right to demand enforcement of these obligations and responsibilities; and require disclosure of data collection activities to make the sharing of health information more transparent to patients. Such disclosure would educate patients about the flows of health data and their rights in controlling those flows, thereby facilitating the discussion of privacy and security issues and the development of consensus. The committee believes that personal awareness of privacy rights and potential abuses is one of the best countervailing pressures against the economic incentives that drive organizations to share information. Moreover, public awareness and concern may be an essential prerequisite to the passage of necessary legislation of any strength.
Recommendation 3.2: The Department of Health and Human Services should work with state and local governments, health care researchers, and the health care industry to establish a program to promote consumer awareness of health privacy issues and the value of health information for patient care, administration, and research. It should also conduct studies that will develop a series of recommendations for improving the level of consumer awareness of health data flows. Patients appear to be less informed than care providers and other users of health information about the various ways in which health care information is used, the potential benefits of such uses, and the implications for patient privacy. Having a neutral party educate patients would be a first step toward elevating the level of debate.
Recommendation 3.3: Professional societies and industry groups8 should continue and expand their leadership roles in educating members about privacy and security issues in their conference discussions and publications. These groups represent a wide variety of health care professionals who must address questions of access and privacy on a regular basis. They would make good platforms for educating many of these professionals about patient privacy and ongoing initiatives in government and industry.
Recommendation 3.4: The Department of Health and Human Services should conduct studies to determine the extent to which—and the conditions under which—users of health information need data containing patient identities. Patients, providers, and other users of health information continually question each other's needs for patient-identifiable data. Limiting the use of such data to those cases in which there is a
These include, but are not limited to, the American Hospital Association, American Medical Informatics Association, American Health Information Management Association, College of Health Information Management Executives, Healthcare Information and Management Systems Society, Computer-based Patient Record Institute, and American Medical Association.