they may or may not be tangible (e.g., disclosure may involve social embarrassment for which monetary compensation is not appropriate).17

Privacy advocates readily acknowledge that violations of a fundamental right to privacy or the uses of personal information that are harmful to an individual's interests do not depend on the existence of electronic health information; indeed, improper and harmful disclosures of personal information have mostly involved information taken from paper-based records. They argue, however, that electronic health information and computer networks compound the problem enormously.

Prior to the establishment of computer networks, health information had a physical embodiment, was awkward to copy, and was accessible only from central locations. The difficulty of moving health information increased dramatically with the volume of records being transferred. Automation and, more importantly, networking have changed this situation radically. Data have no physical embodiment, are easily copied, and are accessible from multiple points of access. Large numbers of records can be transferred as easily as a single one. The existence of the Internet means that data can be moved across administrative, legal, and national jurisdictions as easily as they can be moved to the next desk; intrusions can be mounted with equal facility. Electronic medical records also raise the possibility that much more accurate and complete composite pictures of individuals can be more easily drawn—so much more so that reasonable people would raise concerns about the aggregate even if they had no concerns about any single data element. Finally, any such aggregated database might well concentrate information in so lucrative a manner that the database itself becomes an interesting target for those seeking information.

Additional security concerns derive from the growing use of the World Wide Web. The spread of World Wide Web technology has precipitated a shift from a transaction-oriented approach to data transfer to an approach depending on a message-based client-server interface. In the transaction-oriented approach, users submit requests and receive responses in a stylized format. Because stylized requests and responses are limited in content to what style itself enables, not all data requests are possible, and expanding the scope of possible requests requires additional work on the part of the system developer. By contrast, Web-based interfaces are usually developed with tools that are intended to facilitate and improve system responsiveness to arbitrary user requests, and the


Examples of information seekers include employers, government agencies, credit bureaus, insurers, educational institutions, the media, and private investigators. See Rothfeder, Jeffrey. 1992. Privacy for Sale: How Computerization Has Made Everyone's Life an Open Secret. Simon and Schuster, New York.

Copyright © National Academy of Sciences. All rights reserved.