Dg. O'Brien and Wa. Yasnoff, Privacy, confidentiality, and security in information systems of state health agencies, AM J PREV M, 16(4), 1999, pp. 351-358
Objectives: To assess the employment and status of privacy, confidentiality, security and fair information practices in electronic information systems of U.S. state health agencies.
Methods: A survey instrument was developed and administered to key contacts within the state health agencies of each of the 50 U.S. states, Puerto Rico and the District of Columbia.
Results: About a third of U.S. state health agencies have no written policies in place regarding privacy and confidentiality in electronic information systems. The doctrines of fair information practice often seemed to be ignored. One quarter of the agencies reported at least one security breach during the past two years, and 16% experienced a privacy and confidentiality related transgression. Most of the breaches were committed by personnel from within the agencies.
Conclusions: These results raise questions about the integrity of existing privacy, confidentiality and security measures in the information systems of U.S. state health agencies. Recommendations include the development and vigorous enforcement of written privacy and confidentiality policies, increased personnel training, and expanded implementation of security measures such as encryption and system firewalls. A discussion of the current status of U.S. privacy, confidentiality and security issues is offered. (C) 1999 American Journal of Preventive Medicine.