
(2) Privacy of Personal Data

Many schemes require the provision of personal data to assist in the administration of the scheme. Some are operated in close conjunction with other data-rich systems such as personnel or welfare administration. This consolidation of data enhances the opportunity for the organization to exercise control over the population for whom it holds biometrics.30

(3) Privacy of Personal Behavior

The monitoring of people's movements and actions through the use of biometrics increases the transparency of individuals' behavior to organizations. Those organizations are in a better position to anticipate actions that they would prefer to prevent and to communicate warnings to the predicted perpetrators. Furthermore, an organization that performs biometrics-aided monitoring is in a position to share personal data with other organizations, such as contracted suppliers and customers, 'business partners', and corporations and government agencies with which it 'enjoys a strategic relationship'.28

The Forensic Use of DNA Profiling: Privacy Issues


DNA profiling has been described as a powerful breakthrough in forensic science. However, the scientific validity of its application by individual laboratories has been questioned. The implementation of DNA profiling also raises issues of privacy. The forensic use of DNA profiling is a major contribution to the debate on law reform.

Two major privacy issues arise in the implementation of any sort of DNA profiling and databank.31 The first is obtaining personal samples from individuals, and the second is the potential abuse of stored information.31 Part of the concern may be based on the flawed impression that DNA profiles contain the individual’s entire genotypic data, including disease states and other genetic information that could potentially be used against someone if the information were abused. In reality, within our present scientific awareness, these areas are not diagnostic for either disease states or other genetic conditions.

However, this is only true if the DNA of the individual is not retained, and only if their profile is kept in a computerized form. The question of “what exactly should be stored” has had many conflicting responses from the scientific and forensic population. The American Society of Human Genetics believes that actual samples should be retained as long as the uses of the initial material are initially defined, and as long as adequate rules of access and disclosure are implemented.32

The New York State Forensic DNA Panel disagrees with retaining DNA samples.33 Although they strongly recommend the use of a database to improve the ability to identify suspects, they believe that the technique should match the DNA taken from an evidentiary sample with suspects' DNA coded information stored in a database computer. This information would not be the print but only the data obtained from coding that print along with relevant demographic information. The panel also recommends that the DNA sample not be saved and that, if a conviction is reversed, the computer's software copy as well as the hard copy of that individual's profile should be destroyed.

There is no doubt that a DNA databank could potentially violate someone’s civil liberties if (a) it contained sensitive and genetically revealing information, and (b) confidentiality were abused. However, steps can be taken legislatively and in the design of the database to reduce the possibility of any abuse or disclosure of information. Although keeping only coded profiles could eliminate privacy concerns, limitations would be placed on further analysis or the ability to create new profiles from the existing samples based on a change in the technology.






Figure 2. Shows the feedback between databases and other variables.31















Figure 2 shows the reciprocal relationship between national databases of profiles and population frequencies, quality assurance programs, and standardization of all aspects of the technique. The latter would enable the development of regulations and norms that are a prerequisite for both programs of quality control and accreditation and databases. Concurrently, quality assurances enhance the validity and reliability of the databases while they in turn increase the acceptability and value of the DNA forensic evidence.31

Protecting Data Privacy in Health Services Research

A. Health Services Research


Health services research (HSR) is the study of the effects of different modes of organization, delivery, and financing of health care interventions in real-world settings, as contrasted with studies of the efficacy of interventions under controlled settings such as a clinical trial.34

HSR raises particular issues regarding the protection of human subjects that differ from the problems of clinical research, just as the methods of HSR differ from the methods of clinical research. First, many HSR projects involve minimal risk of harm to subjects, so they may qualify for a waiver of informed consent, and individual informed consent is often impractical or impossible in HSR projects.35 For example, an HSR project may carry out secondary analyses of data previously collected in the delivery of patient care or the payment for such care.

If the subjects whom the project will involve are enrollees in the federal Medicare program, the number of subjects may be as many as several million individuals. Additionally, many HSR projects use data that are already public and de-identified (de-identify refers to health information where some attempt has been made to provide confidentiality protections by making it difficult to link a record to a specific individual), so they may qualify for exemption from IRB review or for expedited review.35 Finally, many private organizations do HSR--or programs such as quality improvement that use similar data and methods--not covered by the federal regulations. These organizations may not have IRBs.

