DOI: https://doi.org/10.20529/IJME.2008.057
Privacy is a key component of individual autonomy, and a voluminous literature has established both its practical value in healthcare contexts and its status as a fundamental, but not absolute ethical right. Because the Right to Information Act (2005) permits citizens to gain information under government control, it might be thought to threaten the privacy of patients and research subjects, especially those in government institutions. It is important for clinicians, administrators, information officers, patients, and research subjects to understand that the RTI Act generally does not require or permit disclosure of personal health information to third parties. Only under unusual circumstances when the larger public interest is properly certified to warrant it, would information shared or created within the fiduciary relationships of clinical care or research be required to be disclosed. Against this background concerning the right to privacy and the RTI Act, we consider a 2007 legal case that used the RTI Act to expose patient information of a public official and argue that the "public interest" claimed in this case did not justify disclosure of the official`s private health information. We conclude that the provisions of the RTI Act, when properly interpreted, are compatible with the important value of safeguarding patient privacy.
A vast body of literature argues in favour of the individual`s right to privacy in general, and especially in health-related matters (1, 2, 3). Within fiduciary relationships, like the doctor-patient relationship, the fiduciary`s (doctor`s) duty of confidentiality allows people (patients) to share private information in a limited manner while still maintaining its privacy vis à vis other parties.
With the passage of the Right to Information Act 2005, a measure that is designed to enable the public to obtain information held in government records of various sorts, some may wonder whether the privacy and confidentiality of individuals is under threat, as for example in the case of those who have disclosed private information when receiving healthcare in government hospitals. This paper explains that patients, the public and public information officers (PIOs) should not misunderstand the Right to Information Act to require or permit the breach of patient confidentiality except in very rare circumstances.
Privacy is valuable because it helps individuals maintain their autonomy and develop their individuality. Physical privacy allows people to act and to express themselves alone or with a group of chosen others, without shame or fear of public censure. A small child may dance or play with imaginary friends when adults are not watching but may become self-conscious and stop such expression when adults begin to observe. Similarly, a mature adult may act freely among friends, or express sexual desires with a spouse, in a way she or he would not in front of other people.
Privacy of information is also important because people define themselves by exercising control over information about themselves. A free society permits people to make their own choices about what information is shared and what is held close. Respect for privacy and the duty to safeguard information as confidential are also important for practical, consequence-oriented reasons (4). The right to confidentiality, and the related duty, allows the sharing of information within a specified sphere. The person who initially shares the information can gain the benefit of this limited sharing without incurring the risk of the information becoming more generally known.
In the healthcare context, the importance of maintaining patients` confidentiality is clear. Patients must feel comfortable sharing private information about their bodily functions, physical and sexual activities, and medical history. This is information that they would not want widely known because it may be embarrassing or may have negative practical consequences.
If an individual has poor health and if the condition of his health is made public, he may have difficulty in finding a spouse, obtaining health or life insurance, or obtaining employment. Some health conditions are stigmatising and, if known, may cause an individual embarrassment or difficulty in interpersonal relations. Therefore, healthcare providers need to keep patients` health information confidential.
Respect for the confidentiality of personal health information requires that healthcare providers do not disclose this information to others without the individual`s permission. Sometimes even acknowledging that a particular person is, in fact, one`s patient may constitute a harmful breach of that person`s confidentiality. Medical professionals should not disclose any health information of the patient unless required by law or given permission by the patient (4).
The Medical Council of India`s Code of Ethics Regulations (5) protects patient confidentiality by stating that the physician "shall not disclose the secrets of a patient that have been learnt in the exercise of his/her profession except in a court of law under orders of the Presiding Judge; in circumstances where there is a serious and identified risk to a specific person and/or community; [or in case of] notifiable diseases."
In addition to the treating doctors, administrators and the public information officer of a healthcare institution are also ethically required not to disclose health information of a patient. Similarly, researchers must maintain the confidentiality of their subjects` health and other personal information, especially as the promise of preserving confidentiality is appropriately part of the informed consent agreement (6).
The Right to Information (RTI) Act 2005 is widely seen as a watershed development in Indian democracy. It provides citizens the right to secure access to information under the control of public authorities in order to promote transparency and accountability (7). It is often held to be an effective tool to control corruption, make government accountable, and curb the arbitrary use of power. The question here is whether it can be used to justify the breach of a patient`s or research subject`s confidentiality.
