Contracts for Patient Privacy

Healthcare e-Records Law

Privacy Policy Contract Terms

As Google jumps into the competition to provide electronic health records, the World Privacy Forum frets that the management of health records by non-healthcare companies will undermine the legal privacy accorded to the records. The WPF warns that because HIPAA protection may not apply to Google-managed records, patient privacy will suffer.

To help mitigate this problem, here is an idea. Patients could mark their records with legal terms of use. Or they could otherwise post terms of use so the vendor managing their records (and anyone seeking access to the records) could be on notice of the terms.

Terms of use for a patient's records might be analogous to the end user license agreement or EULA that comes with software or corporate web sites. Well-crafted terms of use could legally limit or regulate how the vendor (or anyone else) uses the records, discloses them to others or alters its privacy practices pertaining to the records.

For example, the terms of use on a patient's record might say:

* By accessing the record (or by availing oneself to the conveniences afforded by the vendor’s management of the record), the person accessing it agrees by contract to abide by the terms.

* Vendor agrees to give patient 6-months advance notice (delivered via first class mail) before the vendor changes its privacy policy.

* Vendor agrees to notify patient before vendor complies with a subpoena (or similar order) seeking patient’s records.

* Vendor agrees to refrain from disclosing patient's record to third parties for commercial or marketing purposes.

* The fact the record is in the hands of the vendor does not undermine the legal privileges accorded communications between patient and physician.

* And so on.

Case Law

Case law provides growing support for the legal enforcement of electronically-published contract terms, whether published on software, a website or a record. For example, Greer v. 1-800-FLOWERS.COM held that the terms of service a flower merchant posted on its web site were enforceable against a customer who placed an order by telephone.

The Greer case illuminates the power of contract law in this electronic age. That power is available to individuals just as much as it is to corporations.

Is this contract-law power perfect for protecting patient privacy? No. But it is substantial. And it can be supported in court by good public policy arguments. Further, many parties will honor terms of access for non-legal reasons, such as ethics, politics or public reputation.

The law of healthcare privacy is very complex. HIPAA does provide certain protection, but HIPAA is subject to many exceptions and nuances. The array of protections that apply to records managed by HIPAA-regulated healthcare providers is far from ideal.

Many patients may be attracted to records services from vendors like Google. As patients embrace these vendors, contract law affords patients power to take proactive steps to enhance their privacy.


I have written an example of Healthcare Terms of Access that a patient could post on his health record.

See my further discussion of privacy contract terms with Google and my further discussion of privacy contracts formed with automated systems.

--Benjamin Wright, Senior Instructor on Computer Privacy Law at the SANS Institute.

[The foregoing is not legal advice for anyone, but it is something to think about.]


  1. At Health Care Law Blog Bob Coffield raises an issue: can a patient mark his record with legal terms if he does not have enough control over the record to place the terms inside it? In response to that valid comment, I said: "I agree a patient will not always have direct control over his record. However, a patient can arguably publish his terms apart from the record itself, such as on his web site. And those web-published terms could be effective against a sophisticated party such as Google or an opposing attorney. In the 1-800-Flowers case, the company's terms of service posted on its web site were enforceable against a customer who called in by telephone!"

  2. Hi Ben,

    But is this enforceable in practice? For the sake of argument, say Google captures 1/3 of the market and maintains information on a population of 100 million. Are they going to be required to abide by 100 million EULAs? I agree in theory it's enforceable, but even if (and it's a big if) we can prove they used information inappropriately and against our wishes, would we be able to win a lawsuit?

  3. It is an interesting question whether in practice the terms a patient publishes for her record are enforceable against Google. Here are two thoughts:

    1. Why should the terms not be enforceable? Contract law serves individuals just as it does corporations. Corporations like Google tell us all the time what the legal terms are, and corporations expect those terms to be enforced. I've already cited some cases. Why can't individuals turn the tables and tell corporations what the terms are?

    2. Can Google realistically adhere to 100 million different EULAs? That is not a legal-enforceability question, it's a practical question for Google. Theoretically, Google can hire people to read and interpret the EULA in each record, though that makes Google's costs go up. Ultimately, this issue poses a risk to the Googles of the world. (In truth the same type of risk also applies to HIPAA "covered entities". People can publish the types of terms I have suggested and declare that the terms apply to their records held by hospitals.) Google can take steps (e.g., having a good privacy policy) to manage the risk. But to some degree this risk will always exist given the rules of contract law.

    [Again, no one should take what I say here as legal advice.]

  4. I love this idea, primarily because it exposes the ridiculousness of EULAs. EULAs have almost become the common law of the digital age: no one ever knows what's in the EULAs until it comes time to litigate, because it would be too costly for any consumer to know all of what's legally binding them. But the difference with EULAs is that the rules are not set by a neutral arbiter, but by the drafting party.
    By bringing EULAs to the consumer, we show just how ridiculous it is to expect anyone to read and understand multiple pages of legal drafting for every small transaction they undertake. If this is what it takes to kill the EULA, hooray for it!

  5. I think that 1-800-Flowers case is making a big conflict, no?

  6. find physician job: The 1-800-Flowers case reflects how the Internet changes everything. In theory, the same type of result could have occurred before the Internet if a company like 1-800-Flowers published its terms of service every day in newspapers across the country. However, publishing terms that broadly every day was impractical. It has become practical on the Internet! The Internet creates contract law scenarios that could not have happened in the past. The principles of contract law did not change under the 1-800-Flowers case. But the environment in which those principles apply did change, and that lesson has big implications for e-commerce as we sail deeper into the 21st Century. See relevant discussion at

  7. Ben, I'd like to think your website idea would work, but, as I wrote here, I think it has two problems. First, it would be very hard to show that anyone with sufficient authority ever "agreed" to the terms of use, even by visiting the website. In the case you cited it was easy because the consumer was trying to enforce the website's privacy policy, but in other cases this could be a serious issue. Second, while theoretically contracts bind both consumers and corporations, in practice consumers don't get very far when they try to enforce privacy protective contracts against big businesses (see, e.g., In re Northwest Airlines litigation).

  8. Perhaps putting the choice in the hands of the citizen as we do.
    We have a system where the patient authenticates to the doctor (via a third party).
    The doctor then has access to the patient's records wherever they may be, the insurer is also notified and can settle with the doctor in real time.

    No personal or identifiable (or useful to criminals) data is ever transmitted anywhere in any interaction.
    The patient does not carry their records, and in theory those records could even be on the internet in plain text, minus any identifying data.

    Would it really matter if someone read them without being able to attach an identity? The doctor would of course be provided with the relevant records via an encrypted link so that an unauthorised observer would not be able to link the doctor and the patient.
    It isn't necessary to have the records in plain view but the idea is interesting for medical research and really if we could we should.

    A little imagination is all that is required to see that there is a way to do most of the things we do without risk of data breach or even consequence when we do lose data. Perhaps more attention to that course of action would be more productive. Just because we've been operating stone-age in a space-age world doesn't mean we can't change it.

    As for proving a consumer has visited a website and agreed to the terms and conditions in a legally binding way which is easy for the consumer - that's easy. It'll cost you for that one though.

    We've also come up with a way for consumers to anonymise themselves more effectively than they can do currently and that may change the data landscape somewhat.
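Comment 8 sketches a design in which records are stored without identifying data, the link between a record and a person is held only by a third party, and a doctor receives records only after the patient authenticates through that party. The following Python is an added illustration of that split, not the commenter's system or anything from the post; it assumes an HMAC-derived pseudonym and a grant key shared between the broker and the record store as the linkage mechanism, and every key, name and record field is constructed for the example.

```python
import hashlib, hmac, json, secrets, time

IDENTIFYING_FIELDS = {"name", "dob", "ssn", "address"}  # assumed identifier set

def deidentify(record):
    """Return a copy of the record with direct identifiers removed."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}

class IdentityBroker:
    """The third party: holds the only key linking a real identity to a pseudonym."""
    def __init__(self, grant_key):
        self._pseudonym_key = secrets.token_bytes(32)
        self._grant_key = grant_key  # shared with the record store only

    def pseudonym(self, patient_id):
        return hmac.new(self._pseudonym_key, patient_id.encode(), hashlib.sha256).hexdigest()

    def authorize(self, patient_id, doctor_id, ttl=300):
        """Issue a short-lived grant once the patient has authenticated (assumed done)."""
        body = {"pseudonym": self.pseudonym(patient_id), "doctor": doctor_id, "exp": time.time() + ttl}
        payload = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "mac": hmac.new(self._grant_key, payload, hashlib.sha256).hexdigest()}

class RecordStore:
    """Holds de-identified records under pseudonyms; it cannot name any patient."""
    def __init__(self, grant_key):
        self._grant_key = grant_key
        self._records = {}

    def store(self, pseudonym, record):
        self._records.setdefault(pseudonym, []).append(deidentify(record))

    def fetch(self, grant, doctor_id):
        """Release records only for an unaltered, unexpired grant naming this doctor."""
        payload = json.dumps(grant["body"], sort_keys=True).encode()
        expected = hmac.new(self._grant_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, grant["mac"]):
            raise PermissionError("grant was altered or not issued by the broker")
        if grant["body"]["doctor"] != doctor_id or grant["body"]["exp"] < time.time():
            raise PermissionError("grant is for another doctor or has expired")
        return list(self._records.get(grant["body"]["pseudonym"], []))

    def leaks_identifier(self):
        """True if any stored record still carries a direct identifier."""
        return any(IDENTIFYING_FIELDS.intersection(r) for recs in self._records.values() for r in recs)

def fetch_or_none(store, grant, doctor_id):
    """Convenience wrapper: None instead of an exception when a grant is rejected."""
    try:
        return store.fetch(grant, doctor_id)
    except PermissionError:
        return None
```

The store on its own holds nothing that names a patient, and a grant copied to another doctor or edited after issue is refused because its MAC no longer verifies.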