechanisms and penalties. The penalties for unauthorized disclosure of medical data, such as fines and imprisonment, are not severe enough to deter would-be offenders.

It is also worrisome that many medical professionals are not conscious of the problem or have not received adequate training to address it. The lack of accountability on the part of both the government and healthcare providers contributes to the problem, as does the fact that many healthcare professionals are unaware of the legal requirements for safeguarding patient privacy. Unfortunately, there have been cases of medical data being leaked without anyone being held accountable.


Medical Privacy and Confidentiality Laws in India:

In India, the Constitution protects an individual’s right to privacy as a fundamental right. Indian medical privacy and confidentiality regulations are based on the Information Technology Act, 2000 (IT Act), the Indian Medical Council Regulations, 2002 (IMCR), and the Indian Penal Code, 1860 (IPC). Electronic medical records (EMRs) are subject to the provisions of the IT Act, which regulates their handling, storage, and transmission, and additional sanctions apply to the unauthorized use, alteration, or loss of such records. The IMCR sets standards that medical facilities must meet when storing patient data: patients’ medical data must be kept private unless the patient gives permission or the disclosure is legally mandated, and the IMCR also provides punishments for intentionally or negligently releasing protected health information. The IPC likewise has protections in place for patient information and medical records. Disclosure of the victim’s name in cases of rape, kidnapping, or wrongful confinement is an offence under Section 228 of the IPC, a provision that safeguards the confidentiality of victims.

Medical Privacy and Confidentiality Laws in the EU:

The EU’s central medical privacy and confidentiality law is the General Data Protection Regulation (GDPR), which applies across the European Union to the handling of all personally identifiable information, including medical information.

According to the General Data Protection Regulation (GDPR), healthcare providers need patients’ permission before processing their health data. The law mandates using suitable technical and organizational safeguards to protect the privacy, security, and availability of patient information. Thanks to the General Data Protection Regulation, patients also have the right to view and have their medical records erased.

Medical Privacy and Confidentiality Laws in the USA:

In the United States, medical privacy and confidentiality are primarily governed by the Health Insurance Portability and Accountability Act (HIPAA). The act applies to all medical treatment entities, such as hospitals, clinics, and insurance companies. HIPAA establishes national standards for protecting electronic health records (EHRs) and other forms of individually identifiable health information.

A patient’s signed permission is required before their medical records can be used or disclosed. The act lays out the parameters for when and how doctors and hospitals can exchange patient data, such as during medical emergencies and for treatment purposes. HIPAA also mandates the use of administrative, technical, and physical safeguards to secure patient data.

HIPAA’s rules were strengthened in 2009 with the passage of the HITECH Act. It increased fines for HIPAA violations and made it obligatory to report any security breaches. The HITECH Act also established new regulations for the use of EMRs, and healthcare providers were mandated to adopt security measures to safeguard patients’ electronic medical records.

Comparative Analysis:

The principles of patient anonymity and confidentiality in the medical field are governed in various ways in the EU, the US, and India. The United States and the European Union have extensive federal regulations, while India depends on professional ethics codes and data security laws. The United States Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) offer comprehensive regulations for handling and securing patient information. In contrast, India’s Personal Data Protection Bill is still in the works, so in the meantime, privacy and confidentiality in India are governed by ad hoc professional rules with no uniform or severe consequences.

In addition, the three jurisdictions have notably different regulations concerning the type of consent that must precede the handling of health data. Regarding patient permission, the United States and Europe are stricter than India, where the Code of Ethics Regulations is ambiguous. Patients have the right to be forgotten under the GDPR, a right that differs in the United States and India.



A fundamental tenet of medical privacy is that a patient’s confidential health information should be disclosed only with the patient’s consent or when required by law. This idea is often linked to the broader notion of privacy, which refers to an individual’s right to determine who has access to what data about them.

The public/private sphere principle is connected to this idea, stating that people’s personal lives and activities should be kept confidential from the general public. This tenet of law protects the right to privacy in intimate interactions, at home, and in one’s body.

Following the public/private sphere concept, medical records belong to the private sphere and should not be disclosed to the public without the patient’s permission. The United States Health Insurance Portability and Accountability Act (HIPAA) and similar regulations reflect this concept in their rules for collecting, using, and disclosing patients’ medical records.

Individuals should be afforded some measure of privacy and autonomy over their personal information, including medical records, in accordance with the public/private sphere concept. This principle is fundamental to preserving confidence in the healthcare system and empowering people to make educated choices about their health.

Foucault’s Theories

Medical privacy refers to the protection of personal health details and medical records. It’s a crucial part of medical treatment because it guarantees patients won’t be put off talking about their health problems out of shame or fear of discrimination. Maintaining patient confidence in their healthcare providers and stopping the inappropriate use of personal health information necessitates protecting patients’ right to privacy in their medical records.

Medical professionals have long been in the position of deciding what constitutes “normal” and “abnormal” behavior in society, as suggested by Michel Foucault’s “inside-outside” theory. This power imbalance between doctors and their patients can be dangerous, as doctors are often viewed as more knowledgeable and authoritative than their patients.

Foucault argues that the hierarchical structure of medical facilities contributes to this power dynamic. Generally, hospitals are built with a wall or other obstacle between the “inside” and the “outside,” symbolically isolating patients from the rest of society.

