health record has implications for care: it is often difficult to determine a priori what information will be important to later delivery of care. Separate, or secret, records can hinder care in emergency situations and may have legal implications if a record is subpoenaed. But physicians may choose to negotiate with patients over the content of the record if it means the patient will continue to seek care.

A small number of health care organizations allow patients considerable control over access to their health information. One particular organization that works with people with AIDS allows patients to determine which providers are allowed to access their records and which portions of the record those providers are authorized to see. Another organization that manages a state health program (but does not provide care) lets patients (referred to by the site as clients) restrict access to their records to their case worker alone. As these examples demonstrate, the technology for patient-controlled, fine-grained access controls is available, but these controls appear to be applicable only in a limited set of circumstances with a narrow patient base. It does not appear that these practices could be applied easily to health care organizations with more diverse, transient patients who receive episodic care.

An alternative approach that is used successfully by some health care organizations is to avoid segregating sensitive information from the rest of the medical record and instead to improve the security of the entire, integrated medical record through the use of well-designed authentication procedures, access controls, audit procedures, and other mechanisms. The goal of this approach is to raise the level of protection for all health information, not just sensitive information. The advantage of this approach is that it ensures the medical record contains all available information that a care provider may need to make sound decisions about a patient's condition or treatment plan. The disadvantage is that it might require overly burdensome security practices for some applications or make organizations reluctant to offer some types of information services. For example, organizations may not want to allow Internet access to their clinical information systems if such access would expose the full medical record. In such cases, however, it may be possible to relax the security on some limited subsets of data. For example, one organization allows physicians to access information on patients in the intensive care unit from home or during travel. Screens show current laboratory results and vital signs for patients in the intensive care unit, but refer to them only as, for example, the "37-year-old, white male in bed 4." This information is insufficient to identify the patient to a casual intruder but is enough for a physician familiar with his or her patient profiles. Such a process works well in a controlled setting such as the intensive care unit, where a limited number of patients are under close and frequent supervi-
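To make the two approaches concrete, the following is an added illustration, not code from the report or from any of the organizations it describes: a patient-granted, section-level consent list (the first approach), combined with a remote session that is narrowed to laboratory results and vital signs and labelled only with a non-identifying descriptor (the intensive care unit example). The record, section names, provider names and audit format are all constructed for the example.

```python
# Constructed sample record; section names are illustrative, not from the report.
RECORD = {
    "identity":     {"name": "J. Doe", "mrn": "MRN-00001"},
    "demographics": {"age": 37, "sex": "male", "race": "white"},
    "location":     {"unit": "ICU", "bed": 4},
    "labs":         {"K": 4.1, "Na": 138},
    "vitals":       {"hr": 88, "bp": "122/78"},
    "sensitive":    {"note": "HIV positive"},
}

# Approach 1: the patient grants each provider access to specific sections.
CONSENT = {
    "attending":   {"identity", "demographics", "location", "labs", "vitals", "sensitive"},
    "case_worker": {"identity", "demographics"},
}

# Approach 2: remote (Internet) access is limited to a fixed, minimised subset.
REMOTE_SECTIONS = {"labs", "vitals"}

AUDIT_LOG = []  # every access attempt is recorded, whatever its outcome


def descriptor(record):
    """Non-identifying label of the kind the report quotes for the ICU screen."""
    d, loc = record["demographics"], record["location"]
    return f"{d['age']}-year-old, {d['race']} {d['sex']} in bed {loc['bed']}"


def view_for(record, consent, provider, remote=False):
    """Return only the sections `provider` may see; remote sessions are narrowed further."""
    allowed = set(consent.get(provider, set()))   # unknown provider -> nothing
    if remote:
        allowed &= REMOTE_SECTIONS                # consent AND remote policy must agree
    view = {s: record[s] for s in record if s in allowed}
    if remote and view:
        view["descriptor"] = descriptor(record)   # stands in for the identity section
    AUDIT_LOG.append({"provider": provider, "remote": remote, "sections": sorted(view)})
    return view


if __name__ == "__main__":
    print(view_for(RECORD, CONSENT, "case_worker"))
    print(view_for(RECORD, CONSENT, "attending", remote=True))
```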

The National Academies of Sciences, Engineering, and Medicine

Copyright © National Academy of Sciences. All rights reserved.