entail.² As health care organizations collect, process, and store more health information in computerized form and use both private and public telecommunications systems to transmit this information between different entities, they must ensure that adequate mechanisms are in place to protect the information.

This report investigates ways of protecting health information in an era of increasing computerization and far-reaching communications. It concentrates primarily on protecting patient-identifiable health information, that is, health records that contain information from which the patient's identity can be deduced or inferred.³ It assesses technical and organizational practices currently in use for protecting electronic health information, identifies other technologies worthy of testing in health care settings, and outlines areas for future research. In addition, the report discusses the privacy concerns that stem from the increasing exchanges of information among different types of organizations involved in providing care, paying for care, or conducting analyses of health information for a wide range of societal purposes. As the report notes, such sharing of information may pose greater privacy concerns than unauthorized access to health information stored at any individual location.

Expenditures on information technology for health care are growing rapidly. The health care industry spends approximately $10 billion to $15 billion a year on information technology, and expenditures are expected to grow by 15 to 20 percent a year for the next several years.⁴ Health care organizations are developing electronic medical records (EMRs) for stor-