mechanisms are redundant, that members of the profession are well intentioned, and that they would never violate a patient's privacy.

With the advent of modern telecommunications and computing technology, almost any business enterprise draws upon a vastly expanded, even global, spectrum of information and personal contacts, which help to shape the culture of the organization itself. Most health care organizations have increasingly permeable boundaries, and it cannot be assumed that once the culture of privacy and security is established within the organization's walls, there are no other risks. As health care organizations form alliances and other vertical or horizontal linkages and as communications by these component entities increasingly use modalities such as the Internet, not only are the proprietary interests of these organizations put at risk, but patient-specific data are also more widely exposed. The awareness and concern that health care organizations exhibit with regard to these matters are, to a large extent, products of the organizational culture within which these issues are addressed.

Individual organizations take on a distinctive pattern of dealing with issues such as privacy and security. To some extent, the way these issues are addressed can reflect an organization's response to issues involving all aspects of technology. For example, an organization whose leaders have thought of computers and information technology as beyond human capacity to control may accept on blind faith the claim that, once programmed and made operational, computer-based information systems require little human monitoring or oversight. The more that global cultural influences are felt in contemporary organizations of all types, the less likely is it that any individual organization will be dominated by the influence of one or a few leaders who exert their personal stamp on everyday business dealings.

Organizations whose leaders and participants generally deny the possibility of violations of patient privacy (e.g., "It can't happen here," or "We've never had a serious incident before") may engender a culture that essentially acts as a blinder to these issues. This represents one of the most important, and frequently observed, impediments to the adoption and effective implementation of risk reduction policies and structures. Yet, the cultural supports for an initiative involving privacy and security may constitute an essential ingredient for its success. Unless organizational leaders actively foster and nurture a security-enhancing culture, such policies and structures may be imposed but will have little influence on health care organizations.

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement