• to economic discrimination as the result of such a past, he or she may well wish to limit the dissemination or availability of such information.

Mitigating the impact of such concerns is generally a matter of public policy. Health care enterprises and others with access to health care information can decide voluntarily to refrain from using a universal health identifier in particular ways, or mandatory mechanisms can be put in place by legislation. Legislative approaches might choose to prohibit discrimination in employment on the basis of patient information or prohibit the dissemination of patient information to employers. Nevertheless, it may be possible to design an identification and linking scheme that can satisfy the needs of the health care industry without jeopardizing patient privacy or that can help enforce any policy framework established for protecting privacy. For example, it may be possible to design a system that does not rely on a single number. Chapter 4 outlines some approaches for identifying and linking records. Chapter 6 contains the committee's judgments on these issues. The chapters include recommendations for extensive education of the public about threats to the privacy of health care information and criteria for ensuring that the development of any universal patient identifier explicitly recognizes its potential effects on privacy. They also include recommendations for the passage of legislation setting down the principles by which trustees of health care information are limited in its collection, use, and disposal and are responsible for disclosure of accesses to it. Finally, they include the development of technologies that control the integrity of, access to, and accountability for uses of health care information across all stakeholders.

Patient-identifiable health information has business value to organizations such as insurers, employers, providers, and drug companies. This value leads to organizational pressure to disseminate and use the data for purposes other than those for which they were collected. Individual patients are at a disadvantage in resisting this pressure because of the imbalance of power between them and these organizations.

Systemic concerns arise from deep differences among stakeholders as to what constitutes fair information practice. Every stakeholder that receives data about a patient has an argument to support its claims about a bona fide need for patient information. No consensus exists across society regarding the legitimacy of these needs and against which they can be independently assessed. Nor does consensus exist regarding the uses made of such information. This lack of consensus differentiates the security problem in the health care field from that of the military or financial