L M Lawrence1. 1. Advanced Information Systems Division, MITRE Corporation in McLean, VA.
Abstract
BACKGROUND: Information about encounters between patients and physicians, nurses, and other caregivers is recorded on paper and in computer databases. Caregivers are expected to respect the confidential nature of patient information. Yet quality management programs, for example, entail systematic, efficient collection of information extracted from patient case files. Compiling "report cards" on managed care networks necessitates access to aggregated information on episodes of care and their outcomes. Regional provider networks; the development of comprehensive computerized patient records; and the dependence of health care reform on large-scale, highly distributed databases make the patient record even more vulnerable. Each organization must assess whether its protection of patients' privacy is sufficient. AN INFORMATION SECURITY PROGRAM: A logical first step in devising such a program is to establish the necessary policies, which are prerequisites to the proper development of computer systems. A policy should address such issues as the authorized access needs to sensitive information and limitations concerning secondary use; the application of technical, procedural, physical, and personnel safeguards; and the dissemination of information. Information managers should seek opportunities to install commercially secure products that meet their security requirements. CONCLUSIONS: Top management, information systems planners, and quality improvement leaders must jointly determine policies that satisfy the duty to preserve patients' confidentiality, foster the most effective use of information in the patient record, and avoid overly restrictive policies that would impede total quality management.
BACKGROUND: Information about encounters between patients and physicians, nurses, and other caregivers is recorded on paper and in computer databases. Caregivers are expected to respect the confidential nature of patient information. Yet quality management programs, for example, entail systematic, efficient collection of information extracted from patient case files. Compiling "report cards" on managed care networks necessitates access to aggregated information on episodes of care and their outcomes. Regional provider networks; the development of comprehensive computerized patient records; and the dependence of health care reform on large-scale, highly distributed databases make the patient record even more vulnerable. Each organization must assess whether its protection of patients' privacy is sufficient. AN INFORMATION SECURITY PROGRAM: A logical first step in devising such a program is to establish the necessary policies, which are prerequisites to the proper development of computer systems. A policy should address such issues as the authorized access needs to sensitive information and limitations concerning secondary use; the application of technical, procedural, physical, and personnel safeguards; and the dissemination of information. Information managers should seek opportunities to install commercially secure products that meet their security requirements. CONCLUSIONS: Top management, information systems planners, and quality improvement leaders must jointly determine policies that satisfy the duty to preserve patients' confidentiality, foster the most effective use of information in the patient record, and avoid overly restrictive policies that would impede total quality management.
Entities:
Keywords:
Joint Commission on Accreditation of Healthcare Organizations; Professional Patient Relationship