The logic behind the Act is clear and straightforward. The government is run on public money. Moreover, the concept of democracy revolves around the basic idea of citizens at the centre of governance, the rule of the people. So the people, who elect the government and pay taxes, have a right to know the conduct or day-to-day functioning of the government. The greater the access of citizens is to information about the government`s activities, the more likely it is that the government will respond to community needs. Alternatively, the more restricted the public`s access, the greater the citizens` feelings of "powerlessness" and "alienation". Without information about the government`s activities, people cannot adequately exercise their rights as citizens or make informed choices about government policies or participate in elections.
The RTI Act 2005 establishes the right of citizens to "inspection of works, documents, records; taking notes, extracts or certified copies of documents or records" held by "public authorities", which include any body owned, controlled, or substantially financed by the appropriate government (7). Under Act, information is understood to mean "any material in any form including records, documents, memos, e-mails, opinions, advice, press releases, circulars, orders, log books, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by public authority under any other law for the time being in force but does not include ‘file noting` " (7).
These provisions raise the question of whether the right to information extends to the right to obtain personal medical information generated within government hospitals and research projects, as well as who may have access to such information under the Act. As there are stiff penalties prescribed under the RTI Act if an institutionally designated PIO does not comply with a legitimate request for information, some PIOs may be concerned about the legitimacy or consequences of refusing requests by third parties for the confidential information of patients or research subjects. Moreover, when the PIO is a physician, he or she might be appropriately concerned that the RTI Act could require a breach of the professional duty of confidentiality.
Indeed, it might seem ethically appropriate for the Act to guarantee a patient or research subject the right to see his or her own medical or research record. But if other parties are entitled to have access to medical information concerning anyone so long as it is held in government documents, the confidentiality of medical and research records and of the doctor-patient relationship would be threatened.
The RTI Act was designed to promote transparency in government, not to permit the invasion of the privacy of individuals who use government hospitals or who altruistically participate in government-funded research. The Act generally does not threaten the confidentiality of the doctor-patient or researcher-subject relationship.
Under section 8 (1) entitled "What is not open to disclosure", the Act says that "(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individuals should not be disclosed." (7) In addition, the same section stipulates that "(e) information available to a person in his fiduciary relationship"-such as the relationship of a physician or researcher with a patient or subject-should not be disclosed "unless a competent authority is satisfied that the larger public interest warrants the disclosure of such information."
The Act does not grant others the right to request information about an individual that is generated within fiduciary relationships, even if the doctor or researcher is a government employee and the medical or research record is housed in a government institution, unless public interests outweigh the individual`s interest in the privacy of the information. Thus, the degree to which the RTI Act threatens patient or subject confidentiality depends greatly on what would count under the Act as a "public activity or interest" and as an "unwarranted invasion" of privacy.
Due to this need to interpret "public activity or interest", patients, subjects, clinicians, and PIOs have reason to be confused-and concerned-about the degree to which the RTI Act threatens the confidentiality of medical and research records.
In a 2007 judgement, the Central Information Commission (CIC) specifically upheld that information regarding the purpose and results of medical testing was exempted from disclosure under the RTI Act because it was, as the PIO had initially determined, "personal information the disclosure of which has no relationship to any public activity or interest and would cause unwarranted invasion of the privacy of the individual (8)". Further, the CIC held the information had been made available within the doctor-patient fiduciary relationship, and was also exempt from disclosure on that ground. The party seeking the test results in this case did not allege a public interest in the information, but a "genuine right to seek" it as the estranged parent of the patient. This CIC judgement therefore provides little guidance in deciding what would constitute a relevant and overriding public interest.
Traditionally, protection of the health and safety of specific individuals or the public from serious risks is the most justifiable interpretation of a public interest to permit breaching patient confidentiality (4). Examples of breach typically justified by overriding interests are breaching a psychiatric patient`s confidentiality to prevent him from committing suicide; breaching a patient`s confidentiality to prevent him from transmitting a serious communicable disease to identified others; or reporting a patient as being unfit for particular work (eg, as an airline pilot) because of a medical condition.
In the first case, the state`s interest in protecting life may override the person`s own interest in confidentiality. In the latter two examples, it is others` interests in health and safety that might justify breaching confidentiality. In the second case, the others are identifiable-the patient`s family or coworkers-while in the third example, the others are simply whoever might some day fly in the plane.
