Currently Skimming:

Executive Summary
Pages 1-18

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 1...
... At the same time, the prospect of storing health information in electronic form raises concerns about patient privacy and data security, for although information technology allows the use of advanced technical mechanisms to limit access to health information, it also introduces new vulnerabilities. Information technology facilitates both the storage of large amounts of electronic information in a small physical space and the dissemination of this information. It also enables the creation and analysis of large databases that contain information from various sources.
From page 2...
... In response to these concerns, the National Library of Medicine, together with the Warren Grant Magnuson Clinical Center of the National Institutes of Health and the Massachusetts Health Data Consortium, asked the Computer Science and Telecommunications Board of the National Research Council to examine ways of protecting electronic health information. As part of its research, the Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure assembled for this project conducted visits to six health care organizations that had demonstrated leadership in developing health care applications of information technology.
From page 3...
... As health care organizations expand the scale and scope of their computer networks, their vulnerability to outside attacks is bound to increase. Little is known about the extent of privacy and security violations in health care organizations.
From page 4...
... From the patient's perspective, the flows of health information among these many types of organizations may be of more concern than the possible misuse of information by authorized users within a particular organization or by outside attackers.
PROTECTING ELECTRONIC HEALTH INFORMATION
Protection of electronic health information held by individual organizations requires a combination of both technical and organizational practices, the selection of which involves implicit trade-offs among cost, complexity, and degree of privacy provided.
From page 5...
... In some cases, practices have not been widely implemented that could improve security without adversely affecting care, such as systems for auditing access to clinical information or for systematically reviewing audit logs. Given the rapid pace at which health care organizations have been trying to install and expand the functionality of health care information systems, they have had limited resources to dedicate to security concerns.
From page 6...
... The Health Insurance Portability and Accountability Act of 1996, for example, directs the Secretary of Health and Human Services to develop and promulgate security standards for electronic health information by February 1998 and to make recommendations to Congress regarding the privacy of individually identifiable health information by August 1997. Other legislation was introduced to the 105th Congress that also addresses the privacy of health information.
RECOMMENDATIONS
In order to better protect electronic health information, health care organizations will have to work individually, collectively, and with relevant government entities to address the broad scope of concerns regarding privacy and security.
From page 7...
... Over time, the technical solutions available to health care organizations for protecting health information will evolve as will the sophistication of the threat. Health care organizations will have to upgrade their security practices as new technology becomes available.
From page 10...
... The comprehensive protection of electronic health information requires an institutional infrastructure that will develop and promote compliance with industrywide standards for privacy and security and facilitate greater sharing of security-related information among organizations that collect, process, and store health information. Although health care organizations have strong incentives to adopt information technology, they do not necessarily have adequate incentives to develop the infrastructure necessary to promote privacy and security without support from government.
From page 11...
... Establishment of an organization to facilitate exchanges of such information would provide a vehicle for improving the security of electronic health information as health care organizations increase their reliance on information technology and would strengthen the knowledge base for making policy in this area. It could be modeled after the computer emergency response team established at Carnegie Mellon University for Internet security (the CERT Coordination Center)
From page 12...
... Although the committee was not constituted with the range of expertise needed to render recommendations about ways to balance patients' desire for privacy against the social benefits that accrue from better access to information for health care, research, and other purposes, it does call attention to the existence of this conflict and recommends a national debate to determine how and to what extent greater control needs to be taken over these flows of information in order to protect patient privacy. Only when this national debate takes place can policy be formulated properly.
Recommendation 3: The federal government should work with industry to promote and encourage an informed public debate to determine an appropriate balance between the privacy concerns of patients and the information needs of various users of health information.
From page 13...
... Recommendation 3.2: The Department of Health and Human Services should work with state and local governments, health care researchers, and the health care industry to establish a program to promote consumer awareness of health privacy issues and the value of health information for patient care, administration, and research. It should also conduct studies that will develop a series of recommendations for improving the level of consumer awareness of health data flows.
From page 14...
... Developing Patient Identifiers
The current effort to develop standards for a universal health identifier as mandated by the Health Insurance Portability and Accountability Act has potential implications for patient privacy. While use of a common identifier for indexing patient records has the potential of improving the quality and reducing the costs of health care by making a more complete patient record available to providers, of facilitating the creation of longitudinal patient records for health care researchers, and of simplifying the administration of health care benefits, it could also facilitate the assembly of information about patients without their consent (e.g., the linkage of medical records with financial and employment records)
From page 15...
... Nevertheless, these criteria are intended to ensure that privacy concerns are explicitly recognized in the debate over universal patient identifiers. In the end, other criteria will also have to be considered in deciding whether and how to develop a universal identifier to ensure that it will allow access to patient records as needed for medical care, research, and billing; that it can be integrated easily into existing health information systems; and that some sort of system can be established for distributing and managing identifiers.
From page 16...
... The question the nation must therefore answer is whether there are ways of attaining the presumed benefits of a universal patient identifier without jeopardizing patient privacy.
Meeting Future Technological Needs
As the threats to electronic health information become more sophisticated and health care organizations take greater advantage of information technology, additional technologies for security will become necessary.
From page 17...
... Some approaches to solving this problem show promise for reducing the need to link patient records through the use of patient-specific identification, thus potentially mitigating the need for assigning patients unique, universal identifiers. · Audit tools.
From page 18...
... tion systems at both the institutional and systemic levels. Clearly, additional work is needed, yet the committee believes that, with these mechanisms in place, the health care industry will be able to move forward in its attempts to improve health care while simultaneously protecting patient privacy.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.