BOX 5.3 Training Physicians in Privacy and Security
The difficulty of involving physicians in effective information system training is symptomatic of the changing basic professional norms and values in the practice of medicine. Most models of the medical profession are careful to distinguish between the content of medical work (the actual practice of medicine) and the terms and conditions of medical work—the organizational, employment, and contractual arrangements defining the relationship between the physician and the clinic, group, hospital, health maintenance organization, preferred provider organization, or health system where medical care is delivered.1 Although physicians continue to exert considerable control over the content of their work, there has been a marked erosion of physician control over the terms and conditions of that work. Most physicians who work within managed care settings are familiar with this development; however, they are still somewhat uncomfortable with the reality of modern medical work defined as both the process of delivering care and the process of creating, maintaining, and transmitting information about that care. Medical notes and patient charts traditionally have been someone else's responsibility, now, physicians must encounter the information system directly, and must then be responsible for how information is created, used, and safeguarded. Physician resistance to accepting this responsibility may be owing to the fact that responsibility for such charting tasks historically has been associated with clerical staff. Physicians are likely to define information processing tasks as part of the terms and conditions of medical work, rather than as part of the core of medical work. Once that historical association is weakened and the core of medical work is redefined as both care process and information process, resistance may also weaken.
The first and most obvious way to help overcome such resistance is to work toward revision of the medical school curriculum so that training in information systems and the importance of data security is more than cursory. Medical school curriculum changes are slow to develop and spread; thus, this type of solution can be expected only in the long term. Currently, many managed care organizations complain that primary care physicians hired at the postresidency level often lack experience with information systems and must be given extensive in-house retraining.2
Within managed care organizations and health maintenance organizations it is possible to directly impose information system training and responsibility for data
training programs. These include attractive pamphlets, enhancements to computer systems, self-study modules available for use in the computer training center or to take home, and posted reminders in elevators and cafeterias.
An organization's information system may be designed to educate users as to possible breaches of confidentiality Described earlier was a screen used at one site that appeared whenever users accessed sensitive information. The screen contained text reminding users that they were accessing sensitive information and asked the user if the action was justified. Another common option is to display an abbreviated version of the