transfer of health information will have to be limited to those tasks that convenient obstacle-based security mechanisms can support; the culture of stakeholders will have to change to accommodate the extra load of mechanisms that are more difficult to use; or the aforementioned risks will have to be assumed by the health care system.

Provided that adequate obstacle-based security mechanisms exist at the Internet interface (e.g., by use of a firewall), a deterrence-based approach that allows relatively free internal access can be adopted without excessive risk. Countering organizational threats by erecting technical obstacles to access is not, in general, compatible with the efficient and effective operation of systems used by providers. The time pressures on providers do not permit the level of security-driven interaction that such mechanisms require, and the risk that an obstacle-based mechanism will deny legitimate access to data in an emergency (with the consequent liability) is inherent in such mechanisms. An important enabling mechanism for such an approach is an identification and authentication mechanism that has adequate strength and is acceptable to all classes of users.

Systemic Concerns About Health Information

Systemic concerns about the privacy of patient-specific health information are generally rooted in the use of such information in a manner that acts against the interests of the individual patient involved. These interests may involve specific identifiable adverse consequences such as increased difficulty in obtaining employment or insurance or less tangible ones such as personal embarrassment or discomfort. In order to understand how public concerns about such use arise, it is helpful first to examine the exchanges of health information throughout the health care system.

Uses and Flows of Health Information

Health information-both paper and electronic-is used for many purposes by a variety of individuals and organizations within and outside the health care industry (Table 3.3). Primary users include physicians, clinics, and hospitals that provide care to patients. Secondary users employ health information for a variety of societal, business, and government purposes other than providing care.9 They include organizations that pay for health care benefits, such as traditional insurance companies, managed care providers, or government programs like Medicare and


Consumer Reports. 1994. "Who's Reading Your Medical Records?," October, pp. 628-632.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement