In addition to standards for patient data, medical knowledge must be encoded in CPR systems with decision support capability. The Arden syntax has been used to exchange medical knowledge encoded as simple rules (Hripcsak et al., 1990). Further work must be undertaken to represent medical knowledge in standard, transferable form.
Leadership at the federal level is required to ensure that standards necessary to preserve and enhance health care in the United States are developed. Until standards exist for uniquely identifying individuals and for coding and exchanging health data, the value of capturing and aggregating data will go unrealized and each organization will be its own pioneer.
Security, privacy, and confidentiality concerns have become major barriers to widespread implementation of CPR systems and to the sharing of data. There is, as yet, no agreement on what must be done to establish the balance between appropriate use of health care data and the individual patient's rights to privacy (Detmer and Steen, 1996). The issue of who owns the data in a CPR is still being debated. Of equal importance to preserving patient privacy and confidentiality is the necessity of preserving institutional privacy. No institution will be willing to share data if those data can be used to provide a business advantage for a competitor. Again, the human factors outweigh the technical solutions in dealing with this issue (Barrows and Clayton, 1996).
Privacy and confidentiality are concepts that involve people, policies, and legislation. Information security technology plays an enabling and facilitating role by helping organizations prevent unauthorized access to confidential information. In addition, properly designed and monitored audit trails can enhance user accountability by detecting and recording unauthorized access to confidential information. CPRI has produced position papers on user authentication and access to patient data and provided substantive guidelines on security policies, security education programs, job descriptions for information security managers, model confidentiality policies, and security functionality requirements for CPR systems (CPRI, 1995a,b, 1996b,d). CPRI and the American Health Information Management Association have been instrumental in developing model policies and legislation regarding confidentiality and privacy. Public Law 104-191 establishes legal sanctions for wrongful disclosure of individually identifiable health information. It also calls on the secretary of Health and Human Services to provide detailed recommendations on privacy of health data and procedures and rules for authorized disclosure of such information. The recently revitalized National Committee on Vital and Health Statistics (NCVHS) advises the secretary on this and other standards related to health information. Federal legislation is necessary to overcome many of the inadequacies and inconsistencies between the state regulations and laws that are described in this report.