systems and networks can be accessed by unauthorized users. If not adequately addressed, such concerns can both dissuade health care organizations from investing in information technology and make patients reluctant to share information, undermining the provision of care.
In response to these concerns, the National Library of Medicine, together with the Warren Grant Magnuson Clinical Center of the National Institutes of Health and the Massachusetts Health Data Consortium, asked the Computer Science and Telecommunications Board of the National Research Council to examine ways of protecting electronic health information. As part of its research, the Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure, assembled for this project, conducted visits to six health care organizations that had demonstrated leadership in developing health care applications of information technology. This report examines the motivations behind the growing use of information technology within the health care industry; identifies related privacy and security concerns; and assesses a wide variety of mechanisms for protecting privacy and security in health care applications of information technology. As the report demonstrates, a variety of technical and nontechnical practices are available for protecting electronic health information held by individual organizations. Such practices do not address the privacy concerns that stem from the widespread and relatively unregulated dissemination of information among institutions in the health care industry, including providers, payers, researchers, and oversight agencies.
Information technology is becoming increasingly important to the health care industry as organizations attempt to find ways of lowering the costs of care while improving its quality. The health care industry spent an estimated $10 billion to $15 billion on information technology in 1996,[2] and further growth is expected as organizations implement electronic medical records, upgrade administrative and billing systems, install internal networks for sharing information among affiliated entities, and use public networks, such as the Internet, to distribute health-related information and provide access to clinical databases from remote locations. Much of the demand for information technology is driven by structural changes in the health care industry and its methods of care. Integrated