The ongoing transition from paper medical files to electronic health records will provide unprecedented amounts of data for biomedical research, with the potential to catalyze significant advances in medical knowledge. But this potential can be fully realized only if the data available to researchers is representative of the patient population as a whole. Thus, allowing individual patients to exclude their health information, in keeping with traditional notions of informed consent, may compromise the research enterprise and the medical benefits it produces.

This Article analyzes the tension between realizing societal benefits from medical research and granting individual preferences for privacy. It argues for a shift in the conceptual and regulatory frameworks that govern biomedical research. When studies involve electronic record review rather than human experimentation, the traditional, autonomy-dominated model should give way to one that emphasizes the common good. In record-based studies, the limited benefits of individual informed consent come at too high a cost: difficult administrative burdens, significant expenses, and a tendency to create selection biases that distort study outcomes. Other mechanisms can better protect data subjects’ privacy and dignitary interests without compromising research opportunities.

In this Article, we formulate a novel, multi-faceted approach to achieve these ends. This approach recognizes that technical means for achieving identity concealment and information security are necessary but not sufficient to protect patients’ medical privacy and foster public trust while facilitating research. Hence, we call for supplementing such means with (1) an oversight process that is tailored to record-based research and applies even to de-identified patient records, which are currently exempt from scrutiny, and (2) public notice and education about the nature and potential benefits of such research.


Privacy, Clinical research, Human subject autonomy, Electronic health records, Informed consent, HIPAA Privacy Rule, HIPAA Security Rule, Records-based research, De-identification, Re-identification, Common good, Research oversight, Human subject protections, Informational risks

Place of Original Publication

SMU Law Review

Publication Information

65 SMU Law Review 85 (2012)


Sharona Hoffman Faculty Bio