sults are administrative uncertainty and potential violations of privacy in states with weaker confidentiality requirements. To further compound the problem, few mechanisms exist, inside or outside government, for monitoring and enforcing compliance with laws, regulations, and standards governing the confidentiality of health information. In particular, an individual whose information has been compromised generally lacks recourse for a specific incident and cannot receive compensation or ensure that those responsible for the incident are punished.
Conflicting views of data ownership and a lack of patient understanding of health data flows and of their rights to privacy and confidentiality also need to be addressed at a national rather than an institutional or organizational level. As site visits and briefings to the committee attest, patients, providers, health researchers, and other users of health information often have conflicting views regarding the ownership of identifiable health information. Patients tend to believe that information about their health history, diagnosis, and treatment belongs to them because it is about them. Health care organizations believe patient health information belongs to them because they invest resources in collecting, storing, and analyzing it and because they are required to collect data regarding patient care. Insurance companies, pharmaceutical manufacturers, and market research companies claim some ownership rights because of their vested interests. In addition, there is evidence that vendors of medical diagnostic equipment believe the data collected by their instruments belong to them because their devices have enabled its collection. The resulting confusion has frustrated efforts to enhance the privacy and security of health information by frustrating efforts to determine responsibility for protecting information.
Over the past several years, a consensus has emerged within Congress and among the general public regarding the need for federal legislation to address this important issue. The Office of Technology Assessment (OTA), in its report Protecting Privacy in Computerized Medical Information,31 found that current laws, in general, do not provide consistent, comprehensive protection of health information confidentiality. Focusing on the impact of computer technology, the report concluded that computerization reduces some concerns about the privacy of health infor-