rity (i.e., what information should be assigned what access controls), having multiple access privilege databases in an organization that must work in consort, and keeping track of the users in an organization and their often changing roles over time (e.g., providers who move from service to service or fill in temporarily for a colleague).
An additional crucial aspect of data access control for health care settings is to allow access overrides in the case of an emergency. When a patient shows up in an emergency care facility unconscious or incoherent, the physician, who may never have seen the patient before, must have access to crucial information (prior history, current medications, allergies, possible psychiatric status, etc.) quickly to make possibly life saving decisions about care. Thus, the context (urgency) of the need to know may override conventional access control mechanisms (with an appropriate audit log of the event, as described below).
The committee's review indicated that most health care organizations are attempting to adapt access control criteria and processes from paper record systems to on-line systems. Thus, most sites conceptually identify four classes of information:
Although these distinctions are made in principle, often information is not labeled appropriately, except for patient records and sensitive information; in fact, most organizations have not yet decided whether or not to put highly sensitive information on-line because of concerns about patient privacy. For medical record information, most sites do not distin-