Responding to the imperative to share data in the health world – as a requisite for quality health care – the legislation creates the concept of a custodian/trustee/steward of PHI, and creates rules and procedures for enabling the sharing of data among the custodians. [...] The concepts of confidence and confidentiality, barely appearing in the technology or the legislative reviews of Parts I and II, are prominent in the interviews of Part III. [...] Outside this cloud of actors are the potential intruder, the oversight agency (which could be a privacy official, or a health or state agency which ensure the rules are observed) and the secondary user - someone that has access to the data for a secondary (non-primary care) purpose. [...] To sign a piece of data, the signer creates a simplified form of the data called a digest using some standard publicly-known method, encrypts that digest, and attaches it to the data (which is not encrypted) as a signature. [...] Anyone can now verify that this data-signature pair is in fact from the signer by creating a digest of the unencrypted data and comparing it against the decrypted signature - if the digest created by the verifier and the decrypted signature are identical, the only person who could have created that data is the signer.