The committee heard one account describing the situation as a continuum, with HSR at one end of the scale and operations at the other end (see Figure 2-3).

Intermountain Health Care's approach to operations: research spectrum.



Source: from a slide presented by Dr. Brent James at the Workshop on Institutional Review Boards and Health Services Research Data Privacy.



Some HSR projects are clear examples of research: applying scientific methods to test hypotheses and produce new, generalizable knowledge. Other projects are certainly clear examples of internal exercises to assess the quality of the operations of the specific organization with no intention of producing generalizable knowledge. At the same time, quality assessment and quality improvement (QA and QI) exercises sometimes reveal interesting and important data that the organization recognizes to be of general interest, and that therefore ought to be published. In addition, both scientific research in health services and investigations into the internal operation of a health services organization use many of the same methods (e.g., chart review, database analysis and linkage).

Many projects may start out as operations assessment and then become more like research, and many research projects involve doing very much what would be done in an internal operations assessment. This continuum is one of the interesting, if problematic, features of HSR. The committee proceeded with a view to the clearer cases of research in health services, always aware of the less clear cases and closely related operations assessment exercises.

From the point of view of the patient or subject--the person whose personally identifiable health information may be reviewed or used--the continuum appears more like a widening circle of disclosure. At the center is the individual and health information not yet shared with anyone; then, according to Etzioni's description, is the inner circle of those with whom the individual shares information because they will use the information directly in the care of that individual.36 Next is the intermediate circle of payers, and finally the widest circle of everyone else who may have an interest in the individual's health information (but with whom the individual may or may not have an interest in sharing the information [Figure 1-1]) (Etzioni 1999).

Circles of disclosure.





B. Privacy And Research

Federal policies on the protection of human subjects in all types of research rest on IRB (Institutional Review Board) review of the research proposals and protocols, and on obtaining the informed consent of subjects. Both apply somewhat differently in HSR than in clinical research, which increases the scope and complexity of research oversight in general.37 IRB review is complicated because HSR studies often have characteristics that cause studies not to require full IRB review and discussion. On the other hand, such independent review of these studies may help ensure that confidentiality is adequately protected.

"Exemption" is a formal term in the regulations applied to studies that have such minimal impact on the subjects that no further oversight by an IRB is needed. For situations of somewhat more, but still small, impact, the proposal might receive expedited review from just one or a few members rather than the entire review board. In general, an IRB representative makes the determination of whether a project might be eligible for exemption or expedited review. Informed consent is complicated because many HSR projects involving analysis of personal health data collected previously for another purpose are eligible for waiver of informed consent. Indeed, obtaining informed consent is not feasible for many HSR projects.38

The methods of HSR are varied and may include not only secondary analysis of previously collected data, but also primary data collection through surveys and interviews. The focus here is on the secondary analysis of data, including personal health information, that have already been collected for some other purpose, because this type of analysis raises the most challenging ethical issues.

In research where investigators collect primary data through surveys and interviews, the subject knows that research is being conducted, can find out more about the research, and has an opportunity to decline to participate. In contrast, in secondary analyses of the type described, individuals may not know that they are subjects of research and may not have the opportunity to decline to participate. The researchers also may be unable to identify subjects individually and, therefore, unable to contact them for consent. Some people may, however, object if researchers have access to their health information without their knowledge or consent.

The committee recognized that important privacy and confidentiality concerns also arise in other forms of research using previously collected data (e.g., research using archival tissue specimens) and in many types of research in which new data are collected. Each of these areas merits careful study and the dissemination and adoption of best practices for protecting confidentiality. The committee affirms that all personally identifiable health information, no matter how it was collected or for what purpose, should be treated so as to respect privacy and maintain confidentiality.38

C. Privacy and Confidentiality

Justice Louis Brandeis referred to privacy as "the right to be left alone" (Olmstead v. U.S., 1928).39 Health Services Research’s definition of privacy can be understood as a person's ability to restrict access to information about him or herself. Privacy is valued because respecting privacy in turn respects the autonomy of persons, protects against surveillance or intrusion, and allows individuals to control the dissemination and use of information about themselves. Privacy fosters and enhances a sense of self and also promotes the development of character traits and close relationships (IOM, 1994).40 The federal regulations governing human research (45 CFR 46.102 (f)) discuss privacy in the following terms: Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.40

The regulations therefore characterize privacy in terms of the expectations of the persons whose personally identifiable health information is being discussed and stipulate that the information must be specifically associated with the individual in order for the individual to have a legitimate interest in protecting it. Individuals may, however, be harmed or wronged by information associated with them probabilistically as well as specifically identifiable information.

