For the Record: Protecting Electronic Health Information (1997)
Computer Science and Telecommunications Board (CSTB)


"1 Introduction." For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press, 1997.



Page 29



interface developer must work to reduce the scope of the requests that the user can make. Although a Web-based interface for examining data can be as restrictive as a system based on the transaction approach, checking whether a user's actions are appropriate is difficult and expensive; auditing a user's actions is more complex; and the assurance that the intended limits are indeed enforced is even more difficult to achieve. Nor is it necessarily possible to determine what the user intends to do with the information retrieved and if the user therefore is a threat to patient privacy.

The solutions advocated to address these privacy concerns fall into one of three categories. One approach is to forbid outright the collection of data that might be misused, on the theory that procedural solutions are inevitably ineffective and subject to abuse and compromise (these concerns about inevitable compromise are usually manifested in the area of secondary release of data). A second approach is to allow the collection of some amount of personal information (e.g., health information) under a specific set of circumstances but to impose on collecting organizations and parties rules about the management and disposition of that information and penalties for violations of those rules. A third approach is to specify conditions regarding the use of patient-identifiable health information through the policy process to which all handlers of that information are obligated to conform. The first proposal precludes the development of electronic databases of health information. The second and third approaches can be implemented through the promulgation of appropriate public and organizational policy and the use of certain technologies. The second approach leads to situations in which the same information is handled differently by different organizations, simply because they fall into different categories. The third approach leads to a more uniform treatment of data and represents a high-level organizing principle for governing the protection of patient-specific information.

Addressing Privacy and Security Concerns

Even before the advent of computers, significant resources were devoted to the safeguarding of health information. Every accredited hospital in the United States had (and still has) a medical records department with responsibility for ensuring only legitimate access to health records, the integrity of data contained in those records, and the confidentiality of those records. Health care organizations established policies regarding the collection, use, and release of health information to maintain privacy and security, and they evaluated the relative costs and benefits of alternative mechanisms for protecting health information.

With electronic health information, the same issues still apply, though
