purpose-based protections (HIPAA et al.)
Many information privacy and security laws tailor their protections according to the purpose of the use or disclosure, rather than basing them solely on the particular characteristics of the data itself. This is also sometimes referred to as role-based protection, since the work-related role of the user of the data sets the range of legitimate purposes. HIPAA, for example, sets different limits on use or disclosure of protected health information (PHI), depending on whether the access is for treatment, payment or health care operations (the "big three" under HIPAA); for government functions like public health, law enforcement, or national security; or for certain "extra" functions like research, marketing and fundraising.

Consequently, there may be entirely different requirements for use and disclosure of the same piece of information, depending on the reason for accessing it. Such laws may care only secondarily about the professional credentials and organizational affiliations of the persons doing the accessing. (Professional credentials and organizational affiliations may still give strong clues about which purposes are legally plausible in a particular circumstance.)
Purpose-based protections can co-exist with limitations that are based on the nature of the information itself. For example, HIPAA gives extra protections to psychotherapy notes. Many states' laws also provide extra protections for mental health information, as well as for information in such categories as HIV/AIDS, STDs and pregnancy, genetic tests and substance abuse. (That is the case in Florida, for example.)
Last modified: 12-May-2005 [RC]