Congress' New Infrastructural Model of Medical Privacy

70 Pages Posted: 30 Jul 2008 Last revised: 2 Jun 2013

Barbara J. Evans

University of Florida Levin College of Law

Date Written: July 29, 2008


This article opens discussion of a starkly new approach for protecting the privacy of Americans' sensitive health information. Last year, Congress empowered the U.S. Food and Drug Administration (FDA) to oversee development of a major new national infrastructure: a large-scale data network, the Sentinel System, that aims to include health data for 100 million Americans by 2012. This marked the first time since the end of the New Deal that a wholly new infrastructure regulatory mandate had been issued at the federal level. This important development, buried in drug-safety provisions of the Food and Drug Administration Amendments Act of 2007 (FDAAA), went largely unnoticed, as did the fact that Congress cast medical privacy, a hot-button issue for many members of the American public, as an infrastructure regulatory problem. Individuals are not empowered to make autonomous decisions about permissible uses and disclosures of their health data. Instead, Congress authorized FDA to decide whether proposed disclosures meet a statutorily defined public-interest standard. If so, then the disclosures are lawful without individual privacy authorization or informed consent. Within limits that this article explores, FDA can approve the release of private health data, including data in identifiable form, to private operators of Sentinel System infrastructure and to outside data users, including academic and commercial entities.

This article describes the new privacy model, which was implicit in the statute Congress passed but far from obvious on its face. The goal is not to oppose the new approach. Congress was responding to serious public concern about the safety of FDA-approved products. This article accepts that this new privacy model exists and explores directions for implementing it in a manner that will be least corrosive of public trust. The goal is to elicit ongoing dialogue about appropriate institutional protections for the 100 million Americans whose data soon will be in this vast data network.

FDA is, in many respects, an accidental infrastructure regulator, thrust into a new role strikingly different from its longstanding product-safety mandate. Fortunately, the challenges FDA now faces are not new ones. U.S. infrastructure regulators, in a wide variety of industry contexts, have harnessed private capital to build new infrastructures to serve defined public interests while protecting vulnerable classes. Lessons from these other contexts can shed light on appropriate governance structures for the Sentinel System. For example, privacy protection may be enhanced by eschewing vertical integration in favor of segregating certain key infrastructure functions that require access to identifiable data. It may be better to establish core privacy protections via rulemaking rather than through contracts and to centralize certain key discretionary decisions rather than delegating them to private, commercial decision-makers. Public trust will require strong due-process protections, regulatory independence, and a well-funded system of regulatory oversight; approaches employed by other infrastructure regulators may help address these concerns. The single greatest threat to privacy will come as FDA faces pressure to approve wide ancillary sales of Sentinel System data to help defray costs of system development. To make this system financeable while enforcing strong privacy protections, FDA should deploy its limited available funds to support a well-thought-out infrastructure financing facility that backstops clear privacy policies with appropriate political risk guarantees for private infrastructure investors.

Keywords: Privacy, Sentinel System, health database, Nationwide Health Information Network (NHIN), public health, infrastructure regulation, infrastructure financing, Food and Drug Administration Amendments Act of 2007 (FDAAA), HIPAA Privacy Rule, privacy authorization, informed consent, drug safety, FDA

Suggested Citation

Evans, Barbara J., Congress' New Infrastructural Model of Medical Privacy (July 29, 2008). Notre Dame Law Review, Vol. 84, No. 3, 2009; U of Houston Law Center No. 2008-A-22. Available at SSRN:

Barbara J. Evans (Contact Author)

University of Florida Levin College of Law

P.O. Box 117625
Gainesville, FL 32611-7625
United States
