and money in efforts to significantly improve privacy and standards. Rising concerns about patient privacy—and recent legislative initiatives—may create new incentives for improving privacy and security within the health care industry. The Health Insurance Portability and Accountability Act of 1996, for example, directs the Secretary of Health and Human Services to develop and promulgate security standards for electronic health information by February 1998 and to make recommendations to Congress regarding the privacy of individually identifiable health information by August 1997. Other legislation was introduced to the 105th Congress that also addresses the privacy of health information.5


In order to better protect electronic health information, health care organizations will have to work individually, collectively, and with relevant government entities to address the broad scope of concerns regarding privacy and security. Choices will need to be made regarding practices that adequately balance privacy concerns against the need to ensure access to the information for providing care. The recommendations provided below reflect the committee's deliberations regarding feasible practices for improving the privacy and security of electronic health information at the level of both individual organizations and the health care system as a whole. They address several areas: privacy and security practices health care organizations should adopt to protect electronic health information; mechanisms for creating an industry-wide infrastructure for improving privacy and security; ways of addressing privacy concerns that arise from the systemic sharing of information among different institutions; development of patient identifiers; and topics for future research.

Improving Privacy And Security Practices

Health care organizations can adopt a number of technical and organizational practices to improve the protection of health information. Different health organizations face different threats and differ in the resources


5 The Fair Health Information Practices Act of 1997 was introduced in the 105th Congress on January 7, 1997. During the 104th Congress, no fewer than three bills were introduced into Congress related to the privacy and security of health information, some of which may be reintroduced in the 105th Congress: S. 1360 (the Medical Records Confidentiality Act of 1995), H.R. 435 (the Fair Health Information Practices Act of 1995), and H.R. 3103 (the Medical Privacy in the Age of New Technologies Act of 1996).

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.