Such practices, however, do not address the privacy concerns stemming from the systemic flows of information throughout the health care industry. These concerns can be addressed only through initiatives at a national level that delineate and enforce standards for the appropriate uses of health information.[4] Existing federal laws, however, protect only data in the control of the federal government, and state laws provide inconsistent protection and often apply only to limited kinds of health information. In some instances, federal law facilitates the private-sector collection of patient-identifiable health information and allows self-insured employers to collect such information on their employees. Thus, to ensure the protection of health information, additional policy actions may be required.

As the site visits attested, health care organizations have a strong interest in maintaining privacy and security, but they must balance this interest against the need to ensure that information can be retrieved easily when required for care. Many hospitals, for example, do not prevent physicians from accessing the records of patients not under their care, preferring instead to allow them access to information on all patients in case of emergencies. In some cases, practices that could improve security without adversely affecting care, such as systems for auditing access to clinical information or for systematically reviewing audit logs, have not been widely implemented. Given the rapid pace at which health care organizations have been trying to install and expand the functionality of health care information systems, they have had limited resources to dedicate to security concerns.

Part of the problem is a lack of strong incentives for upgrading security practices. Privacy is not often a market differentiator in the health care industry; patients generally select care providers and health plans for reasons other than their ability to protect patient information. Because there has not yet been a widespread and public catastrophe involving information security in the health care industry, many organizations believe that the risk of a major breach of security is low. Several sites visited for this study believe that they could survive a major event without significant consequences. Moreover, no strong legislation or enforceable industry standards yet exist that govern the privacy and security of health information. Thus, there have been few incentives to invest time


[4] These concerns are discussed in detail in Institute of Medicine, 1994, Health Data in the Information Age: Use, Disclosure, and Confidentiality, Molla S. Donaldson and Kathleen N. Lohr (eds.), National Academy Press, Washington, D.C.; and Office of Technology Assessment, 1993, Protecting Privacy in Computerized Medical Information, OTA-TCT-576, U.S. Government Printing Office, Washington, D.C., September, Chapter 4, pp. 75-87.

Copyright © National Academy of Sciences. All rights reserved.