- other purposes and impeding inappropriate linkages. This research should also address the extent to which a universal identifier is needed to facilitate improved care and health-related research and to simplify administration of benefits.
- Anonymous care and pseudonyms. Today, patients who wish to remain anonymous for purposes of care run a serious risk that the medical history information needed to provide quality medical care will be unavailable. Some approaches to solving this problem show promise for reducing the need to link patient records through the use of patient specific identification, thus potentially mitigating the need for assigning patients unique, universal identifiers.
- Audit tools. The generation of audit trails typically results in enormous amounts of data that must then be analyzed. Automated tools to analyze audit trail data would enable much more frequent examination of accesses and thus make audit trails a more effective deterrent.
- Tools for rights enforcement and management. The primary unsolved technical problem today relates to secondary recipients of information: today's access control tools can effectively limit the primary (first-person) access of any given individual to data stored on-line, but they are ineffective in controlling the subsequent distribution of data. More effective tools for control of secondary distribution of data, such as rights management technology, would go a long way toward enforcing restrictions imposed by primary data providers.
Recommendation 5.3: The Department of Health and Human Services should fund experimental testbeds that explore different approaches to access control that hold promise for being inexpensive and easy to incorporate into existing operations and that allow access during emergency circumstances. The trade-offs between access to health information and the potential benefits and harm resulting from greater access are not well understood. Research is needed to better explicate the costs and benefits of various levels and types of information protection so that decision makers have the information they need to make wise choices. Testbeds specifically for testing the efficacy of various security mechanisms should be developed on the scale necessary (single department within an organization, a single hospital, or a network of organizations) to mimic the types of behaviors expected in an actual operational environment.
The committee believes that these recommendations provide a robust framework for addressing many of the vulnerabilities of health informa-