(2) overall flows of information within the industry, and (3) their legal and regulatory rights to privacy are in the long run an asset to an organization wishing to promote an internal culture that takes its privacy and security responsibilities seriously. Increasing the coupling between patients and provider organizations (e.g., through membership on key committees, messages sent to patients about privacy and security, and full disclosure of data flows) will ultimately benefit the organization.
Most patients and consumers are either unaware of or unconcerned about the uses to which their health records are put and the many organizations that possess their health information. Privacy and consumer advocacy groups that have a better understanding of data flows have yet to articulate a consistent position on privacy and security requirements and, until recently, have had limited influence on the legislative process. As a result, patients have little control over the ways in which information about their health is collected, used, or disseminated. For patients to feel comfortable providing personal health information to a care provider, they may need greater authority in helping to determine rules regarding the privacy of health information.
Finding 5: The greatest concerns regarding the privacy of health information derive from widespread sharing of patient information throughout the health care industry and the inadequate federal and state regulatory framework for systematic protection of health information. The current structure of the industry gives care providers, payers, pharmaceutical benefits managers, equipment suppliers, and oversight organizations a variety of incentives to collect large amounts of patient-identifiable health information (e.g., clinical data). The increasing emphasis on controlling costs and quality and on improving the marketing and sales of related products and services (e.g., medications) further boosts the economic value of such information. Although these data are collected for a variety of legitimate purposes, few controls exist to prevent such information from being used in ways that could harm patients or invade their privacy, and no national debate has occurred to determine what the appropriate uses of health information should be. The existing legal and regulatory framework for protecting patient-identifiable information forms a patchwork of protection that is insufficient in an age of increasing interstate data transfers and of health care delivery systems that span state boundaries.³ Federal laws protect mostly data in the control of the federal government, while state laws provide inconsistent