Even where other interests justify breach of privacy and confidentiality, the breach should be as limited as possible (4). While it might be impossible to prevent the unfit pilot from flying without reporting to the airline the name and specific condition of the pilot-patient, for some communicable conditions and work situations, it would be possible to warn a group of employees that they have been exposed to a communicable disease and should seek treatment. Within a family, however, it may be impossible to issue a similar warning while protecting the identity of the person who is already ill.
The April 2007 judgement by the Maharashtra State Information Commission (SIC) departed from this traditional interpretation of what constitutes an overriding public interest that may outweigh patients` interests in confidentiality. The SIC directed a PIO to comply with an RTI Act request for the medical record of a prominent former public official who had been incarcerated. The "public interest" allegedly served in this case was not a forward-looking health-related interest typically invoked in such weighings against medical confidentiality. Instead, it was suspected that the incarcerated individual used his political clout to falsify medical symptoms and serve the majority of his one-month sentence in a hospital rather than a prison. The RTI Act request was filed in the public interest of exposing corruption in the political or penal system (9)
We believe that this SIC finding was unfortunate because the public`s interest in the integrity of the penal system could have been adequately served by a measures less intrusive than breaching patient confidentiality by making the prisoner`s medical record public in order to address "a feeling in the minds of people" regarding corruption in the penal system.
An independent commission, for example, could have been appointed to investigate allegations that prison and hospital officials collaborated to enable the prisoner to evade prison incarceration. In support of this view, we draw on an established principle from public health ethics-the principle of the least restrictive alternative-whereby "public health agents should seek to minimise the infringement of general moral considerations. For instance, when a policy … infringes privacy, they should seek the least intrusive alternative; and when it infringes confidentiality, they should disclose only the amount and kind of information needed, and only to those necessary, to realise the goal." (10) The use of the RTI Act to force public disclosure of a medical record in order to expose potential corruption in a penal system is too blunt an instrument. The "public interest that the truth should come out" could have been served by a more limited inquiry into the prisoner-patient`s medical record.
Moreover, ethically-speaking, prisoners constitute a vulnerable population because of their status as dependents of the State who are deprived of the usual resources of self-protection (such as being able to walk away from circumstances contrary to their interests). As such, they deserve equal, if not special protection of their rights as patients. Incarceration does not negate one`s ethical right to seek medical care and to receive standard care and the benefits of a doctor-patient relationship.
Furthermore, as those using the RTI Act in this case would likely agree, all prisoners should be treated equally; being powerful or wealthy should not result in a prisoner being treated differently from other prisoners. Therefore, the rights and duties of the fiduciary relationship between a doctor and a prisoner-patient, even a powerful former public official as in this case, should not be negated if other means of serving the public interest in investigating corruption could be pursued.
Poor patients who seek care in government hospitals similarly lack resources to go to other institutions that might better protect their interests, including their privacy interests in virtue of not being subject to the RTI Act. This decision by the SIC gives those who must seek their care in government hospitals, or who participate in research there, reason for concern by interpreting the "public interest" too broadly to include interests beyond protection of the health and safety of the public.
PIOs similarly have reason for concern, as they may be forced to violate their professional ethical duties of confidentiality to comply with legal orders they consider ethically unjustified. Clinicians have reason to be concerned that some patients may be reluctant to share important information if they fear breaches of their confidentiality. Finally, as people realise their medical or research records could be subject to RTI Act requests, clinical researchers at government institutions may experience a decline in enrolment in studies-especially on the part of prominent people whose medical information might be of special interest to others.
Privacy and confidentiality are important values, linked to the protection of autonomy and individuality, which are themselves highly prized in a democratic society like India. Protection of privacy and confidentiality in the fiduciary doctor-patient relationship serve important individual and public health interests as their guarantee encourages people to seek necessary medical care and disclose information necessary for personal and public health. The RTI Act promotes other values critical in a democracy-transparency and accountability of government actions. None of these values is absolute.
Indeed, application of the RTI Act in specific cases requires balancing of these values when a request is made for information contained in medical or research records. We suggest that the notion of "public interest" employed in the Act should be interpreted conservatively when it is being balanced against the protection of information shared with an expectation of confidentiality within a fiduciary relationship. Moreover, when a breach of confidentiality is contemplated, only the least intrusive and most limited disclosure of information possible should be permitted.
We would like to acknowledge support from the Fogarty International Center NIH Training Program for Psychiatric Genetics in India, grant #5D43 TW006167-02.