Contracts for Patient Privacy

Healthcare e-Records Law

Privacy Policy Contract Terms

As Google jumps into the competition to provide electronic health records, the World Privacy Forum frets that the management of health records by non-healthcare companies will undermine the legal privacy accorded to the records. The WPF warns that because HIPAA protection may not apply to Google-managed records, patient privacy will suffer.

To help mitigate this problem, here is an idea. Patients could mark their records with legal terms of use. Or they could otherwise post terms of use so the vendor managing their records (and anyone seeking access to the records) could be on notice of the terms.

Terms of use for a patient's records might be analogous to the end user license agreement or EULA that comes with software or corporate web sites. Well-crafted terms of use could legally limit or regulate how the vendor (or anyone else) uses the records, discloses them to others or alters its privacy practices pertaining to the records.

For example, the terms of use on a patient's record might say:

* By accessing the record (or by availing oneself of the conveniences afforded by the vendor’s management of the record), the person accessing it agrees by contract to abide by the terms.

* Vendor agrees to give patient six months' advance notice (delivered via first class mail) before the vendor changes its privacy policy.

* Vendor agrees to notify patient before vendor complies with a subpoena (or similar order) seeking patient’s records.

* Vendor agrees to refrain from disclosing patient's record to third parties for commercial or marketing purposes.

* The fact the record is in the hands of the vendor does not undermine the legal privileges accorded communications between patient and physician.

* And so on.

Case Law

Case law provides growing support for the legal enforcement of electronically published contract terms, whether published on software, a website or a record. For example, Greer v. 1-800-FLOWERS.COM held that the terms of service a flower merchant posted on its web site were enforceable against a customer who placed an order by telephone.

The Greer case illuminates the power of contract law in this electronic age. This power is just as much available to individuals as it is to corporations.

Is this contract-law power perfect for protecting patient privacy? No. But it is substantial. And it can be supported in court by good public policy arguments. Further, many parties will honor terms of access for non-legal reasons, such as ethics, politics or public reputation.

The law of healthcare privacy is very complex. HIPAA does provide certain protection, but HIPAA is subject to many exceptions and nuances. The array of protections that apply to records managed by HIPAA-regulated healthcare providers is far from ideal.

Many patients may be attracted to records services from vendors like Google. As patients embrace these vendors, contract law affords patients power to take proactive steps to enhance their privacy.

I have written an example of Healthcare Terms of Access that a patient could post on his health record.

See my further discussion of privacy contract terms with Google and my further discussion of privacy contracts formed with automated systems.

--Benjamin Wright, Senior Instructor on Computer Privacy Law at the SANS Institute.

[The foregoing is not legal advice for anyone, but it is something to think about.]