Creating a health care organization that is fully committed to safeguarding personal health information is difficult. It requires managers and employees, both individually and collectively, to engage in an ongoing process of learning, evaluation, and improvement to create an environment—and an organizational culture[3]—that values and respects patients' rights to privacy. Managers must provide leadership by heightening awareness of privacy and security issues and by determining how the organization can achieve the most appropriate balance between access to electronic health information and patient concerns over privacy.[4] As front-line caregivers, employees are responsible for the actual implementation of policies and procedures, and they may also participate in their development. Individual employees are the most likely sources of minor and accidental breaches of patient privacy, whereas inadequate policies or a lack of technical mechanisms are probably responsible for larger breaches.

As the committee's site visits attest, health care organizations have developed a number of policies and practices for protecting electronic health information. These include formal policies regarding information system security and patient privacy, formalized structures for developing and implementing policies and procedures, employee training practices, and procedures for monitoring and penalizing breaches of privacy and security policies. Nevertheless, additional progress needs to be made to improve organizational protections for electronic health information. Few, if any, health care organizations have developed an integrated approach to organizational management that addresses all aspects of information security and patient privacy. Numerous obstacles must be overcome in order to provide organizations with the incentives and motivation to adopt stronger practices.

Formal Policies

Health care organizations have adopted a range of formal policies to outline their goals with regard to patient privacy and security. These include policies related to authorized uses and exchanges of health information and patient-centered policies that are intended to promote a stron-


[3] "Organizational culture" is a term inclusive of the values, norms, understandings, and experiences of organizational employees, as well as patients, payers, and purchasers.


[4] Valuing patient privacy does not follow from a proclamation by an organization's managers; values can be effective only when they are individually held. Some organizational researchers suggest that management should communicate facts about policies and then demonstrate a strong commitment to that policy through their own behavior. See Larkin, T.J., and Sandar Larkin. 1996. "Reaching and Changing Frontline Employees," Harvard Business Review, May-June, pp. 95-104.

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.