data exist with which to make more general assessments. Managers at most sites believe that EMRs enable them to control and monitor access to patient information better than they could with paper record systems. However, the expanding use of EMRs dictates that awareness of the privacy and security concerns must extend beyond the leading institutions the committee visited, to all potential users of EMRs.
Additional privacy concerns arise from the widespread dissemination of information throughout the health care system—often without explicit patient consent. Health care providers, payers (e.g., insurers), managers of pharmaceutical benefits programs, equipment suppliers, and oversight organizations collect large amounts of patient-identifiable health information for use in managing care, conducting quality and utilization reviews, processing claims, combating fraud, and analyzing markets for health products and services. In general, such information is collected for legitimate purposes, but few controls exist to ensure that it is not used for other purposes that may run counter to the patient's interests or patient privacy. For example, self-insured employers who collect patient data to monitor benefits programs and combat fraud are not systematically prevented from using such information to deny workers promotions or continued employment because of information in their health records. From the patient's perspective, the flows of health information among these many types of organizations may be of more concern than the possible misuse of information by authorized users within a particular organization or by outside attackers.
Protection of electronic health information held by individual organizations requires a combination of both technical and organizational practices, the selection of which involves implicit trade-offs among cost, complexity, and degree of privacy provided. Organizational practices are at least as important as technical practices. Although technical mechanisms can be used to validate the identity of computer users, establish controls on the information they can access, and encrypt information transmitted between locations, organizational policies establish the objectives of technical measures, determining who is allowed access to information and how tightly access will be controlled. Moreover, large numbers of health care workers have a legitimate need to access patient-identifiable information and have more opportunities than outsiders to disclose information inappropriately. As managers at several sites reported, strong training programs and disciplinary policies are often the most effective way of ensuring that workers comply with privacy and security policies. They act as a deterrent to potential abuse, rather than as an obstacle.