Security of the distributed electronic patient record: a case-based approach to identifying policy issues

From Clinfowiki
Jump to: navigation, search

This is a review of J. Anderson’s 2001 article, “Security of the distributed electronic patient record: a case-based approach to identifying policy issues”. [1]


With respect to the fast increase in the role IT in healthcare industry in the US, in this paper, the author identified important health information policy issues. In order to achieve that, author used few case studies to highlight these issues. In addition, he explains the expansion in demand for electronic patient records and patient personal healthcare monitoring systems which caused by the changes in revenue for health services in the US. Despite of the fact of growth in healthcare technology demand, the author explains that most of industrial products have technical problems and resisted by physicians and raised policy issues relating to patient security, privacy and confidentiality.

Security Public Concerns

Author identified different security concerns regarding to the patient medical record. The concerns including but not limited to the disclosure of patient medical information to others without patient consent and use of medical records for research without the patient's explicit permission. He also mentions the use of prescription data which comes from the records contained identifiable patient information to detect fraud as a security public concern. Consequently, the author explains the result of these concerns which caused a patients to shield themselves from intrusive uses of their health information. He explains that there are a group of patients that refused to file an insurance claim and decided not to see a health care provider because of medical record privacy concerns which might hurt their job or their ability to obtain insurance coverage. Finally, authors states that this lack of reliable information may affect the quality of diagnosis and patient treatment decisions.  

Secondary uses of health information

The researcher of the paper defines the secondary use of patient-specific health information as accessing patient data by non-health care providers which might use patient data for commercial or non-beneficial reasons to the patient and he explains that “once data are transferred out of the institution that provides the patient care, there is little control over its use”. These compromises might come from insurance companies, employers, or any other firms that might use patient records with patient consent. Furthermore, the author explains the fact that existence of a connection between patients’ health information and other sources of patient-specific data might cause additional risks to privacy and confidentiality. As an example, a drug manufacturer might use these types of information to encourage patients to change their prescriptions with their drugs. On the other hand, author states that having access to patient specific information might be beneficial to identify patients at risk for specific health problems.

Issues for public policy

In this section, author explain the major health information collectors which are private organizations and he points this out that these organizations are not subject to the US Privacy Actlaw and with the absence of comprehensive legislation policy for electronic medical information, healthcare institutions refuse to invest on security improvement. The author also emphasizes on the fact that HIPAA regulations fail to address a number of threats to the security of health information because HIPPA regulations only apply to providers established electronic health information and it doesn't cover paper-based records. Besides, HIPPA regulations do not apply to other organizations with access to protected health records such as insurance companies, pharmacies, and direct marketers. Finally, the researcher explains that the development of unique identifiers for patients remained a complicated task as using the social security numbers as a patient’s identifier has been rejected because they are used by different third-party organizations and there is potential that they use it for unauthorized purpose. There is also a fear that these kind of universal integrated identifiers would permit the linking of data on individuals from multiple sources and subsequently, US Congress “prohibited implementation of individual identifiers until congress specifically approved the standard for them”. The author explains the issue with existing electronic health record systems which is their vulnerability to inappropriate use, both within and without the institutions that provide care. At this point, he reaches to a conclusion that a systemic use of patient-identifiable health information by any third-party organization and institutes has a great potential for major privacy and security threats.


Although some aspects of this article are outdated and resolved over past 10 years, this article is a great introduction to the security and privacy issues that caused lawmakers to defined different laws and regulations for protecting patient privacy. Additionally, there many aspects that needs attention and remained unresolved in the past 15 years or more and no specific solution has been proposed to address them including defining a centralize way to address patient healthcare record among different clinic without breaking patient privacy and data secrecy.


  1. J. Anderson 2001. Security of the distributed electronic patient record: a case-based approach to identifying policy issues