Confidentiality refers to controlling access to the information that an individual has already disclosed, for example, a patient to a treating physician or to an insurance company paying for care. Confidentiality is a major expression of respect for persons, the person who has trusted the health care provider with private information in the belief that the information will be guarded appropriately and used only for that person's benefit. Maintaining confidentiality is important also because it encourages patients to seek needed care and to discuss sensitive topics candidly with their physicians. If patients do not believe they can trust their health care providers to maintain confidentiality, they may withhold information to the detriment of the best medical judgment and care they might receive.

Confidentiality is violated if the person or institution to which information is disclosed fails to protect it adequately or discloses it inappropriately without the patient's consent. The dilemma about HSR is that personally identifiable health information that is disclosed or collected for one purpose (clinical care, billing, etc.) is then used without consent for a different purpose (improving the state of knowledge to benefit future and current patients).

Confidentiality is also important to the continued success and vitality of the HSR effort. Just as in the case of medical treatment, research subjects may withhold information if they do not have confidence that what they disclose will be protected. Further, it is crucial to the HSR effort that researchers design studies so that the risk of harm to subjects is minimal, in order to allow the protocol to qualify for a waiver of the informed consent requirement. HSR projects often apply methods to large databases of previously collected information where individual informed consent would be impracticable or impossible. The effect of losing the population's trust in confidentiality may have serious repercussions both for the effective quality of medical care and for the quality of medical records research.

D. Risks Of Harm From Health Services Research

The risks of HSR are primarily violations of privacy and confidentiality, not physical risks. HSR thus differs from clinical research in which patients are at risk for physical harms because they undergo invasive medical procedures or receive unproven new therapies. Potential risks of violations of privacy or breaches of confidentiality are by no means limited to research, but can occur anytime personally identifiable health information has been collected. Potential risks include the following:

a. Risk of public (or private) disclosure of protected health secrets, which can lead to stigmatization or discrimination in employment or insurance, and/or shame: this is the fundamental issue and, for most people, probably the most serious.

b. Risk of disruption of, or interference in, patterns within families, which may result from unexpected and unauthorized communication of secrets within the family.

c. Risk that individuals may recognize (correctly or not) their own health history or anecdotes in results and interpretations of a study or may suffer anxiety simply from knowing that personal data may be in a database, without knowing whether adequate privacy protections are in place: this subjects the person to the perception of the first risk, even if it is not actually present.

d. Risk of future contact. Privacy is "the right to be left alone." Some HSR studies permit the collection of follow-up investigations that include contacting the individual whose data are studied. In this case, a stranger to the person or (perhaps less alarming but still disruptive) a care provider from long ago can suddenly intrude upon the subject's right to be left alone.

e. Risk of loss of trust in the health care system and/or scientific research, and thus loss of willingness to participate in future studies or perhaps even to seek needed health care.

These psychosocial harms can be avoided or mitigated if the research data are coded or encrypted in such a way that individual subjects cannot be identified. In addition, strong antidiscrimination laws can prevent some harm. However, subjects may be wronged by violations of privacy and confidentiality, even if they suffer no tangible harm. That is, even if persons do not suffer employment difficulties or can be compensated by law if they do, this does not change the fact that the subjects did not receive the respect due them as persons. The federal regulations on research on human subjects explicitly require IRBs to consider wrongs as well as harms in assessing the benefits and risks of research.

The great majority of occasions for breach of confidentiality occur in daily operations.41 Some instances of breaches of confidentiality are unintentional, for example, leaving a record that includes a patient's name out in the view of a visitor or discussing a patient by name in the hearing of other parties in an elevator or cafeteria.42 Also, some breaches are not accidental, but are oversights. The committee heard of one incident in which the names of employees tested for HIV were displayed with the test results on a slide at a presentation, for example. The aim of the presentation was simply to describe a database of in-house health records. Some of the employees whose records were listed in the section displayed were actually attending the meeting. In this case the breach of confidentiality could have been avoided through more attention or training on the part of the research team and by the use of coded identifiers rather than direct identifiers such as names.

