tions will, upon request, analyze the audit logs of accesses to a particular patient's record. This practice is useful in detecting alleged violations of confidentiality. Though exposing health care organizations to possible legal action, such reviews can, in the long run, help reduce patients' suspicions and provide the motivation for organizations to develop strong measures for protecting patient information.
Formal organizational structures are needed to develop, implement, and enforce policies regarding privacy and security. These structures take on a variety of forms, depending largely upon the nature and culture of the institution in which they will operate, and serve as a focal point for both management and technical issues related to the safeguarding of privacy and security in paper and electronic medical records. Institutions with strong organizational policy tend to have well-defined structures with clear lines of responsibility. They typically include groups charged with developing policy, offices or departments for implementing policy, and structures for granting access privileges to users of the institution's information systems. A fourth structure—the institutional review board—is discussed above in the section titled "Policies on Research Uses of Health Information."
Health care organizations develop privacy and security policies in many different ways: by a small cadre of senior executives, by a committee process that solicits input from across the organization, or by some combination of the two. Committee members saw a range of approaches during their site visits. One site developed policy primarily within senior management, with limited input from department heads, users, and patients. Another organization used committee structures for all policy development activities. Policy developed by a small group of high-level executives has the advantage of being less time-consuming than a committee process and inherently carries with it the authoritative power of management. At the same time, it is becoming increasingly understood that employee input into policy decisions increases the likelihood of acceptance and effective implementation.13
Most sites visited for this study developed policy by committee. These