Addressing Systemic Concerns Related To Privacy And Security

Recommendations 1 and 2 (with 2.1 and 2.2) address actions to protect the privacy and security of health information held by individual health care organizations; they do not address the privacy concerns that result from the legitimate and widespread systemic flows of information within the health care system. Although the committee was not constituted with the range of expertise needed to render recommendations about ways to balance patients' desire for privacy against the social benefits that accrue from better access to information for health care, research, and other purposes, it does call attention to the existence of this conflict and recommends a national debate to determine how and to what extent greater control needs to be taken over these flows of information in order to protect patient privacy. [7] Only when this national debate takes place can policy be formulated properly.

Recommendation 3: The federal government should work with industry to promote and encourage an informed public debate to determine an appropriate balance between the privacy concerns of patients and the information needs of various users of health information. The objective of this debate should be to develop a consensus about the ways in which privacy concerns can be balanced against the legitimate needs of other users for patient-identifiable health information. If the result of this debate is a decision that the privacy interests of consumers should weigh more heavily in this competition, several legislative options could strengthen the hands of consumers. These include (1) legislation to restrict access to patient-identifiable health information based on the intended use; (2) legislation to prohibit specific practices of concern to patients; (3) legislation to establish information rights for patients; and (4) legislation to enable a health privacy ombudsman (described below) to take legal action against those who violate privacy standards (these options are explained in greater detail in Box 6.2 of Chapter 6). To further this debate, the committee makes five subrecommendations.

Recommendation 3.1: Organizations that collect, analyze, or disseminate health information should adopt a set of fair information practices similar to those contained in the federal Privacy Act of 1974. These practices would define the obligations and responsibilities of organizations that collect, analyze, or store health information; give patients the


[7] A recent committee appointed by the Institute of Medicine was specifically charged to address these issues. See Institute of Medicine. 1994. Health Data in the Information Age: Use, Disclosure, and Confidentiality, Molla S. Donaldson and Kathleen N. Lohr (eds.). National Academy Press, Washington, D.C.
