of a check mark means that the site pays only minimal attention to the given security feature or, in the opinion of the site visit team, could have made significantly more effective use of existing, proven technologies and practices. These judgments may differ from those of individual site managers and system administrators, who judge the need for a particular precaution on the basis of the perceived threat (or lack of it) within the organization. These security considerations are focused on preserving information confidentiality within provider organizations and do not address the problems of unrestricted use of information (e.g., for data mining) after it has passed, with consent, outside the provider organization to secondary payers or to other stakeholders in the health information services industry.

In addition to securing health information systems, as described above, technical tools can play a role in protecting patient privacy by facilitating or impeding the distribution of health information. While advanced computing and communications technology, in general, facilitates the dissemination of health information, technologies exist that can help limit unauthorized or inappropriate distribution of health information. Such technologies include patient identifiers and other approaches for linking records contained in disparate databases, as well as rights management technologies for limiting secondary distribution of health information.

Developing robust methods of indexing and linking patient records is critical to ensuring that providers have reliable data on which to base medical decisions.¹⁸ Patient-specific health care information must be bound uniquely and unambiguously to the person to whom it relates through the use of an identifying label such as a medical record number. To ensure that the identifier is unique, organizations must prevent assignment of the same number to two different patients; to ensure that it is unambiguous, organizations must prevent indexing of any single patient's