Recommendation 2: Government and the health care industry should take action to create the infrastructure necessary to support the privacy and security of electronic health information.

The comprehensive protection of electronic health information would benefit from an industry-wide infrastructure that would develop and promote adoption of proven practices for protecting privacy and security and would facilitate greater sharing of security-related information among organizations that collect, process, and store health information. Many of these tasks are currently conducted in a fragmented manner, with little coordination between standards-development bodies and accrediting agencies or between organizations responsible for different sectors of the industry, such as hospitals, managed care organizations, and insurers. The committee believes that greater coordination of these disparate efforts would help address many of the systemic concerns about the privacy of health information and would provide clear leadership to individual health care organizations regarding the standards with which they should comply. While health care organizations have strong incentives to develop health care applications of national information infrastructure, they do not necessarily have strong incentives to improve privacy and security. The committee makes three subrecommendations described below to support this goal.
Recommendation 2.1: The Secretary of Health and Human Services should establish a standing health information security standards subcommittee within the National Committee on Vital and Health Statistics to develop and update privacy and security standards for all users of health information. Membership should be drawn from existing organizations that represent the broad spectrum of users and subjects of health information.

The Secretary of Health and Human Services has already charged the National Committee on Vital and Health Statistics (NCVHS) with recommending standards for the security of electronic health information as called for in the Health Insurance Portability and Accountability Act of 1996. NCVHS should appoint a standing subcommittee that would monitor changing concerns regarding the privacy of health information and new approaches to protecting such information. Although a number of disparate organizations are currently attempting to develop standards for the security of health information systems and patient privacy (including the American National Standards Institute's Health Informatics Standards Board and its members, the Computer-based Patient Record Institute, and the American Health Information Management Association), none of these organizations represents the broad spectrum of users of health information as well as NCVHS does, and none has demonstrated clear leadership in setting and promulgating