tals specifies information management (IM) standards. IM.2 states that the "confidentiality, security and integrity of data and information are maintained." IM.2.2 states that "the hospital determines appropriate levels of security and confidentiality for data and information . .. " and continues by stating that the "collection, storage and retrieval systems are designed to allow timely and easy use of data and information without compromising its security and confidentiality." IM.2.2.3 states that "records and information are protected against loss, destruction, tampering and unauthorized access or use.''

The intent of these standards is to ensure that a hospital maintains the security and confidentiality of data and is especially careful about preserving the confidentiality of sensitive data. The hospital is expected to determine the level of security and confidentiality maintained for different types of information. Access to each category of information is based on need and defined by job title and function.

According to the JCAHO, an effective process defines the following:

  1. Who has access to information;
  2. The information to which an individual has access;
  3. The user's obligation to keep information confidential;
  4. When release of health information or removal of the medical record is permitted;
  5. How information is protected against unauthorized intrusion, corruption, or damage; and
  6. The process followed when confidentiality and security are violated.

JCAHO examines hospital practices in the area of information management during its triennial reviews. The reviews address information management practices at an overall level but do not directly ascertain the occurrence of specific instances in which hospital practices may have been violated. JCAHO reviews are nominally voluntary, but organizations that participate in the Medicare and Medicaid programs (and expect to be reimbursed for services offered under these programs) are required to receive JCAHO accreditation.

Improving Public Policy

Better protection of electronic health information will require efforts at the national level. The lack of uniform national standards for the privacy and security of health information creates particular problems for health care organizations that serve constituents in multiple states and creates additional confusion for patients regarding their rights. The re-

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement