As described above, the firm had upgraded its electronic record system to incorporate access controls and audit trails so that accesses by its employees could be adequately tracked, and properly authenticated prescriptions could be issued directly from the system to local pharmacies. To support the new service, a special, patient-only access system had been added that replicated records from the system used by providers but had no other access to it. In addition to being able to examine her health records, Charlotte was able to review a list of all the people who had accessed her records and the purpose of each access.

To be sure that a request for Charlotte's records came from her and not from someone else in the household, the firm also offered each of its patients a card that could be used in authenticating requests. The card avoided using the Social Security number for this purpose because those numbers were too widely available to be used for authentication. The card was used by the firm to identify its patients unambiguously, thereby reducing the paperwork required on each office visit and, in some cases, improving emergency treatment.