entail.2 As health care organizations collect, process, and store more health information in computerized form and use both private and public telecommunications systems to transmit this information between different entities, they must ensure that adequate mechanisms are in place to protect the information.

This report investigates ways of protecting health information in an era of increasing computerization and far-reaching communications. It concentrates primarily on protecting patient-identifiable health information, that is, health records that contain information from which the patient's identity can be deduced or inferred.3 It assesses technical and organizational practices currently in use for protecting electronic health information, identifies other technologies worthy of testing in health care settings, and outlines areas for future research. In addition, the report discusses the privacy concerns that stem from the increasing exchanges of information among different types of organizations involved in providing care, paying for care, or conducting analyses of health information for a wide range of societal purposes. As the report notes, such sharing of information may pose greater privacy concerns than unauthorized access to health information stored at any individual location.

The Growing Use Of Information Technology In Health Care

Expenditures on information technology for health care are growing rapidly. The health care industry spends approximately $10 billion to $15 billion a year on information technology, and expenditures are expected to grow by 15 to 20 percent a year for the next several years.4 Health care organizations are developing electronic medical records (EMRs) for stor-


The terms privacy, confidentiality, and security are used in many different ways to discuss the protection of personal health information. This report uses the term privacy to refer to an individual's desire to limit the disclosure of personal information. It uses the term confidentiality to refer to a condition in which information is shared or released in a controlled manner. Organizations develop confidentiality policies to codify their rules for controlling the release of personal information in an effort to protect patient privacy. Security consists of a number of measures that organizations implement to protect information and systems. It includes efforts not only to maintain the confidentiality of information, but also to ensure the integrity and availability of that information and the information systems used to access it.


The protection of genomic data and tissue samples, while also of increasing concern, is not specifically addressed in this report, although much of the discussion of patient-identifiable information does apply.


Munro, Neil. 1996. "Infotech Reshapes Health Care Marketplace," Washington Technology, Aug. 8, p. 1.

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement