Health information technology (HIT) has become a signal element of federal health policy, especially as the recently enacted American Recovery and Reinvestment Act of 2009 (Recovery Act or ARRA) comprises numerous provisions related to HIT and commits tens of billions of dollars to its development and adoption. These provisions charge various agencies of the federal government with both general and specific HIT-related implementation tasks including, inter alia, providing funding for HIT in various contexts: the implementation of interoperable HIT, HIT-related infrastructure, and HIT-related training and research. The Recovery Act also contains various regulatory provisions pertaining to HIT. Provisions of the Recovery Act that address HIT directly require the establishment of the Office of the National Coordinator for Health Information Technology (ONCHIT or ONC) at the Department of Health and Human Services (HHS) and specify incentive payments for health care professionals and hospitals to implement, improve, and maintain HIT under the Medicare and Medicaid programs.[...] [D]espite the considerable promise of HIT, implementation can be difficult, and deliverable off-the-shelf benefits are unclear to many providers, independent of price and payment questions. Other significant impediments to HIT adoption include complex "cultural" barriers among practitioners and patients, standard-setting issues, network externalities, and regulatory costs. These are surveyed briefly below, both because some general background is useful to our particular discussion and because these impediments are, in various ways, interrelated. Our focus in this Article, however, will be on one particular species of regulatory costs--those imposed by certain sorts of privacy and data security regulations, with special attention to state law privacy and data security regimes.[...] We investigate the expected tangible privacy harms related to HIT and find them to be less stark than some may believe. For example, from 2001 to 2005, about 0.111% of the adult population suffered medical insurance account misuse (defined as the use of personal information to obtain or receive payment for medical treatment, services or goods), and only 0.0148% of the adult population had their personal data used to create a new medical insurance policy. Further, it does not appear that consent or breach-notification requirements significantly reduce the tangible harms caused by the privacy violations that do occur. Rather, most benefits from medical privacy regulations likely accrue in the utility that patients derive from the fact that they have dominion over their personal medical information. This likelihood strongly suggests that policy makers need to develop a clearer understanding of patients' underlying preferences for medical privacy before expanding regulatory burdens, as they ought to be wary of adopting costly regulations that may promise modest tangible benefits. In light of the existing data on consumer preferences for privacy, we propose a modified federal Privacy Rule that maintains the exception to consent for medical treatment, but also allows privacy-sensitive patients to sequester their records from interoperable HIT systems altogether. We also suggest that breach notification triggers should be related to actual risk of harm and that a focus on data security may be a more efficient substitute for both consent and breach notification requirements. We also focus on the costs associated with varying state regulation of medical privacy. Although we do not advocate any particular legislative response to the costs of state regulation, we explain how the express preemption of state health information privacy and data security provisions could be an efficient response to the costs of those provisions. In addition, although the implied preemption arguments advanced by the petitioners (and rejected by the U.S. Supreme Court) in another health care context, that of Wyeth v. Levine, are precluded by statute in this one, policy arguments in favor of preemption in this area may enjoy certain advantages that, at least in the Court's view, were not available to the petitioners in Wyeth.[...] This Article is unique because, in addition to its use of independent research, it draws heavily from information gathered at a 2008 Federal Trade Commission workshop that examined certain innovations in health care delivery (the Workshop). The Article proceeds as follows. Part II comprises several brief background sections: (a) summarizes certain general information about HIT development and adoption; (b) reviews certain costs and benefits associated with HIT; and (c) provides an overview of federal and state health information privacy and data security law. Part III returns to the question of benefits and barriers associated with HIT, providing a more focused discussion of network effects in HIT. Part IV examines consumers' demand for privacy generally and health information privacy specifically. Part V then analyzes the implicit tradeoffs between various types of privacy regulation and the adoption and application of HIT. Part VI considers the federal preemption of state regulation of health information privacy and data security as a feasible policy response to the costs of regulatory variation.
Daniel J. Gilman & James C. Cooper,
There is a Time to Keep Silent and a Time to Speak, the Hard Part is Knowing Which is Which: Striking the Balance between Privacy Protection and the Flow of Health Care Information,
Mich. Telecomm. & Tech. L. Rev.
Available at: http://repository.law.umich.edu/mttlr/vol16/iss2/1