Editor’s Note: In this pair of articles, experts share perspectives on the questions and challenges surrounding healthcare IT and privacy.

Seeking a difficult balance: The limits of privacy in the emerging healthcare IT ecology

It’s not always easy to strike the right balance between privacy and other values. In particular, because privacy is all about controlling access to personal information, it tends to be in tension with the value of information availability. This tension can become outright opposition in some cases. This article will discuss two healthcare situations in which that is the case, one at the operational level involving emergency access to information and the other at the policy level involving the shutdown of the HIPAA individual identifier by privacy advocates. The latter, in particular, is a story worth recalling because it may be causing the unintended consequence of increasing risks to personal information in the emerging nationwide health information network.

When discussing information security risks, it is probably easier to speak in terms of confidentiality rather than privacy. The three standard objectives of information security are confidentiality, integrity and availability—the “CIA triad.” Privacy in particular overlaps with confidentiality, as both have to do with control of access to personal information. Privacy can be defined as the legally recognized right of an individual to limit access to personal information, while confidentiality can be defined as a condition in which a party is subject to obligations to control access to information. Confidentiality, therefore, enforces the personal information access limitations that privacy laws and individual choices define.

Availability, on the other hand, is all about providing information where and when it is needed, both complete and accurate. Taken to its extreme, availability would not be constrained by any limitations other than the demands of the user. Availability and confidentiality are therefore in tension and may well come into opposition, and the question then becomes how to resolve the conflict.

Almost all security requirements are risk-based, meaning that some degree of risk is inevitable and must be accepted. Conflicting security objectives can therefore be resolved by weighing the relative tolerance for the risks associated with each objective. For example, it might be appropriate to accept a higher level of confidentiality risk if the harms that confidentiality errors are likely to cause are materially less than the harms likely to be caused by availability errors. This can be demonstrated with an example from healthcare treatment operations.

The case for weak passwords in the emergency room

For healthcare purposes—and really, for almost all purposes—harms to individual health and safety are, and should generally be, ranked as the most important harms to avoid and, if material, are certainly more important than reputational or financial harms. This suggests a low tolerance for the risk of availability errors in systems used to support real-time diagnosis and treatment: A failure to have necessary information available might cause a mistaken diagnosis and kill someone. A lower risk of availability errors might therefore be appropriately balanced against an increased risk of confidentiality errors, which might result in reputational or financial harm but are not likely to result in death.

The need for this kind of balancing act might be found, for example, in electronic health record (EHR) access in an emergency room, which is typically controlled by password. For most purposes, it is considered a best practice to require the use of unique, mixed-alphanumeric and symbol passwords that are frequently changed to control access to protected health information, especially the kind of detailed, often sensitive information contained in an EHR. Because such passwords are hard to crack, they tend to reduce the risk of confidentiality errors resulting in unauthorized access.

However, by the same token, strong passwords are also hard to remember. Users who are unable to remember their passwords will be unable to access their EHRs, creating a risk of availability errors. A strong password policy that reduces the risk of confidentiality errors, therefore, also increases the risk of availability errors.

In some clinical settings it might be appropriate to forgo strong passwords. For example, in an emergency room setting, clinical information may well be needed on literally a life-or-death emergency basis, so the tolerance for availability errors should be very low. The hospital operating the emergency room might therefore conclude that EHR access in the emergency room should not be controlled by strong passwords.

The balancing of risks would be very different for a claims processing system in the same hospital. Claims information may include highly sensitive personal information but is used for financial purposes and so does not need to be available with the same urgency as clinical information. In this setting, there would be a higher tolerance for availability errors, and a strong password policy might be very appropriate.

Unintended consequences of the demise of the HIPAA patient identifier

This same tension has had some interesting consequences for national health information technology policy. The American healthcare sector has been going through a difficult infrastructure transition for a long time, as paper-based medical record and administrative systems are over time converted to EHRs and management information and claims processing systems. These systems in turn are becoming increasingly interoperable, under policy initiatives pursued by both parties and many private organizations to establish health information exchange (HIE) functions and organizations.

These policy initiatives have brought us such noteworthy developments as the Health Insurance Portability and Accountability Act (HIPAA), known to most of us principally for its privacy and security mandates. In fact, however, these were but a small part of the “Administrative Simplification” section, which in turn was but a small part of HIPAA, a statute intended to promote and standardize electronic healthcare claims transactions. The privacy and security provisions were almost an afterthought, added on to help reassure the public that the new systems would protect their information against improper use or disclosure.

For the last decade or so, the principal public policy initiative has been development of a seamless nationwide network for HIE among interoperable EHRs. This network—probably ultimately a “network of networks” operated by various organizations—will someday, ideally, allow for on-demand delivery of information from the EHR of any healthcare provider who has treated a given patient to the EHR of any other provider where the patient needs care. For example, if I had a medical emergency in New York, my hospital would pull in information from my primary care doctor’s EHR in Seattle, the EHRs of specialists I had seen in San Francisco and Denver, and the EHR of a hospital in Los Angeles where I’d received care. This information could be crucial to my diagnosis and treatment, and my doctors and I would very much want the information to be available. A nationwide HIE, therefore, should have a low tolerance for availability errors.

There are several basic problems with making information available across a network of this kind, but one of the most fundamental is, how does a provider find information? How do you identify me uniquely, so that you can find information about me?

One possible solution was actually provided for in HIPAA, which required regulations establishing a unique patient identifier for use in claims transactions. While not intended to enable HIE, this kind of identifier could play a useful role in the projected nationwide system.

But this potential solution was stopped dead by privacy advocates. Shortly after initial hearings were held on the proposed identifier in 1998, a coalition of privacy advocates objected that this was the first step to a national registry of citizens. There was a public uproar; Congress quickly passed legislation defunding work on the regulation, and no one has been willing to touch it since. Policy concerns about potential privacy violations thus eliminated a potential solution for reduction of HIE availability errors.

And an unanticipated consequence may well be a system which creates even greater privacy risks. In the absence of a universal identifier, the solution to identifying individuals for HIE is the master patient index (MPI). Names—and even names along with one or two other bits of personal information—aren’t very reliable identifiers across a large population. An MPI serving HIE for a large population therefore needs additional demographic information, which must be updated and maintained. Individuals are then identified by a more-or-less formal comparison of demographic data sets.

An MPI is complex enough within a closed network, and complexity only increases with MPIs serving more than one network. A genuinely functional nationwide network will have to have some sort of MPI interoperability solution, which will require even more storage and sharing of information. But the same demographic data that resolves identities is useful for identity theft, so these new databases and transactions are likely targets for malicious action—a seriously increased risk of harmful confidentiality errors. This may or may not turn out to be a worthwhile tradeoff against the loss of the HIPAA unique patient identifier.
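To make the MPI tradeoff concrete, here is a small added example (not code from the article) of the kind of demographic comparison an index performs. The records, field weights and threshold are constructed assumptions; the point is that name plus date of birth alone cannot resolve two people in the sample population, and that every extra field the index needs to disambiguate them is another piece of identity-theft-grade data the index must store and share.

```python
# Toy master patient index (MPI) matcher. Added illustration, not the
# article's code. Records, weights and threshold are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    mpi_id: str
    last: str
    first: str
    dob: str            # YYYY-MM-DD
    zip5: str = ""      # extra demographics the MPI must hold to disambiguate
    phone_last4: str = ""

# Constructed sample population: MPI-001 and MPI-002 are different people
# who share the same name and date of birth.
INDEX = [
    Record("MPI-001", "garcia", "maria", "1975-03-02", "98101", "1234"),
    Record("MPI-002", "garcia", "maria", "1975-03-02", "80202", "9876"),
    Record("MPI-003", "garcia", "mario", "1975-03-02", "98101", "1234"),
]

# Illustrative agreement weights: more discriminating fields score higher.
WEIGHTS = {"last": 2.0, "first": 2.0, "dob": 4.0, "zip5": 3.0, "phone_last4": 3.0}
MATCH_THRESHOLD = 10.0   # assumed cut-off for a confident match

def score(query: dict, rec: Record) -> float:
    """Weighted agreement score; a field missing on either side is no evidence."""
    total = 0.0
    for fld, weight in WEIGHTS.items():
        qv = query.get(fld)
        rv = getattr(rec, fld)
        if qv is None or rv == "":
            continue
        # Agreement adds the full weight; disagreement subtracts half of it.
        total += weight if qv.lower() == rv.lower() else -weight / 2
    return total

def resolve(query: dict):
    """Return (mpi_id or None, reason). Ties and weak scores are refused, not guessed,
    because a wrong match is itself an availability error with clinical consequences."""
    ranked = sorted(((score(query, r), r.mpi_id) for r in INDEX), reverse=True)
    best, runner_up = ranked[0], ranked[1]
    if best[0] < MATCH_THRESHOLD:
        return None, "no confident match"
    if best[0] == runner_up[0]:
        return None, "ambiguous: multiple candidates tie"
    return best[1], "matched"
```

Querying with only last name, first name and date of birth returns no confident match; adding the ZIP code resolves MPI-001, which is exactly the additional demographic data the article notes the index must collect and maintain.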


There is no single right privacy choice for all situations. Rather, privacy is one of a number of important values which must be balanced, but might not always be fully reconciled, in pursuing personal, organizational and policy objectives. When that occurs, all that can really be done is a careful analysis of the implications of the difficult choices, and a decision that some kinds of privacy risks might be worth accepting to avoid other, more harmful types of risk.

Written By

John Christiansen