As our health care system becomes more complex, information flow is likewise increasingly complicated and the potential occasions for either a breach, or perception of a breach, of confidentiality are correspondingly multiplied. For example, a database-marketing firm received patient prescription records from two large pharmacies in the Washington, D.C. metro area.43 The firm then created mailings targeted to consumers of certain prescription drug products on behalf of the pharmacies (using the letterhead of the pharmacies), informing them of new products with similar indications. The manufacturers of the new products sponsored the project, though the manufacturers did not have access to patient data. Many of the recipients were disturbed at receiving the letters, since the action seemed to straddle or even cross the line between standard prescription medication compliance letters that are often sent by pharmacies to patients and product marketing.40

There are several important points to keep in mind about the risk of breaches in confidentiality: the risk is neither new nor research specific, and some level of risk is inevitable. First, the improper identification and disclosure of health information about individuals is not a unique risk from HSR, nor is it a new result from a widespread adoption of computer-based patient records, governmental or health care industry databases or the internet. Most instances occur outside of research. Breaches also occur with paper records. With the development of computing and communications technology, both intentional and unintentional identification and disclosure of electronic personally identifiable health information potentially involve more types of information and more individuals than were possible with paper records. At the most basic level, confidentiality always depends on conscious efforts by human agents to treat other human beings with respect and restraint, whether the activity is research or not, and whatever the state of the technology.

The protection of confidentiality is impossible to guarantee--some level of risk is inevitable. It is possible to make breaches less likely and to increase the probability that confidentiality will be maintained, but the protection of confidentiality is a matter of shifting the probabilities; it cannot be an absolute.44 The question really is what measures can be taken to enhance confidentiality protection, and thus retain public trust in HSR, and still allow research to proceed. Since it is not possible to guarantee the confidentiality of records in general, it is also not possible to guarantee absolute confidentiality in HSR. The measures we can take to increase the protection of privacy and confidentiality are varied, some simple and some complex, and the range of measures will change as computational and communications technologies develop.

Even with appropriate safeguards for confidentiality, it is acceptable to consider a great deal of HSR as minimal risk and appropriate to carry out without requesting consent for each reanalysis of data.


Health Privacy For Protecting Victims of Domestic Violence
A. The Risk of Disclosure

Many disclosures of personal health information are necessary for the effective delivery of and payment for health care. But who has access to this information? When should patients be able to limit the disclosure of their health information, even to providers and insurers? As sensitive health information changes hands, consumers may lose control over who has access, when, and for what purposes.

Alarmingly, there is no comprehensive federal law that protects the privacy of medical records. Instead, a loose collection of ethical guidelines, licensing requirements and state laws dictates who gets access under what conditions. For people with sensitive or stigmatizing conditions, this often-uneven protection can result in discrimination, unwelcome exposure, or threats to physical safety. A comprehensive federal law can provide a much-needed baseline of protections. Providers, advocates, administrators, and state policy makers also need to implement privacy safeguards that go beyond the federal standard in order to respond to the specific needs of their practices, communities, institutions, and states.

Recent national surveys document that rising fears about the lack of privacy protections for health information are leading people to withdraw from full participation in the health care system. One out of every six people engages in some form of privacy-protective behavior to shield themselves from unwanted disclosures: people withhold information from or lie to their providers, pay out-of-pocket or avoid submitting a claim, doctor-hop in an attempt to keep their records separate, and, in the most serious cases, avoid care altogether.45

For victims of domestic violence, the need for privacy is particularly acute. While battered women share concerns with other health care consumers around discrimination and privacy issues, real safety concerns make the disclosure of health information a significant risk. Information in the wrong hands can be used to further victimize a woman and may make her less likely to access health care services in the future. Although all consumers have some concern about the disclosure of their health information, victims of domestic violence have some specific privacy concerns.


B. Spousal Access

If an abusive spouse discovers that his victim has disclosed violence to a provider, it can pose serious safety threats to her. Not understanding the consequences of such disclosure, many institutions may directly or indirectly provide sensitive medical and health information to immediate family members. For example, the perpetrator may access documentation of domestic violence in a child's medical record if he is a parent or legal guardian.46 Records may also include current contact information (such as a phone and address), which may be obtained by a spouse whose partner has fled. In addition, bills or explanations of benefits may be mailed to a shared home, alerting a perpetrator to care received for domestic violence injuries.


