

CFP'93 - Sands

CFP'93 - Medical Information and Privacy

by Daniel Z. Sands, MD

Center for Clinical Computing
Harvard Medical School / Beth Israel Hospital, Boston

Copyright (c) 1993 Daniel Z. Sands, MD
All publication rights reserved by author

Information is essential to the proper care of patients, and computerized medical records allow health care providers to gain access to current patient medical information more rapidly and more efficiently than the paper record. The immense benefits that this computerized information provides must be weighed against the right of the patient to expect that his or her records remain confidential. Institutions that have mature hospital information systems, such as The Center for Clinical Computing (CCC) at Boston's Beth Israel Hospital, have grappled with these issues in the effort to balance system usability with patient privacy. Because of the careful multi-tiered security that a computerized system allows, the computerized information system probably provides more confidentiality of medical records than does a paper record.

Patients should expect that only authorized personnel will view their medical records, which may contain sensitive demographic, financial, personal, and medical information. Yet in our increasingly complex health care system, the group of individuals with the "need to know" has expanded from the physician and nurses to allied health professionals, social workers, discharge planning specialists, fiscal managers, quality assurance personnel, medical records workers, diagnostic "coders" (who decide how best to bill the insurance companies), and the payers themselves, which include agents from managed care organizations, private insurance companies, and the federal government. All believe that they have the need to view the patient's medical record.

In a health care institution with paper records, these individuals can peruse the chart at liberty, assuming they can find it. Once they've found it, the only protection a patient has is that they can seldom read the hand-written notes. In reality, almost anyone donning a uniform or a white coat can pick up a patient's chart and freely read it without question. Once the chart is stored in medical records it is usually more difficult to retrieve, but the information is still available to agents of insurance companies. After all, in our health care system, the payer, not the patient, is the hospital's real customer. So paper records are certainly not secure.

The paper record has other problems, as well. Besides the legibility problem alluded to above, the information one is trying to find is often missing, out-of-date, or in a previous volume of the chart. Assuming the information is there, it takes a long time to find, due to the inefficient organization of the paper medical record. Furthermore, only a few people can view the chart at any one time. For these reasons, the paper chart should be made obsolete and be replaced by a computerized medical record as soon as possible.

The computerized medical record, such as that found in Beth Israel Hospital's CCC system, is an indispensable tool for patient care. It provides concurrent access to patient information including demographics, visit and admission history, insurance information, virtually all test results, diagnoses, and medications. For patients followed in our primary care clinic, we also maintain a problem list, medication list, notes, and periodic health care screening sheets through the Online Medical Record (OMR). In addition, our system has an electronic mail system which provides users with the ability to communicate with one another, clinical decision support tools, including a program to search the medical literature, and automated medical alerts and reminders. The CCC system allows access through almost 1500 terminals and personal computers, which are located in patient care areas of the 450-bed hospital and its clinics, and allows telephone access through personal computers and a proprietary emulator program. The intensive use of the system testifies to its a typical week there are 50,000 look-ups of patient information, 9000 electronic mail messages sent, and 1200 medical literature searches. The system is indispensable to those who use it.

The CCC system's security is based on computer-assigned four-character keys that allow a user to log on. This identifies the user and serves as the user's electronic signature, and users are instructed not to disclose their keys. The user's status in the hospital (as well as the terminal used to log on to the system) determines which types of information that individual may view, enter, or change. For example, a ward clerk may need to view admission and demographic information but has no need to see clinical information. A physician, on the other hand, needs to view clinical information but has little need to view detailed insurance information. In this way we can tightly regulate usage based upon the need for information.

Another way in which secure records are maintained is a detailed audit trail of all information access and alteration in the system. When patient information is examined, the key of the person looking up the information is stored, along with the patient identifier and the date and time. Any patient may request a list of those viewing their online medical information at any time and any physician can request a list of those who have had access to his or her patients' records. Although this audit trail is always maintained, the user is reminded of this fact following key reassignments, after every 500th patient look-up, during the look-up of VIP or employee information, and at random intervals. Violations of patient confidentiality that come to our attention lead to disciplinary action. Through this mechanism we maintain a feeling that "Big Brother is watching" so that users feel accountable for their actions.
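
The two controls described above, access decided by the user's status together with the terminal, and an audit trail with periodic reminders, can be sketched as follows. This is an added example, not code from the CCC system; the policy tables, terminal names, sample keys and patient identifiers are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Assumed policy: the essay gives only the ward clerk and physician examples.
ROLE_VIEWS = {
    "ward_clerk": {"admission", "demographics"},
    "physician": {"clinical", "admission", "demographics"},
}
# Assumed: the terminal's location also limits what may be shown there.
TERMINAL_VIEWS = {
    "ward": {"clinical", "admission", "demographics"},
    "admitting_desk": {"admission", "demographics"},
}
REMINDER_EVERY = 500  # from the essay: reminder after every 500th look-up


class RecordSystem:
    def __init__(self, users, flagged_patients=()):
        self.users = dict(users)              # key -> status (role)
        self.flagged = set(flagged_patients)  # VIP or employee patients
        self.audit = []                       # (key, patient id, date and time)
        self.lookups = {}                     # key -> number of look-ups

    def allowed(self, key, terminal, category):
        # Both the user's status and the terminal must permit the category.
        role = self.users.get(key)
        return (category in ROLE_VIEWS.get(role, set())
                and category in TERMINAL_VIEWS.get(terminal, set()))

    def look_up(self, key, terminal, patient_id, category, now=None):
        """Return (granted, remind); every granted look-up is audited."""
        if not self.allowed(key, terminal, category):
            return False, False
        now = now or datetime.now(timezone.utc)
        self.audit.append((key, patient_id, now))
        count = self.lookups[key] = self.lookups.get(key, 0) + 1
        # Reminders after key reassignment and at random intervals are omitted.
        remind = count % REMINDER_EVERY == 0 or patient_id in self.flagged
        return True, remind

    def viewers_of(self, patient_id):
        # The list a patient may request: who looked, and when.
        return [(k, t) for k, p, t in self.audit if p == patient_id]


if __name__ == "__main__":
    # Constructed sample data.
    ccc = RecordSystem({"K7QX": "physician", "M2TZ": "ward_clerk"}, {"P-VIP"})
    print(ccc.look_up("M2TZ", "ward", "P-1001", "clinical"))  # clerk denied
    print(ccc.look_up("K7QX", "ward", "P-VIP", "clinical"))   # granted, reminded
    print(ccc.viewers_of("P-VIP"))
```
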

It is clear that the computerized medical record has tangible benefits over the paper records that include accessibility, organization, legibility, accuracy, and timeliness. It is also important to recognize that the computerized record is no more a risk to patient confidentiality than is the paper record, and may be more secure, due to the ability to regulate access and track look-ups of information. We must currently deal with the legions of third-party payers of health care, including the federal government, who receive unrestricted access to patient information and frequently store it in computerized databases of their own in the name of managing and regulating the provision of health care; one can only speculate as to the security of these information repositories and the uses to which it is put. The future will bring issues of inter-institution transfer of medical records in which data encryption and error-free transmissions will be important. In the meantime, health care institutions can and do implement secure and useful medical information systems.


