rity (i.e., what information should be assigned what access controls), having multiple access privilege databases in an organization that must work in consort, and keeping track of the users in an organization and their often changing roles over time (e.g., providers who move from service to service or fill in temporarily for a colleague).

An additional crucial aspect of data access control for health care settings is to allow access overrides in the case of an emergency. When a patient shows up in an emergency care facility unconscious or incoherent, the physician, who may never have seen the patient before, must have access to crucial information (prior history, current medications, allergies, possible psychiatric status, etc.) quickly to make possibly life saving decisions about care. Thus, the context (urgency) of the need to know may override conventional access control mechanisms (with an appropriate audit log of the event, as described below).

The committee's review indicated that most health care organizations are attempting to adapt access control criteria and processes from paper record systems to on-line systems. Thus, most sites conceptually identify four classes of information:

1. Public information (e.g., promotional materials, educational materials) available to any interested person inside or outside the organization;
2. Internal confidential information (e.g., organizational policies, business strategies, outcomes and utilization information) accessible on a need-to-know basis to organization employees and affiliates;
3. Confidential patient record information—the routine content of patient health records—accessible on a need-to-know basis to providers and oversight groups, as well as to outside groups (e.g., insurance payers); and
4. Highly sensitive patient record information (e.g., records of celebrities or other widely recognized persons, or special content such as information related to substance abuse, psychiatric care, physical abuse, HIV status, and abortions) accessible on a restricted need-to-know basis to authorized users of patient record information.

Although these distinctions are made in principle, often information is not labeled appropriately, except for patient records and sensitive information; in fact, most organizations have not yet decided whether or not to put highly sensitive information on-line because of concerns about patient privacy. For medical record information, most sites do not distin-