HIPAA: Privacy and Security in Health Care Networks

Pooja Deshmukh & David Croasdell. Information Security and Ethics: Concepts, Methodologies, Tools, and Applications. Editor: Hamid Nemati. Volume 5. Information Science Reference, 2008.


Data communication infrastructures are changing how health information and health care is provided and received. People using tools such as the Internet for health-related purposes—patients, health care professionals, administrators, and researchers, those creating or selling health products and services, and other stakeholders—must join together to create a safe environment and enhance the value of the Internet for meeting health care needs. Because health information, products, and services have the potential to both improve health and do harm, organizations and individuals that provide health information via the Internet have obligations to be trustworthy, provide high quality content, protect users’ privacy, and adhere to standards of best practices for services in health care. People using telecommunications infrastructures in health care share a responsibility to help assure the value and integrity of the information by exercising judgment in using health care sites, products, and services. [Internet Health Coalition, 2000]

The Health Insurance Portability and Accountability Act (HIPAA) has brought about significant changes in the procedures and practices within the health care industry. As newer information technologies are implemented in health care organizations, the challenge becomes to increase network connectivity and enable access to key information without compromising its confidentiality, integrity, or availability. With the advent of HIPAA regulations, health care organizations are required by law to have procedures in place to protect the privacy of patient information. This chapter addresses issues related to privacy and security of patient information in health care networks. It provides a background on HIPAA regulations, drivers for the need for privacy and security in health care organizations, the role of technology-based solutions, and the products available to the industry. The chapter includes a discussion of the ethical issues driving the design and implementation of information in support of HIPAA guidelines. The increased use of information technology in health care promises greater functionality and decreasing costs. While these factors point towards continued development of more robust applications, careful selection and implementation is necessary to ensure the security and privacy of patient information.

The evolution of networking technologies has enabled businesses to provide enhanced services, greater access to information, and higher levels of availability for both the service providers and the customers. While many industries have easily adopted internetworking technologies, others have been unable to do so because of the inherent complexities of their specific businesses. The health care industry is a prime example. Health care is a document-intensive industry that has faced significant challenges in migrating to the near “paperless” environments that many industries strive to achieve utilizing networking technologies (Cisco Systems, 2002). Furthermore, health care organizations work with highly sensitive data such as patients’ personal health information. As such, health care organizations must be keenly aware of the privacy concerns and security risks of converting to electronic infrastructures.


Anyone seeking health-related information, products, or services has a right to expect that organizations and individuals who provide such information follow a set of guiding principles. If confidences are not kept, individuals will be less forthcoming with information, which in turn may impact the care they receive. Health information includes information for staying in good physical condition as well as for preventing and managing disease. It may also include information for making decisions about health products and health services and may be in the form of data, text, audio, and/or video. In addition, enhanced health information may be available through programming and interactivity (Internet Health Coalition, 2000). Managing health information in a technological world implies the persistent storage and potential dissemination of health-related data using data communication networks. Such environments have the potential to compromise both the security and privacy of the records maintained on these networks.

Although privacy and security are terms that are often used interchangeably, there is an inherent difference between the two concepts. The Merriam-Webster online dictionary (2003) defines security as:

The quality or state of being secure as a: freedom from danger: SAFETY, b: freedom from fear or anxiety PROTECTION, (1): measures taken to guard against espionage or sabotage, crime, attack, or escape.

Whereas privacy is defined as:

The quality or state of being apart from company or observation: SECLUSION b: freedom from unauthorized intrusion <one’s right to privacy>.

By combining the two terms, one can gain a complete picture of protecting information in the context of the health care industry. Both security and privacy must be considered in order to adequately address the issue of safeguarding patient information (Fleisher, 2001). The Health Insurance Portability and Accountability Act (HIPAA), effective as of April 14, 2000, attempts to address privacy and security issues in the context of health-related activities. Accordingly, HIPAA defines security as:

The regulations which address the protection of data resident on provider computers or networks, as well as the protection of data while it is being transmitted to third parties. Primarily, security addresses the technical components related to the collection, protection, and dissemination of data. (HIPAA Standard 164.530)

Whereas privacy is defined as:

The regulations, which address the protection of patient information in any format and by any user. Privacy necessitates providing an individual’s health related information and disclosure of how and where that information is being used. (HIPAA standard 142.308) (Fleisher, 2001)

More simply stated, the security regulations address technical components of health care information, which are monitored by a Security Officer. Privacy regulations are more operational in nature and are managed by a Privacy Officer (Wilson, 2002).

Organizations are becoming increasingly dependent on data communication networks for their daily business communications, database information retrieval, and distributed data processing. The rise of the Internet and wireless communications has provided opportunities to connect to computers anywhere in the world. However, this capability has also increased the potential vulnerability of organizational assets. As a result, not only do organizations need to protect their assets from threats such as fraud and theft, but they also need to be concerned with the potential loss of consumer confidence from a publicly known security break-in. Other security concerns include potential losses from disruption of an application or natural disasters (Fitzgerald & Dennis, 2000).

Security Issues in the Health Care Industry

In today’s uncertain political and economic environment, many factors are driving the need for secure networks in the health care industry. A significant business challenge is to increase network connectivity and to enable access to key information assets without compromising the confidentiality, integrity, or availability of those assets. Some believe that using new technologies can assist with the process of securing patient information. According to Oracle Corporation, incorporating technology in hospitals will make the process of providing access to patient information more secure since all the data will be stored in one place (Couzin, 2001). This will reduce the risk associated with patient information “floating” around the hospital where it could potentially be accessed by multiple doctors, nurses, technicians, and administrators. In some of the solutions implemented by Oracle, doctors no longer need to spend valuable time filling out forms, tracking patient charts, or waiting to pick up X-ray or MRI results as these tasks are now automated through the use of technology (Couzin, 2001). While this has greatly increased the ease of use, it has also increased the vulnerability and security of the underlying content.

Conversely, the health care industry’s steady move towards the computer-based patient record and the overall trend of delivering health care information using information technology in lieu of paper has raised anxiety regarding the security of that information. Issues related to the security of an enterprise network could create fear and uncertainty for health care executives. Securely sharing patient information over distributed regional networks that link multiple hospitals, clinics, and doctors’ offices has become an issue of key importance in health care organizations (KBeta Security Web, 2001). For an organization to begin building a highly secure network, it must first understand the issue of security and why it has become such a priority in health care today.

To this end, network security has never been more important. For example, e-vandalism is occurring unnoticed in many of today’s information-centric companies. Clandestine hackers and vandals not only steal a company’s confidential information, but also damage its reputation in the process. The loyalty that companies have worked so hard to build could disappear if customers and business partners believe that their personal data is at risk (McMillan, 2002). The concern is thus magnified for health care enterprises trying to deploy network solutions.

Another factor driving the need for greater attention to security concerns is the move to sharing information with remote physicians. With the growth of outpatient care sites health care providers can no longer be content with just one local area network. In the past, doctors did not consider having the capacity to receive patient data in their homes. The ability of physicians to practice medicine remotely is becoming a competitive differentiation in the marketplace (Sarasohn-Kane, 2003). This practice is beneficial not only to the doctor in terms of flexibility and convenience, but also to patients who could be diagnosed and receive treatment virtually across time and physical space. Health systems and plans want to attract and retain the best physicians in the community by touting the ability to provide information anywhere and anytime a doctor needs it. The confidentiality of such information becomes paramount in the ability to conduct business.

These issues have also gained impetus as network intrusions by computer viruses have become more prevalent in recent years. The threat of new and more virulent computer worms and viruses has heightened the level of consumer awareness and concern about the use or misuse of personal health records. An IBM survey conducted in 1999 revealed that 33% of Americans would trust banks to handle their personal information properly, but only 23% placed the same faith in health care providers (Sarasohn-Kane, 2003). In a September 2000 Gallup poll, 77% of the respondents said the privacy of their personal health information was very important. Eighty-four percent were concerned that this information might be made available to others without their consent. Only 7% of the respondents said they were willing to store or transmit personal health information on the Internet and only 8% felt a Web site could be trusted with such information (Hunt, 1999).

Confidence in security measures is even more important given the push towards consumer-driven health care. Consumers’ desire to access information about their own health has resulted in increased use of interactive medical networks such as the Internet and intranets. In part, the changes are due to the improving technological capability along with managed care organizations’ desire for patient empowerment by asking patients to assume more self-management. Consumers’ use of these networks has initiated the development of personal health information management software that may be a precursor to an electronic medical record owned by the patient. As a result, health care information is becoming more portable. Previously, the hospital literally owned patient records. In contrast today, multiple owners outside the hospital may be contending for it. The implementation of technical solutions has provided greater portability and convenience in the health care arena. At the same time, the demand for security is becoming even more imperative (Sarasohn-Kane, 2003). Copies of electronic files containing vast amounts of confidential information can easily be sent electronically over a network connection without any indication that the information was stolen.

Consumers want to control where their health information goes. Part of the enterprise’s risk management analysis is to realize that we live in a litigious society. As such, it is prudent on the part of businesses to take every reasonable step to ensure the confidentiality of health care information. More trust in the health care system will help ensure better health outcomes through the use of technology.

Privacy Issues in the Health Care Industry

Health care providers maintain and share a vast amount of sensitive patient information for a variety of reasons. Such records are kept and shared for diagnosis and treatment of the patients, payment of health care services rendered, public health reporting, research, and even for marketing and use by media. While traditional paper-based systems have vulnerabilities, they also place some natural limits on the ability of information collectors to share and disseminate information. It is sometimes a challenge to locate paper records. In order to disseminate the information, someone must physically remove the records from the premises either by carrying, copying, mailing, or faxing the documents. These limitations create a double-edged sword. Although such systems may protect information from being disseminated for improper reasons, they may also obstruct the flow of information being shared for legitimate, health care-related purposes (Choy, Hudson, Pritts, & Goldman, 2001).

Health information can be easily located, collected, and organized with the migration of the health care industry toward electronic data collection, storage, and transmission. One major drawback is that sensitive and personal patient information can be sent to any number of places thousands of miles away with the click of a mouse button. Thus, some consumers may be afraid to take advantage of the technology because of privacy and confidentiality concerns. According to the Ethics Survey of Consumer Attitudes conducted by the Cyber Dialogue and the Institute for the Future for the California Health Care Foundation and the Internet Health Care Coalition in January 2000, more than 75% of the people surveyed are concerned about Web sites sharing information without their consent, thus impacting their willingness to use the Internet for health-related services (Goldman & Hudson, 1999).

Consumers are increasingly worried about the loss of their privacy, and have heightened concerns when it comes to their health information (Brewin, 2003). They worry that their health information may be used or disclosed inappropriately and leave them vulnerable to unwanted exposure, stigma, and discrimination, possibly leading to economic losses. Patients fear that their personal information will be used to deny them health insurance, employment, credit, and housing. With the increase in the use of technology and the ease with which information can be transmitted, there has undoubtedly been a considerable increase in the access of health care information. People who access such data without appropriate authorization are motivated either by profit or at times just plain curiosity (Goldman & Hudson, 1999). As a result, consumers sometimes take drastic steps to keep their health information private. According to one survey, almost one out of six U.S. adults has taken extreme steps to maintain the privacy of his or her medical information. Patients withhold information from their doctors, provide inaccurate or incomplete information, and doctor-hop to avoid a consolidated medical record. They go as far as paying out-of-pocket for care that is covered by their insurance, or even avoiding care altogether (Goldman & Hudson, 1999).

Such privacy-protection behavior, which consumers/patients do both offline and online, can result in a significant cost to their health. A study released by the Pew Internet and American Life Project found that 89% of Internet users who seek health information online are worried that others will find out about their activities and are worried that the Internet companies will give this information away. Eighty-five percent fear that insurance companies might change their coverage after finding out what online information consumers had accessed (Choy et al., 2001). By concealing information, patients risk undetected and untreated conditions. At the same time, the doctor’s ability to diagnose and treat patients is jeopardized without access to complete and accurate information. Further, future treatment may be compromised if the doctor misrepresents patient information so as to encourage disclosure. This in turn can have a detrimental effect on the community, as without full patient participation upfront, the information collected will be unreliable for users downstream. Ultimately, health care initiatives that depend on complete and accurate information may be undermined (Goldman & Hudson, 1999).

Legal and Regulatory Environment

Regulatory factors are driving the current trend toward security and privacy standards in the transmission of health care information over enterprise networks. State and federal legislation, professional and standards organizations, and internal organizational risk management departments are driving the need for security measures. Many states, for example, regulate the use of electronic signatures and medical records. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) addresses security and confidentiality issues in the Information Management section of its accreditation manual. Overlaying all these factors, however, is the greatest of all regulatory drivers: a recent federal law called HIPAA.

The Health Insurance Portability and Accountability Act, signed into law in the United States in August 1996, mandates the adoption of national uniform standards for the electronic transmission of health and patient information. The intent of HIPAA is “administrative simplification” and protection of patient privacy. HIPAA requires that the health care industry promote a national, uniform security standard for the secure electronic transmission of patient-identifiable information.

HIPAA is a turning point for the health care industry because it requires that the industry develop a set of national standards that will help bring the much-needed data-standard unity to health care transactions and provide assurance that confidential patient information will be safe or safer than paper-based patient records.

Although HIPAA does not mandate the collection or electronic transmission of health information, it requires that standards be adopted for any electronic transmission of specified transactions. To ensure protection of privacy, the law provides for confidentiality protections for information processed in accordance with the new standards. It requires organizations to focus on Electronic Data Interchange (EDI) transactions for health plan enrollment, eligibility, claims payment, premium payment, coordination of benefits, and referral/authorization. HIPAA also mandates protecting confidentiality of individually identifiable patient information in an automated system. It requires organizations to be able to demonstrate sound practices that protect patient confidentiality and security.

HIPAA security requirements are broad, covering any organization that generates or otherwise handles electronic patient records and other e-medical data. HIPAA requires the health care organizations to implement encryption, user authentication, and other security measures to safeguard the integrity, confidentiality, and availability of electronic data by mid-2003. Entities affected by this law include virtually all private and government hospitals, outpatient centers, nursing centers, Health Maintenance Organizations (HMO), Preferred Provider Organizations (PPO), insurance companies, firms providing clinical information systems for medical labs, providers of pathology, radiology, patient billing, and pharmacy records, medical software application providers, and even related Web portal companies (Yozons Technology, 2003).

Penalties for noncompliance with the law can be severe. The civil penalty for violating transaction standards is up to $100 per person per violation and up to $25,000 per person per violation of a single standard for a calendar year. The penalty for knowing misuse of individually identifiable health information can reach $250,000 and/or imprisonment for up to ten years. HIPAA has hit the nation’s $1.3 trillion health care industry quickly by becoming the de facto security guideline for federal privacy standards regarding health care information. The privacy standards, which govern electronically Protected Health Information (PHI), went into effect as of April 14, 2003 and could create a legal nightmare for the health care industry, requiring a massive training effort and costing millions of dollars. There is also concern that litigation over a failure to adhere to HIPAA security standards may dampen the use of technologies such as wireless LAN systems in hospitals (Brewin, 2003).

Given the mandated HIPAA compliance, many organizations have been working overtime to ensure their organizations are aligned correctly. In order to examine the implications of HIPAA in the workplace, interviews were conducted with professionals responsible for information systems and telecommunication services in regional medical centers. The combination of HIPAA and the hospitals’ endeavor to become HIPAA compliant has resulted in additional responsibilities for individuals such as the Privacy and Security Officers for their respective medical centers. On the whole, these professionals consider HIPAA to be a double-edged sword. In their opinion, to a large degree most hospitals and health care organizations have always been very sensitive to privacy and confidentiality of patient information. HIPAA has simply formalized some of those issues and ensured that the standards are being applied equally. The primary gap in the protection of patient information was seen at pharmacies as they previously shared patient information with various vendors. If a patient were to buy prescription drugs at the pharmacy, he or she might receive advertisements with information on drugs related to their condition. With the advent of HIPAA, pharmacies need to be monitored and are not allowed to share patient information with vendors without the consent of the patient. In addition, the electronic transaction of transmitting patient information to bill insurance companies needs to be supported by software that is HIPAA compliant.

Implications of HIPAA Implementation

Overall, HIPAA is believed to be a very positive thing, as patients find comfort in knowing that there are standards in place to safeguard their personal health information. Still, some patients have negative perceptions regarding how HIPAA affects the privacy and security of personal information. Most hospitals are very explicit when stating what happens with patient information and with whom such information is shared. However, such an expression, alluding to a more open process, has raised concerns among some patients who have only recently become aware of such standard practices of health care organizations. They believe that HIPAA has allowed health care organizations to share more information than they previously could. In effect, HIPAA has heightened people’s awareness of issues related to information privacy and security. For many, these concerns are issues that were previously unknown or of little interest. As such, efforts are being made to educate such individuals in order to make them feel more comfortable about the privacy of their information.

The security piece of the regulation mandates the implementation of security measures within health care organizations. These security measures were previously hard to implement because there was not much return on investment. With HIPAA, it has become easier to justify these requirements from a business standpoint. The security measures may contain a layered approach to securing the network. A plan needs to be in place to ensure that every single layer of the network has been “hardened” to make it secure. In addition, some medical centers have assigned different access capacities to their various staff members depending either on their location in the hospital or the privileges assigned to them. Further constraints have been implemented in order to manage and protect the IT resources. For instance, users may need to follow a specific format for their passwords in order to ensure that they are not easily decipherable. For systems containing clinical information used to make emergency decisions, some hospitals have implemented a “break the glass” procedure, in which, for example, if a password is not working in emergency situations, physicians are still able to get to the information. Extra audits and alerts are put in place so that if someone “breaks the glass,” network administrators are automatically notified and upper management can be apprised of the related circumstances.

Table 1. Eight guiding principles of e-health code of ethics (Internet Health Coalition, 2000)

e-Health Code of Ethics: 8 Guiding Principles

Candor
· Disclose vested financial interests
· Disclose key information for consumer decisions

Honesty
· Present information truthfully
· No misleading claims

Quality
· Accurate, clear, current, evidence-based
· Readable, culturally competent, accessible
· Citations, links, editorial board and policies

Informed Consent
· Privacy policy and risks
· Data collection and sharing
· Consequences of refusal to consent

Privacy
· Prevent unauthorized access or personal identification of aggregate data
· Let users review and update personal data

Professionalism
· Abide by professional codes of ethics
· Disclose potential conflicts of interest
· Obey applicable laws and regulations
· Point out limits of online practice

Responsible Partnering
· Choose trustworthy partners, affiliates, and links
· Maintain editorial independence from sponsors
· Tell users when they are leaving the site

Accountability
· Provide management contact info
· Encourage user feedback
· Respond promptly and fairly to complaints

The processes associated with accessing records have also undergone changes as illustrated in the following scenario. If a physician examines one patient and consults with another physician on the case, the second physician may be unable to access the patient’s records since he or she is not the “physician of record.” In such a situation, the second physician could override the access blocks by agreeing to have their name appear in the audit report. If the second physician agrees, administrators can monitor records for inappropriate activities and follow-up with the physician to address access issues as needed.
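The “break the glass” procedure and the physician-of-record override described above can be sketched as follows. This is an added example, not code from the chapter or from any hospital system; the account names, the free-text reason field, and the `notify` alert hook are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user: str
    patient: str
    outcome: str   # granted | denied | break_glass | alert_failed
    detail: str


@dataclass
class RecordGate:
    """Decides record access and writes every decision to the audit trail."""
    physicians_of_record: Dict[str, Set[str]]   # patient id -> user ids
    clinicians: Set[str]                        # accounts allowed to override
    notify: Callable[[AuditEvent], None]        # administrator alert (assumed hook)
    audit: List[AuditEvent] = field(default_factory=list)

    def _log(self, user: str, patient: str, outcome: str, detail: str) -> AuditEvent:
        event = AuditEvent(datetime.now(timezone.utc).isoformat(),
                           user, patient, outcome, detail)
        self.audit.append(event)
        return event

    def request(self, user: str, patient: str, *, break_glass: bool = False,
                acknowledged: bool = False, reason: str = "") -> bool:
        # Normal path: the physician of record gets access.
        if user in self.physicians_of_record.get(patient, set()):
            self._log(user, patient, "granted", "physician of record")
            return True
        if not break_glass:
            self._log(user, patient, "denied", "not physician of record")
            return False
        # Override path: only clinical accounts may break the glass.
        if user not in self.clinicians:
            self._log(user, patient, "denied", "override not permitted for this account")
            return False
        # The user must agree to appear in the audit report and say why.
        if not acknowledged or not reason.strip():
            self._log(user, patient, "denied", "override needs acknowledgement and reason")
            return False
        # Audit first, then alert, so the record exists even if alerting fails.
        event = self._log(user, patient, "break_glass", reason.strip())
        try:
            self.notify(event)
        except Exception as exc:
            # Assumption: emergency access stays available; the failed alert
            # is itself audited so reviewers can see the gap.
            self._log(user, patient, "alert_failed", type(exc).__name__)
        return True

    def overrides_by_user(self) -> Dict[str, int]:
        """Break-glass counts per account, for administrator follow-up."""
        return dict(Counter(e.user for e in self.audit if e.outcome == "break_glass"))


def demo():
    """Run constructed sample requests against one constructed patient record."""
    alerts: List[AuditEvent] = []
    gate = RecordGate(
        physicians_of_record={"patient-001": {"dr_adams"}},
        clinicians={"dr_adams", "dr_baker"},
        notify=alerts.append,
    )
    results = [
        gate.request("dr_adams", "patient-001"),
        gate.request("dr_baker", "patient-001"),
        gate.request("dr_baker", "patient-001", break_glass=True),
        gate.request("dr_baker", "patient-001", break_glass=True,
                     acknowledged=True, reason="consult requested by dr_adams"),
        gate.request("clerk_cole", "patient-001", break_glass=True,
                     acknowledged=True, reason="front desk lookup"),
    ]
    return results, alerts, gate


if __name__ == "__main__":
    results, alerts, gate = demo()
    print(results)
    for event in gate.audit:
        print(event.outcome, event.user, event.detail)
    print(gate.overrides_by_user())
```

Denied requests are audited as well as granted ones, so repeated attempts against a record show up in review even when no access was given.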

There are obvious cost implications of implementing HIPAA. Organizations now need to maintain a fair-sized HIPAA contingency budget every year. There are costs such as traveling to understand more about HIPAA, man-hours, and employee education.


Health care services and professionals are working toward providing environments that safeguard health-related information. In part, actions have been encouraged and set in motion as a result of HIPAA compliance efforts. Some solutions are enabled by information and communication technologies while others rely on standards of practice that have been advanced by the health care community. The e-Health Code of Ethics, initiated in 2000, helps ensure that people understand the potential risks of managing their own health care and the health of those in their care. The eight guiding principles of the code work to ensure candor, honesty, quality, professionalism, responsible partnering, accountability, informed consent, and privacy of patient information (Internet Health Coalition, 2000) (Table 1).

In a similar vein, the Health on the Net (HON) Foundation (2002) Code of Conduct for medical and health Web sites addresses the reliability and credibility of information on the Internet. Specifically, it addresses the authority of the information provided, data confidentiality and privacy, proper attribution of sources, transparency of financial sponsorship, and the importance of clearly separating advertising from editorial content (Health on the Net Foundation, 2002).

Role of Technology-Based Solutions

In addition to guiding principles for behavior, health care enterprises are faced with a number of technical and operational challenges. Among these are the needs to operate more efficiently, to expand the scope of the enterprise, to provide greater access to information from a variety of locations and platforms including mobile/wireless, and to greatly improve the security and privacy of information. These challenges can, at times, seem contradictory. The responses to these challenges necessitate many different initiatives, including security planning, creation of wide area networks, and adoption of wireless/mobile platforms. In addition, the health care industry’s ongoing, massive consolidation has resulted in the emergence of so-called Integrated Delivery Systems (IDS). These systems are designed for large, regional providers that need to share clinical and other information among numerous hospitals, clinics, home-care agencies, and other facilities. With the advent of multiple clinics and hospitals sharing data, a health care organization must contend with factors such as leased telecommunications lines and external circuits and services, rather than local services inside a building (KBeta Security Web, 2001).

From unauthorized users to disgruntled employees to cyber-terrorists, the threat to health care information systems cannot be taken lightly. Poorly written software, the demand for convenience over security, and overworked, undertrained IT health care professionals present substantial information systems vulnerabilities (Beaver, 2003). The HIPAA security rule is about information security best practices. Technology for secure networks includes tools such as firewalls, encryption, user authentication, and software that detects and reports network vulnerabilities and unauthorized activity (KBeta Security Web, 2001).

Management Issues

It is imperative to realize that technology is not the silver bullet that people have come to believe in and rely on. Simply relying on the technical solutions is not sufficient to ensure the security of the information. While cutting-edge network technology might be available to make networks secure, technology is only an enabler (KBeta Security Web, 2001). Other issues that need to be considered include ongoing information risk assessment, information security audits, disaster recovery, and business continuity plans (Beaver, 2003). Information security is a business issue as well. Organizational and cultural issues are paramount in making the technology fulfill its potential. The key is to impart a culture of security and confidentiality to an organization. As a corporate cultural issue, security and confidentiality integrate through diverse areas of technology, organization, and regulation. Security is an integrated approach in which an organization needs to have its entire management team involved in the decision-making processes. These processes should include key decision makers from multiple and varied departments such as legal, human resources, and operations.

Given the intersecting technical, organizational, and regulatory factors, it should be understood that security of enterprise networks is both an ethical and a cultural issue, requiring constant, iterative education and awareness. In order for information security initiatives to be effective, it is critical not to forget the end user. In fact, the human factor can be the weakest link in an information security program (Beaver, 2003). Organizations must reinforce employee awareness through an ongoing program of education, reward, and recognition. Individual user accountability is a critical component of network security. A system cannot allow, for example, several providers to use the same terminal simply by using the same password and logon for the sake of convenience.

Mobile computing applications and the use of wireless technologies in health care have seen a great deal of growth and expansion in capabilities. From a security standpoint, the social changes are probably the hardest to implement. It is easy to have the firewalls and technologies in place, but it is harder, and more important, to manage the social aspect of such a change. If people leave their PC screen on and others walking by can see the information displayed on it, then security doesn’t mean anything. Similarly, if people stick their passwords on post-it notes on their screens, then the security measures become meaningless. Maybe security will change with biotechnology, and people won’t have to remember multiple passwords while they simply remember to bring their thumb to work.

The information owners must determine security risks, impact, and the severity of a potential compromise. Additionally, the information owners should be responsible for determining a balance between the costs and benefits of security for their particular organization. Organizational risk is an aggregate factor and must be determined collectively by all of the information owners within and throughout the organization. Securing an organization’s information assets is ultimately an upper management responsibility and must be managed from the top down from a business perspective. Health care managers must understand the business impact of information risks and the implications involved if systems are not secured. To protect themselves from legal liabilities, health care organizations need to show due diligence in attempting to implement best practices in this regard.

Implications and Conclusions

In the end, it is necessary to understand that there is no such thing as 100% security. However, it is vital that reasonable measures be in place to reduce the chances of unauthorized access to confidential information. With HIPAA privacy regulation compliance mandatory since April 14, 2003, health care providers need to ensure that their systems meet the federal health privacy policies. Although the law allows for incidental disclosures of information, providers covered by the rule are expected to put reasonable safeguards in place to protect their patients’ information. This means that sign-in sheets may be used in a doctor’s reception area, but patients should no longer be asked to write down their conditions because other patients could see the sheet. In an emergency room, the large white boards listing patient names and conditions should be moved to areas out of public view. In hospitals, patient charts should be turned to face the wall so people walking by cannot read them. New computer software allows doctors’ offices to identify patients by full name or just by initials, just in case others might catch a glance of a PC screen. Most hospitals have new policies on the release of information regarding a patient’s condition. Such information was once routinely provided to family, friends, clergy, and reporters who called. Under the new rules, hospitals must give patients a chance to opt out of any hospital directory. No information, even that a person is a patient in the hospital, may be released without the patient’s consent. Even if a patient agrees to being included on a general patient listing, hospitals may release only limited information without specific patient authorization and only if a caller asks about a patient by name (Meckler, 2003).

Technologically, the continued growth and acceptance of the Internet, widespread growth of wireless devices with greater functionality, and decreasing costs of technology solutions all point towards continued development of more robust software applications. These developments may improve adoption of technology, but careful selection and implementation are necessary to ensure the security and privacy of patient information. Eventually, organizational policies, technical solutions, and regulatory guidance should improve the acceptance of e-technology and increase its value to health care organizations. With greater security of patient information, health care organizations can build patient trust by protecting confidential patient information. This trust between the patient and the provider in turn will lead to improvement in the overall quality of health care.