protection and often apply only to limited kinds of health information. In some instances, federal law facilitates the private-sector collection of patient-identifiable health information (e.g., the federal Employee Retirement and Income Security Act, or ERISA, allows self-insured employers to collect such information on their employees by preempting state laws). As a consequence, many organizations within the health care system are free to collect and use large amounts of patient-identifiable health information for purposes that suit their economic interests, and patients lack legal standing to bring suit against those they allege have breached their privacy. Data collected for one benign and stated purpose can be used for different, unstated purposes that may run contrary to the interests or understandings of the parties from which the data were collected. For example, self-insured companies that request patient data to monitor benefits programs have few legal constraints to prevent them from using such information in employment or promotion decisions.
In organizations that are subject to formal privacy protections, such as hospitals with mandatory institutional review boards that oversee research uses of health information (see Chapter 5) and government agencies subject to the Privacy Act of 1974 (see Chapter 2), privacy concerns seem greatly diminished. These types of structures appear to have been effective in ensuring uses of health information that are consistent with privacy concerns.
Finding 6: Within individual organizations, electronic health information is vulnerable both to authorized users who misuse their privileges and perform unauthorized actions (such as browsing through patient records) and to outsiders who are not authorized to use the information systems but break in with malicious and damaging intent. Health care organizations have been working for many years to develop mechanisms for protecting health information (in both paper and electronic form) from abuse by authorized users, but they must continue to strengthen their protections by, for example, implementing auditing capabilities and strengthening disciplinary sanctions. As with other types of organizations, health care organizations will become more vulnerable to attacks by outsiders as they expand their networking activities. System vulnerabilities are not limited to breaches of privacy. If realized, the most serious vulnerability might well be a skilled individual with malicious intentions who can "crash" an important health information system and deny service to health care providers that rely on that system.4