For the past 16 months, it was my privilege and pleasure to serve on the National Research Council's Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. The NRC staff organized site visits to hospitals and other healthcare institutions that keep medical records and have a reputation for doing a good job. We also heard from representatives of companies in related business areas, privacy advocates, and others.

Paul Clayton of Columbia University's Dept. of Medical Informatics chaired the panel, and Jerry Sheehan of the NRC staff was the study director. A prepublication copy of the committee's report, For the Record: Protecting Electronic Health Information, was released on March 5 and is available at http://www.nap.edu/readingroom/books/ftr/.

The recommendations call for improvements in technical and organizational policies, practices, and procedures that should not surprise Cipher readers with a good background in computer security (though you might be surprised at the number of institutions that don't have these policies, practices, and procedures in place).

Press coverage of many of the report's findings and recommendations has been gratifying, but there is one particular recommendation that, somewhat to my surprise, has received almost no attention. As it happens, this recommendation presents a technical challenge that some Cipher readers might like to pursue:

Recommendation 4: Any effort to develop a universal patient identifier should weigh the presumed advantages of such an identifier against potential privacy concerns. Any method used to identify patients and to link patient records in a health care environment should be evaluated against the privacy criteria listed below.

1. The method should be accompanied by an explicit policy framework that defines the nature and character of linkages that violate patient privacy and specifies legal or other sanctions for creating such linkages. That framework should derive from the national debate advocated in recommendation 3.
2. It should facilitate the identification of parties that link records so that those who make improper linkages can be held responsible for their creation.
3. It should be unidirectional to the degree that is technically feasible: it should facilitate the appropriate linking of health records given information about the patient or provided by the patient (such as the patients identifier), but prevent a patients identity from being easily deduced from a set of linked health records or from the identifier itself.

The first of the three parts of this recommendation calls for the development of a privacy policy, which is not a technical issue. The other two parts, however, do call for new technology.

I think it is fair to say that the committee would have pointed to practical technologies that could make the linker of records visible and that were unidirectional, if it had been able to identify them. Perhaps Cipher readers can help, either by letting us know what we missed or developing something new.

As I mentioned in my last letter, the issue of universal patient identifiers is of particular moment in the U.S., because legislation passed last August requires the Health and Human Services Department to develop recommendations on this topic very soon.

On a lighter note, I would like to thank the many contributors to this issue and also to welcome Dr. James Davis of the Department of Electrical Engineering and Computer Science at Iowa State University to our slate of regular volunteers. Jim will be helping Hilarie Orman keep our Call for Papers file up-to-date.

Please let me know if you would be interesting in helping to keep Cipher going. I am particularly interested in finding people to help keep the Reader's Guide current.

Carl Landwehr
Editor, Cipher