actions. Even though some laboratories prefer to match name and ID number to ensure the proper flow of data to patient records or require signed consent forms to accompany a specimen (particularly for HIV tests), laboratory technicians have no real need to know the names of patients whose samples they are analyzing, as long as the correct result occurs (i.e., the data are bound without error or ambiguity to the proper record). Only at a few points in the overall health care process is it necessary that the patient's full identity be known. Using session identifiers in place of the full patient name is equivalent to using access tickets in the Kerberos system for distributed computing authentication and authorization control where actual user or client identity is not carried in the ticket and is available only by means of authorized requests to the key distribution center. Similar capabilities are being developed for Internet commerce, where user anonymity is desired in the context of authenticated transactions (e.g., digital voting, anonymous digital "cash" purchases, and anonymous e-mail for suggestion box submissions). Such a system would preserve patient anonymity more effectively, preventing inappropriate access to patient-identified information while allowing information to be associated accurately with the proper patient record.

As discussed in Chapter 3, there are basically two kinds of interventions for minimizing violations of the confidentiality of health care information: (1) obstacles such as strong authentication and authorization technologies and (2) deterrents such as threats that misbehavior will be observed and sanctions applied. In a health care setting, obstacle-like remedies have limited effectiveness because they often cost time and aggravation for providers carrying out their necessary tasks. Deterrents can be highly effective among groups such as health care providers, who are ethically motivated, or among groups that can be influenced by sanctions such as job loss or legal process.

Audit trails, or records of information access events, can provide one of the strongest deterrents to abuse. Audit trails record details about information access, including the identity of the requester, the date and time of the request, the source and destination of the request, a descriptor of the information retrieved, and perhaps a reason for the access. The effectiveness of such a record depends on strong authentication of users having access to the system; it does little good to know that a celebrity's health care record was retrieved improperly if it is impossible to determine the identities of all those who actually retrieved the record. Audit trail information must also be kept in a safe place so that intruders cannot modify the trail to erase evidence of their access. Finally, although there