When you visit the doctor, information about you may be recorded in an office computer. Your tests may be sent to a laboratory or consulting physician. Relevant information may be transmitted to your health insurer or pharmacy. Your data may be collected by the state government or by an organization that accredits health care or studies medical costs. By making information more readily available to those who need it, greater use of computerized health information can help improve the quality of health care and reduce its costs. Yet health care organizations must find ways to ensure that electronic health information is not improperly divulged. Patient privacy has been an issue since the oath of Hippocrates first called on physicians to "keep silence" on patient matters, and with highly sensitive data--genetic information, HIV test results, psychiatric records--entering patient records, concerns over privacy and security are growing.

For the Record responds to the health care industry's need for greater guidance in protecting health information that increasingly flows through the national information infrastructure--from patient to provider, payer, analyst, employer, government agency, medical product manufacturer, and beyond. This book makes practical detailed recommendations for technical and organizational solutions and national-level initiatives.

For the Record describes two major types of privacy and security concerns that stem from the availability of health information in electronic form: the increased potential for inappropriate release of information held by individual organizations (whether by those with access to computerized records or those who break into them) and systemic concerns derived from open and widespread sharing of data among various parties.

The committee reports on the technological and organizational aspects of security management, including basic principles of security; the effectiveness of technologies for user authentication, access control, and encryption; obstacles and incentives in the adoption of new technologies; and mechanisms for training, monitoring, and enforcement.

For the Record reviews the growing interest in electronic medical records; the increasing value of health information to providers, payers, researchers, and administrators; and the current legal and regulatory environment for protecting health data. This information is of immediate interest to policymakers, health policy researchers, patient advocates, professionals in health data management, and other stakeholders.

Contents

• Committee On Maintaining Privacy And Security In Health Care Applications Of The National Information Infrastructure
• Computer Science And Telecommunications Board
• Commission On Physical Sciences, Mathematics, And Applications
• [The National Academies]
• Preface
• [Dedication]
• Executive Summary
• 1. Introduction
  • The Growing Use Of Information Technology In Health Care
  • Protecting the Privacy and Security of Health Information
  • Goals And Limitations Of This Report
  • Organization Of This Report
• 2. The Public Policy Context
  • Federal And State Protections
  • Nongovernmental Initiatives
  • Improving Public Policy
• 3. Privacy and Security Concerns Regarding Electronic Health Information
  • Concerns Regarding Health Information Held By Individual Organizations
  • Countering Organizational Threats
  • Systemic Concerns About Health Information
• 4. Technical Approaches to Protecting Electronic Health Information
  • Observed Technological Practices At Studied Sites
  • Physical Security of Communications, Computer, and Display Systems
  • Control of External Communication Links and Access
  • Encryption
  • Software Discipline
  • System Backup and Disaster Recovery Procedures
  • System Self-Assessment and Attention to Technological Awareness
  • Site Visit Summary
  • Key Issues In Using Technology To Protect Health Information
  • Obstacles To Use Of Security Technology
• 5. Organizational Approaches to Protecting Electronic Health Information
  • Formal Policies
  • Organizational Structures
  • Education And Training
  • Sanctions For Breaches Of Confidentiality
  • Improving Organizational Management: Closing The Gap Between Theory And Practice
• 6. Finding and Recommendations
  • Findings And Conclusions
  • Recommendations
  • Concluding Remarks
• Bibliography
• Appendixes
  • Appendix A Study Committee's Site Visit Guide
  • Appendix B Individuals Who Briefed the Study Committee
  • Appendix C National Library of Medicine Awards to Develop Health Care Applications of the National Information Infrastructure
  • Appendix D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information
  • Appendix E Committee Biographies

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.

Support for this project was provided by the National Library of Medicine and the Warren Grant Magnuson Clinical Center of the National Institutes of Health and by the Massachusetts Health Data Consortium. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.