operations). Password discipline should be exercised, requiring users to change passwords on a regular basis and to select passwords that cannot be guessed easily. Procedures should be established to (1) revoke the identifiers of employees who leave the organization; (2) identify and revoke other unused identifiers as appropriate; (3) ensure that only legitimate users are granted access to the organization's information system; and (4) guarantee that authorized users can access needed information in emergency situations.

Access Controls. Procedures should be in place that restrict users' access to only that information for which they have a legitimate need. Ideally, such controls should be based on the needs of individual users, but in practice they may have to be based on job categories. Narrow job descriptions should be used, where possible, to allow more fine-grained control of access privileges. For example, job titles such as "doctor," "nurse," or "physician's assistant" provide less control than titles such as "cardiologist" or "emergency room nurse."5 Any of the models discussed in Chapters 4 and 5 can be used for distributing access privileges. The committee recognizes that individual organizations will have to determine the appropriate job categories within their facilities and decide whether medical staff is allowed to access the records of all patients treated by the organization (which is often the case today) or only of patients under their direct care. Again, the proper balance between access and privacy will depend on the specific setting and on the need to ensure access to information in emergency situations.

Audit Trails. Organizations should maintain in retrievable and usable form audit trails that log all accesses to clinical information. The logs should include the date and time of the access, the information or record accessed, and the user ID under which access occurred. Organizations that provide health care services to their own employees should implement the capability for employees to conduct audits of accesses to their own health records. Although self-audits will not necessarily identify large numbers of inappropriate accesses to health records, they have proved to be a cost-effective way of raising employees' awareness and appreciation of privacy concerns in organizations that have deployed them. In addition, all organizations should implement procedures for

5. It should be noted that the use of fine-grained access controls can exacerbate the difficulty of keeping the data in medical records organized so that they correspond with the access privileges of the users. A variety of software tools are under development to assist in managing this task (see Chapter 4).
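The Access Controls and Audit Trails recommendations above, together with the identifier-revocation procedure from the preceding paragraph, can be made concrete in a small policy layer. The following is an added illustration, not code from the report or from any system the committee examined: the job categories, record sections, users, patients and the break-glass rule are all constructed for the example. It assumes that a record is divided into labelled sections (the organizational problem the footnote points to), that the job category is enforced even in an emergency while only the direct-care requirement is waived, and that every attempt, granted or not, produces an audit entry with the date and time, the record and section accessed, and the user identifier.

```python
"""Toy access-control and audit-trail layer for clinical records.

Added example with constructed data: job categories, record sections, users,
patients and the emergency policy are made up for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Job category -> record sections that category legitimately needs to see.
# A narrow category such as "cardiologist" permits finer control than "doctor".
ROLE_SECTIONS: Dict[str, Set[str]] = {
    "cardiologist": {"demographics", "cardiology", "medications", "labs"},
    "emergency_room_nurse": {"demographics", "medications", "allergies", "vitals"},
    "billing_clerk": {"demographics", "billing"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass
class PatientRecord:
    patient_id: str
    care_team: Set[str]                      # user_ids with a direct-care relationship
    sections: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str    # date and time of the access
    patient_id: str   # which record was touched
    section: str      # which information within it
    user_id: str      # identifier under which access occurred
    outcome: str      # "granted", "emergency" or "denied"


class ClinicalStore:
    def __init__(self, records: List[PatientRecord], restrict_to_direct_care: bool = True):
        self._records = {r.patient_id: r for r in records}
        # Organization-level choice: all patients of the facility, or only direct care.
        self.restrict_to_direct_care = restrict_to_direct_care
        self.revoked: Set[str] = set()       # identifiers of employees who have left
        self.audit_log: List[AuditEntry] = []

    def revoke(self, user_id: str) -> None:
        self.revoked.add(user_id)

    def _log(self, user: User, patient_id: str, section: str, outcome: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append(AuditEntry(stamp, patient_id, section, user.user_id, outcome))

    def read(self, user: User, patient_id: str, section: str, emergency: bool = False) -> Optional[str]:
        """Return one record section or raise PermissionError; every attempt is logged."""
        record = self._records[patient_id]
        role_ok = user.user_id not in self.revoked and section in ROLE_SECTIONS.get(user.role, set())
        relationship_ok = (not self.restrict_to_direct_care) or user.user_id in record.care_team
        if role_ok and relationship_ok:
            self._log(user, patient_id, section, "granted")
            return record.sections.get(section)
        if role_ok and emergency:
            # Break-glass (assumed policy): the job-category check still applies, only the
            # direct-care requirement is waived, and the entry is marked for later review.
            self._log(user, patient_id, section, "emergency")
            return record.sections.get(section)
        self._log(user, patient_id, section, "denied")
        raise PermissionError(f"{user.user_id} ({user.role}) may not read {patient_id}/{section}")

    def self_audit(self, patient_id: str) -> List[AuditEntry]:
        """Every access to one patient's record, for the patient (or employee-patient) to review."""
        return [e for e in self.audit_log if e.patient_id == patient_id]

    def emergency_accesses(self) -> List[AuditEntry]:
        """Break-glass uses that a privacy officer should review after the fact."""
        return [e for e in self.audit_log if e.outcome == "emergency"]


def build_demo_store() -> ClinicalStore:
    """Constructed sample data: one patient whose care team is a single cardiologist."""
    record = PatientRecord("p001", care_team={"u100"}, sections={
        "demographics": "J. Doe, 1961",
        "cardiology": "ECG: sinus rhythm",
        "vitals": "BP 128/82",
        "billing": "Invoice open",
    })
    return ClinicalStore([record])


if __name__ == "__main__":
    store = build_demo_store()
    cardiologist, nurse = User("u100", "cardiologist"), User("u200", "emergency_room_nurse")
    print(store.read(cardiologist, "p001", "cardiology"))        # on the care team: granted
    try:
        store.read(nurse, "p001", "vitals")                      # not on the care team: denied
    except PermissionError as exc:
        print(exc)
    print(store.read(nurse, "p001", "vitals", emergency=True))   # break-glass: logged as emergency
    for entry in store.self_audit("p001"):
        print(entry)
```

Setting restrict_to_direct_care to False reproduces the "all patients treated by the organization" policy the text says is common today; the audit log is unchanged either way, which is what lets the organization tighten the rule later and still review past accesses. The self_audit view is what an employee-patient would be shown, and emergency_accesses is the list a privacy officer works through.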

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.