A framework for "Need to Know" authorizations in medical computer systems: responding to the constitutional requirements.

"Need to Know" systems which restrict access to computerized data to those with a specified need for the data have been described as part of the solution to the problem of privacy in health care information systems. However, no operational "need to know" system is described in the medical literature. Recent legal developments in constitutional privacy protection make a "need to know" system mandatory, not optional. In sophisticated information systems users can utilize the unique characteristics of the system itself to implement a high level "need to know" system, based on the institution's own patient treatment pattern. This article provides an analytical tool for helping to define a "need to know" system with reference to the specific problems of health care institutions.