ger relationship between patients and providers with regard to maintaining patient privacy. Both the content of policies and the approach used to develop them play a large role in ensuring that employees abide by them. Policy documents are most effective when designed as easily accessible, ongoing reference materials and when introduced at the start of employment and referred to regularly in training and other internal communications.

Policies Regarding Information Uses and Flows

Policy statements regarding information uses and flows attempt to balance the need for providers, payers, researchers, and others to access health information against patients' desires for privacy. Overly restrictive policies, by making information inaccessible and leaving providers vulnerable to malpractice litigation, may interfere with providers' abilities to care for patients properly. Overly permissive policies may cause patients to lose confidence in the ability of the organization to protect sensitive data, making them reluctant to impart vital information. Notwithstanding common principles for balancing access and privacy, specific decisions may vary across organizations according to the size, structure, and types of care provided. Organizational culture also plays a strong role.

Policies regarding information use and flows tend to be formalized in specific policy documents on security, confidentiality, protection of sensitive health information, research uses of health information, and release of health information. They address both paper and electronic health records to avoid possible inconsistencies in the procedures employees follow for handling them.[5] Formally developed policies vary among organizations according to their internally developed risk assessments (Box 5.1).

Security Policies

Security policies describe an organization's philosophy and goals for user authentication and access control, as well as data reliability, availability, and integrity. Effective policies generally include a description of the organization's risk assessment and assign responsibility to individu-


At present, the electronic medical record is an attempt to transfer paper records into electronic form. Over time, the electronic medical record will incorporate content such as images and sound that cannot be stored in paper form. Modern telecommunications may also provide the opportunity to capture content not previously considered part of the patient record, such as teleconferences and on-line consultations.

The National Academies of Sciences, Engineering, and Medicine

Copyright © National Academy of Sciences. All rights reserved.