Because of this connection, the more significant problem of inequality in distributing social power and information is intrinsically linked to medical privacy. Foucault argues that this power dynamic is embedded in the very structure of medical organizations. The “inside” of the hospital is often separated physically and symbolically from the “outside” world to provide patients with a sense of privacy and safety.

As such, the issue of medical confidentiality is intrinsically linked to the more significant problem of information and power in society. An individual’s ability to exercise control over who has access to their health records is a form of resistance to the authority of the medical establishment and an expression of bodily sovereignty.

However, as Foucault notes, the medical field contributes significantly to the nation’s health and prosperity. Developing a healthcare system that is both efficient and respectful of individual autonomy requires finding a middle ground between the need for medical knowledge and the right to privacy.

However, when patients are “othered,” their right to confidentiality in healthcare is often breached. Labeling a group of people as “different” or “other” based on their ethnicity, gender, religion, or any other distinguishing feature is known as “otherization.” This has the potential to foster bias, prejudice, and intolerance, and patients become easy prey for discrimination, abuse, and other forms of shaming.

As an illustration, Asian Americans were subjected to harsher forms of prejudice and violence during the 2009 COVID-19 pandemic because they were unfairly accused of the epidemic’s spread. Asian Americans were reluctant to seek medical care or reveal their COVID-19 status for fear of discrimination and stigma. Also, the untouchable caste system was reinstated in India.

Medical confidentiality for marginalized groups may also be compromised by otherization. For example, transgender and non-binary people may experience discrimination and stigma from healthcare providers, leading to a lack of trust and an unwillingness to share personal information.

Therefore, it is crucial to acknowledge the impact of otherization on medical privacy and work towards establishing a welcoming and non-discriminatory healthcare environment. This includes giving patients a place to discuss their health issues without fear of being judged or discriminated against, protecting their privacy, and recognizing and addressing systemic biases.


I propose the following recommendations for a new Medical Privacy and Confidentiality Bill or amendments to the existing Personal Data Protection Bill. They are as follows –

  1. Increase the representation of marginalised communities within the healthcare profession – Healthcare positions need individuals from marginalised communities because they are more likely to empathize with patients and less likely to be prejudiced.
  2. Special protections for weaker sections of society – It is essential to protect people’s right to privacy when it comes to their medical records, so regulations should ensure that no identifying information, such as race or faith, is revealed without consent.
  3. Strict punishments – Maintaining a high standard of privacy and confidentiality requires the presence and use of strict punishments when privacy is breached, and such penalties should be implemented.
  4. Increased accountability of hospitals, both public and private – To motivate hospitals to keep up with better privacy laws and guarantee compliance among medical professionals, the new data protection law needs to provide for increased accountability of both the hospital and the medical professional responsible for a leak.
  5. Mandatory training of medical professionals – The lack of training of medical professionals is a significant cause of breaches of patient data, and mandatory modules on privacy and confidentiality must be added to their training.
  6. Unification of existing laws – A simple understanding is made difficult by the dispersed nature of the existing legislation on medical privacy and transparency. There is a need for a unified direction on privacy, and the only hope currently is the speedy and effective enforcement of the upcoming Data Privacy Bill 2022(2019).


Therefore, it is reasonable to conclude that the United States and Europe have legal structures in place to protect the privacy and confidentiality of patients’ medical records. Aside from some differences in the details, the two legal systems consistently emphasize the patient’s right to privacy and the patient’s right to be left alone when discussing their medical history. Keeping to these guidelines allows medical professionals to retain their patients’ confidence while safeguarding their privacy. In this regard, India could learn from these nations and implement the Personal Data Protection Bill 2022 more quickly and efficiently.

[1] Allen, A. (2011). Privacy and Medicine. In E. N. Zalta (Ed.), The Stanford Encyclopedia of Philosophy (Spring 2011 ed.). Retrieved from http://plato.stanford.edu/archives/spr2011/entries/privacy‐medicine/

[2] Nissenbaum, H. (2004). Privacy as Contextual Integrity. Washington Law Review, 79(1), 101‐139.

[3] Allen, A. (2011). Privacy and Medicine. In E. N. Zalta (Ed.), The Stanford Encyclopedia of Philosophy (Spring 2011 ed.). Retrieved from http://plato.stanford.edu/archives/spr2011/entries/privacy‐medicine/

[4] Supra 2

[5] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[6] Right to Information Act, 2005, No. 22, Acts of Parliament, 2005 (India).

[7] The Indian Medical Council (Professional Conduct, Etiquette, and Ethics) Regulations, 2002.

[8] The Indian Medical Council (Professional Conduct, Etiquette, and Ethics) Regulations, 2002, Reg. 7.14.

[9] Indian Penal Code (Act No. 45 of 1860).

[10] Indian Penal Code § 500 (Act No. 45 of 1860).

[11] Indian Penal Code § 499 (Act No. 45 of 1860).

[12] Indian Penal Code § 228 (Act No. 45 of 1860).

[13] Supra 1

[14] (2010) 7 SCC 263

[15] (1998) 4 SCC 117

[16] (1997) 1 SCC 301

[17] (1998) 8 SCC 296

[18] (2004) 1 SCC 421

[19] (2011) 4 SCC 474