from accessing a system from a location not reasonably associated with a need for that data.

Access Control Technologies Not Yet Deployed in Health Care Settings

Access Control List and Role Based Access. The committee believes that the flexibility of access control list technologies, such as those being deployed in the Open Software Foundation's Distributed Computing Environment, should be deployed more widely to facilitate detailed management of information access based on often changing user role(s), temporal variations in role, and so forth. Several research studies and demonstrations of role-based access control are under way that may help in defining ways to manage the complexities and promote the use of this type of authorization.[8]

Anonymous Patient IDs. The health care community typically assumes that a patient's name (and other personal demographic information) is routinely associated with all steps in the patient's care—for example, chart information, blood and tissue samples, laboratory tests, radiological films, pharmaceuticals. This practice constitutes implicit open visual access to aspects of patient information on the part of all persons involved in a patient's care, even if they have no need to know the identity of a patient. This in turn often leads to breaches of privacy through disclosure of private information about acquaintances. It may be possible to reduce these frequent, casual, and accidental disclosures of confidential information if unique identifiers, other than the patient's name, were used on records, orders, testing, and diagnostic procedures, except where absolutely essential. For example, there is not always a need to have a patient's name displayed in processing laboratory or pathology data, in analyzing radiology or cardiology test results, or in many other situations.[9] A coded patient ID would suffice in many cases, just as bank account numbers and credit card numbers provide the true identifying label for financial trans-


8. See Ferraiolo, David, and Richard Kuhn, "Role-based Access Controls," a summary of ongoing work at the National Institute of Standards and Technology, available on-line at; and Wiederhold, Gio, Michel Bilello, Vatsala Sarathy, and Xiaolei Qian, 1996, "A Security Mediator for Health Care Information," Proceedings of the 1996 AMIA Conference, Washington, D.C., October, pp. 120-124.


9. In some cases, the use of patient names for laboratory tests is helpful. As one reviewer noted, on evening and night shifts when staffing is short, hospital laboratory personnel (who themselves often must draw specimens from patients in their rooms) must informally prioritize sampling. The more anonymous the specimens, the less likely is this informal but important information exchange and judgment to be made.
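The following is an added illustration, not code from the report, of the two mechanisms described in the "Access Control List and Role Based Access" and "Anonymous Patient IDs" passages above: role assignments that are valid only for a shift (temporal variation in role), a per-record access control list for ad hoc grants, and a coded patient ID under which laboratory work proceeds while resolving the code back to a name is a separate, audited permission held only by care-team roles. The role and permission names, the HMAC-based coding scheme, the demo key, and the medical record numbers are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
import hashlib, hmac

_ID_KEY = b"constructed-demo-key"  # constructed; a real key belongs in an HSM/KMS

def coded_patient_id(mrn: str) -> str:
    """Keyed pseudonym for a medical record number: stable per patient, not reversible without the key."""
    return hmac.new(_ID_KEY, mrn.encode(), hashlib.sha256).hexdigest()[:12]

# Role -> permissions (names constructed). Lab staff work under the coded ID only;
# care-team roles may additionally resolve a coded ID back to the patient's name.
ROLE_PERMS = {
    "lab_tech": {"read_result", "write_result"},
    "nurse": {"read_result", "resolve_identity"},
    "attending": {"read_result", "resolve_identity"},
}

@dataclass
class User:
    name: str
    assignments: list = field(default_factory=list)  # (role, starts, ends): a role held only for a shift

    def active_roles(self, at: datetime) -> set:
        return {role for role, starts, ends in self.assignments if starts <= at < ends}

audit_log: list = []  # every decision is recorded, whether granted or denied

def authorize(user: User, perm: str, at: datetime, acl: set = frozenset()) -> bool:
    """RBAC decision at time `at`; `acl` is a per-record access control list of user names for ad hoc grants."""
    granted = user.name in acl or any(perm in ROLE_PERMS.get(r, ()) for r in user.active_roles(at))
    audit_log.append((at.isoformat(), user.name, perm, granted))
    return granted

def resolve_identity(user: User, coded_id: str, index: dict, at: datetime):
    """Return the name behind a coded ID only if the user may resolve identities; otherwise None."""
    return index.get(coded_id) if authorize(user, "resolve_identity", at) else None

def demo() -> dict:
    t0, end = datetime(2024, 1, 1, 20), datetime(2024, 1, 2, 4)  # constructed evening shift, 20:00 to 04:00
    cid = coded_patient_id("MRN-0001")
    index = {cid: "Jane Doe"}  # the name index lives only with the identity-resolution service
    tech = User("tech", [("lab_tech", t0, end)])
    doc = User("doc", [("attending", t0, end)])
    return {"tech_writes": authorize(tech, "write_result", t0),
            "tech_after_shift": authorize(tech, "write_result", end),
            "tech_sees_name": resolve_identity(tech, cid, index, t0),
            "doc_sees_name": resolve_identity(doc, cid, index, t0),
            "consult_via_acl": authorize(User("consult"), "read_result", t0, acl={"consult"})}
```

Running `demo()` shows the technologist writing results under the coded ID but never obtaining the name, losing even that access once the shift ends, while the attending resolves the name and a consultant is admitted to one record through the ACL alone; `audit_log` retains every decision.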

Copyright © National Academy of Sciences. All rights reserved.