C. Law Enforcement


Law enforcement officials may obtain health information in three circumstances. First, many states require health care providers to report instances of domestic abuse to law enforcement or other government bodies. States have different rules regarding mandatory reporting and there is a great deal of disagreement about how effective these laws are in promoting patient safety and documenting abuse.

Several studies, including a 1998 report by The National Research Council and the Institute of Medicine,47 have questioned whether mandatory reporting requirements limit the ability to care appropriately for victims by reducing patient willingness to disclose violence or by decreasing safety through unnecessary or inappropriate intervention. Many laws do not allow patients to object and may not require providers to inform patients of these reporting practices prior to screening for abuse. As such, victims may not be able to plan for their safety before a report is made.

Second, law enforcement officials regularly audit and investigate health care providers and insurers. In these fraud and abuse investigations, law enforcement officials obtain patient information -- including claims information and medical records.48 Most often, individual patients are never aware that their information has been obtained by law enforcement. Here, the danger is that information obtained for the fraud and abuse investigation against a provider may instead be used against the patient.

Third, law enforcement officials may obtain health information in criminal investigations against an individual. Some states require law enforcement to present a warrant or court order before they can obtain medical records. Other states allow much more liberal access.48 Patients may or may not be informed about the disclosure to law enforcement.

Privacy Principles For Maximizing And Maintaining Quality Health Care For Domestic Violence Victims


A victim of domestic violence, concerned for her safety, may be discouraged from seeking health care services because she fears that her health information will not remain confidential. Health care practice and policy, in many areas, has not implemented privacy protections that adequately address the health care, safety, and discrimination concerns of domestic violence victims. Given the consequences of inappropriate disclosures, it is crucial that everyone interested in improving the safety and health status of battered women get involved to ensure adequate privacy protections at every level, from institutional policies to federal laws.

The following guiding principle is designed to improve and build upon existing confidentiality safeguards to ensure that domestic violence victims are not placed at an increased risk of retaliatory violence, discrimination, harassment, denial of insurance benefits, and other harm. Advocates, providers, administrators, oversight agencies, and policy makers can use these principles to improve health care delivery through health care practice, institution, and system reforms, as well as Federal and State legislation.

A. Guiding Principle: All policy, protocol, and practice surrounding the use and disclosure of health information regarding victims of domestic violence should respect patient autonomy and confidentiality and serve to improve the safety and health status of victims of domestic violence.49


Adopting and implementing effective legislative, institutional, clinical practice guidelines, and protocols at every level of the health care system is a necessary step to adequately address the privacy concerns of domestic violence victims. Federal legislation is crucial to establish comprehensive baseline protections for the use and disclosure of sensitive health information. State and local statutes are also necessary to respond to the specific needs of different communities.

Even when federal and state protections are in place, legislation alone cannot ensure that a victim's privacy is protected. Advocates, policy makers, providers, and health care administrators must work together to develop policies and protocols for different health care entities. Community clinics, for example, handle health information very differently from large HMOs, so internal privacy policies need to be tailored accordingly. Likewise, technological capacity will also differ between health care facilities. While numeric or alpha coding (a code assigned to a sensitive medical record that de-links a patient's name from sensitive information) may be a practical solution in a large computer-based hospital, it may not work in a very small rural clinic. Regardless, policies and protocols should respect a victim's autonomy to make health care decisions that increase her safety and health status. Policies and protocols that have adequate privacy protections will encourage victims to discuss domestic violence with their health care providers.

While the health care system clearly offers a unique and critical opportunity for responding to domestic violence, the widespread use and disclosure of health information can put victims at risk. Efforts to improve the health care system's response to victims of domestic violence need to address the unique safety and privacy needs of victims of domestic violence. Advocates, state and federal policy makers, administrators, providers, and survivors must work together to protect patient privacy while still promoting domestic violence identification, documentation and response.


The protection of personally identifiable health information is critical to ensuring public trust and confidence in the emerging health information infrastructure. Health care reform cannot move forward without assuring the public that the highly sensitive personal information contained in their medical records will be protected from abuse and misuse. People are highly suspicious of large-scale computerization and believe that their health records are in dire need of privacy protection. If people are expected to participate in a reforming health environment, the price of their participation must not be the loss of control of sensitive personal information.

In the end, any system that fails to win the public's trust will fail to win the public's support, and risk having individuals withdraw from full and honest participation in their own health care. To allow people to fall through the cracks because their privacy is not fully protected is too serious a matter to continue to go unaddressed by the Congress.












1. Goldman J. Medical Records Confidentiality: Center for Democracy and Technology, House Committee on Government Reform and Oversight, June 14 1996. p. 1-5



2. Harter-Feutz S.A, Nursing and the Law, Fifth Edition, Professional Educational Systems, INC, (1993) p.73-83


3. Gostin L. Health Care Information and Protection of Personal Privacy: Ethical and Legal Considerations: Annals of Internal Medicine, Part 2, The Databases, October 15, 1997 p.1-15


4. Goldman J. Hudson Z. Exposed, A Health Privacy Primer for Consumers: Health Privacy Project: Institute for Health Care Research and Policy: Georgetown University, December 1999. p. 8-12


5. 5 U.S.C. § 552(b)(4) (1994 & Supp. IV 1998).


6. (21 C.F.R. 606.170.).


7. Smith, S National Center for Health Statistics Data Line. Public Health Rep. 1993; 108:408-409


8. United States Nuclear Regulatory Commission, Low-Level Waste Regulations, Guidance, and Communications.



9. 241 So. 2d 752 (Fla. App. 1970)


10. 551 P2d. 334 (California 1976)


11. Gostin L. Hodge J. Privacy and Security of Public Health Information: Model State Public Health Privacy Project, February 1999 p. 1-8


12. 460 F. Supp. 713 (D.Ill. 1978).


13. Gostin Lo. Genetic Privacy. Journal of Law, Medicine & Ethics 1995; 23:320-330


14. Gostin, L and Curran, Williams J. “AIDS Screening, Confidentiality, and the Duty to Warn,” American Journal of Public Health, Vol. 77, No. 3, March 1987; p. 361-365


15. Baker R. Private Acts, Social Consequences: AIDS and the Politics of Public Health. New Brunswick, New Jersey: Rutgers University Press. 1996, p.1-8


16. Center for Disease Control and Prevention. National HIV Sero-surveillance Summary: 1992. MMWR.1996


17. Donaldson M, Lohr K. Committee on Regional Health Data Networks, National Academy of Sciences, Health Data in the Information Age: Use, Disclosure and Privacy: 1994.


18. Rybowksi, L. Protecting the Confidentiality of Health Information, National Health Policy Forum 1, July 1998 p.16-17


19. 652 S.W.2d 240 (MO. App. 1983)


20. Joint Commission on the Accreditations of Health Care Organizations (JCAHO), Accreditation Manual for Hospitals Chicago, Illinois, 1998


21. American Hospital Association, Department of Health and Human Services, Standards for Privacy of Individuals Identifiable Health Information: vol. 67, No. 59, March, 2002: p. 2-40


22. Banisar, D. Davies, S. Privacy and Human Rights, An International Survey of Privacy Laws and Practice: Global Internet Liberty Campaign: p. 1-13


23. International Covenant on Civil and Political Rights,


24. Universal Declaration of Human Rights,


25. Directive 95/EC of the European Parliament and the Council of the Protection of Individuals with Regards to the Processing of Personal Data and on the Free Movement of Such Data.


26. Banisar, D. Davies, S.  Privacy and Human Rights, An International Survey of Privacy Laws and Practice: Global Internet Liberty Campaign: p. 1-13


27. Davies S, Hosein, “Liberty on the Line” in Liberating Cyberspace, Pluto Press, London, 1998


28. Clarke R. Biometrics and Privacy: Xamax Consultancy Pty Ltd, April 2001, p. 4-8


29. Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Information Technology & People 7, 4 (December 1994), p. 1-5


30. IPCO (1999b) 'Privacy and Biometrics' Information and Privacy Commissioner, Ontario, September 1999, p. 3-7


31. Easteal Weiser P. Easteal S., The Forensic Use of DNA Profiling: Trends and Issues in Crime and Criminal Justice, Australian Institute of Criminology: Nov. 1990, p. 7-8


32. American Society of Human Genetics 1990, ‘Individual Identification By DNA Analysis: Points to Consider’ American Journal of Human Genetics, vol. 46, p. 632-4


33. New York State Forensic Analysis Panel, 1989, DNA Report, September 6


34. Committee on the Role of Institutional Review Boards, In Health Services Research Data Privacy Protection, Protecting Data Privacy in Health Services Research, National Academy of Science, 2000: p. 1-23


35. Brown Gibbs J, Inspector General. Protecting Human Research Subjects: Status of Recommendations. Department of Health and Human Services, Office of Inspector General. April 2000.


36. Etzioni, Amitai. Medical Records: Enhancing Privacy, Preserving the Common Good. Hastings Center Report. 1999 Mar–1999 Apr 30:14–23.


37. Brown, June Gibbs, Inspector General. Institutional Review Boards: The Emergence of Independent Boards. Department of Health and Human Services, Office of Inspector General. 1998a Jun.


38. Brown, June Gibbs, Inspector General. Protecting Human Research Subjects: Status of Recommendations. Department of Health and Human Services, Office of Inspector General. April 2000.


39. Lowrance, 1997; NRC, 1997; Buckovich, et al., 1999; OPRR, 1993; Bradburn, 2000.


40. IOM (Institute of Medicine). Committee on Regional Health Data Networks and Molla Donaldson, and Kathleen N. Lohr, editors. Health Data in the Information Age: Use, Disclosure, and Privacy 1994. Washington, DC: National Academy Press.


41. Goldman J. Hudson Z. Exposed, A Health Privacy Primer for Consumers: Health Privacy Project: Institute for Health Care Research and Policy: Georgetown University, December 1999. p. 8-12


42. Ubel, PA: Zell, MM: Miller, DJ; Fisher, GS; Peters-Stefani; D; Elevator Talk: Observational Study of Inappropriate Comments in a Public Place. American Journal of Medicine. 1995; 99; 190-194


43. Lo, Bernard, and Alpers, Ann. Uses and Abuses of Prescription Drug Information in Pharmacy Benefits Management Programs. JAMA. 2000 Feb 9; 283(6): 801–806.


44. GHPP (Health Privacy Working Group). Best Principles for Health Privacy. Health Privacy Project; Institute for Health Care Research and Policy, Georgetown University.1999.p. 15-16


45. California HealthCare Foundation, National Survey: Confidentiality of Medical Records, January 1999. The survey is available at


46. Zink, T, "Should Children Be in the Room When the Mother is Screened for Partner Violence?" Journal of Family Practice, Vol. 49, February 1, 2000.


47. National Research Council and Institute of Medicine, Violence in Families: Assessing Prevention and Treatment Programs. Washington D.C.: National Academy Press, 1998.


48. Straus, M., Gelles, R., and Smith, C., Physical Violence in American Families: Risk Factors and Adaptations to Violence in 8,145 Families. New Brunswick: Transaction Publishers, 1990.


49. Goldman J. Hudson R. Hudson Z. Sawires P., Health Privacy Principles for Protecting Victims of Domestic Violence: Family Violence Prevention Fund, October, 2000 p.






“Computerized Medical Records: Legal and Administrative Changes Necessary.” Healthspan, Vol. 8, No. 11 December 1991, p. 3-6


Davies, S. “Re-Engineering The Right to Privacy: How Privacy Has Been Transformed From a Right to Commodity”, in Agre and Rotenberg (ed) “Technology and Privacy: the new landscape”, MIT Press, 1997 p.143


Straus, M., Gelles, R., and Smith, C., Physical Violence in American Families: Risk Factors and Adaptations to Violence in 8,145 Families. New Brunswick: Transaction Publishers, 1990.


Gostin, L. Health Information Privacy, 80 Cornell L. Review. 451-463 (1995)


Hiller, M. D. Beyda, V. “Computers, Medical Records, and the Right to Privacy,” in Medical Ethics and the Law, Cambridge, Massachusetts, 1981



Killion, S.W. “Patients’ Right to their Medical Records,” Health Span, Vol. 2, No. 2 February 1985. p. 28-33


Mandatory Reporting of Domestic Violence by Health Care Providers: A Policy Paper by Ariella Hyman for the Family Violence Prevention Fund, November 1997.


Nimmich, K. ‘Structure of the FBI Laboratory’ DNA and Criminal Justice Conference Proceedings, No. 2


Office of Technology Assessment. Protecting Privacy in Computerized Medical Information, OTA-TCT-576. Washington DC: 1993


Rose, Stanley D, & Tim K, 1989, “Standardization of Systems: Essential or Desirable?” Banbury Report no.32; DNA Technology and Forensic Science, p. 319-24