There is a Time to Keep Silent and a Time to Speak, the Hard Part is Knowing Which is Which: Striking the Balance between Privacy Protection and the Flow of Health Care Information
Daniel J. Gilman
James C. Cooper
Federal Trade Commission
Recommended Citation: Daniel J. Gilman & James C. Cooper, There is a Time to Keep Silent and a Time to Speak, the Hard Part is Knowing Which is Which: Striking the Balance between Privacy Protection and the Flow of Health Care Information, 16 Mich. Telecomm. & Tech. L. Rev. 279 (2010). Available at: http://repository.law.umich.edu/mttlr/vol16/iss2/1
Daniel J. Gilman, J.D., Ph.D., is an Attorney-Advisor in the Office of Policy
Planning at the Federal Trade Commission.
James C. Cooper, J.D., Ph.D., is Attorney-Advisor to Commissioner William E.
Kovacic at the Federal Trade Commission. The views expressed in this Article are those of the
authors alone, and do not necessarily represent the views of the Federal Trade Commission or
any of its commissioners. The authors would like to thank Maureen K. Ohlhausen, William E.
Kovacic, and Arlene Holen for their helpful comments regarding earlier drafts of this Article
and related materials. Faults in this Article should, of course, be attributed to the authors
3. Data Security Requirements
4. Legal Uncertainty
III. STRIKING THE BALANCE
CONCLUSION
PREEMPTION VERSUS FEDERALISM IN PRIVACY REGIMES 343
Every positive value has its price in negative terms.
Here comes a transformation, again. Health information technology
(HIT) has become a signal element of federal health policy, especially as
the recently enacted American Recovery and Reinvestment Act of 2009
(Recovery Act or ARRA)1 comprises numerous provisions related to HIT
and commits tens of billions of dollars to its development and adoption.2
These provisions charge various agencies of the federal government with
both general and specific HIT-related implementation tasks including,
inter alia, providing funding for HIT in various contexts: the
implementation of interoperable HIT, HIT-related infrastructure, and HIT-related
training and research. The Recovery Act also contains various regulatory
provisions pertaining to HIT. Provisions of the Recovery Act that address
HIT directly require the establishment of the Office of the National
Coordinator for Health Information Technology (ONCHIT or ONC) at the
Department of Health and Human Services (HHS)3 and specify incentive
payments for health care professionals and hospitals to implement,
improve, and maintain HIT under the Medicare and Medicaid programs.4
1. The "American Recovery and Reinvestment Act of 2009" is the short title of H.R. 1,
"Making supplemental appropriations for job preservation and creation, infrastructure
investment, energy efficiency and science, assistance to the unemployed, and State and local fiscal
stabilization, for fiscal year ending September 30, 2009, and for other purposes." American
Recovery and Reinvestment Act of 2009 (Recovery Act), Pub. L. No. 111-5, 123 Stat. 115
2. Although $19, $20, and $22 billion price tags have been associated with Recovery
Act HIT spending, HIT-related outlays contemplated in the statute appear to be much higher
still. A partial tally may be gleaned from notes 3-4, infra. See generally Letter from Douglas
W. Elmendorf, Dir., Cong. Budget Office, to Hon. Charles E. Grassley, Ranking Member,
Comm. on Fin., U.S. S., tbl.2 (Mar. 2, 2009), http://www.cbo.gov/ftpdocs/100xx/doc10008/
3. See Recovery Act § 3001. The Congressional Budget Office (CBO) has estimated
budget authority of $2 billion and outlays of $1.98 billion associated with Title XIII. Letter
from Douglas W. Elmendorf, supra note 2, at tbl.2.
4. For these provisions in Division B, Title IV, of the Recovery Act, CBO estimates
net outlays at $20.819 billion. Letter from Douglas W. Elmendorf, supra note 2, at tbl.2. That
estimate supposes substantial savings in later years. For example, CBO-estimated total outlays
for Medicare incentives total $36.347 billion from 2009 through 2015, but anticipated negative
Although the magnitude of this commitment to HIT is striking, the
impetus is clear enough.5 Many have argued that the growth of HIT is
critical to improving quality and efficiency in health care delivery.6 It
appears that HIT has the potential to reduce medical errors,7 duplicative
testing and procedures,8 and substantial administrative costs now
attributed to incomplete, hard-to-find, or otherwise faulty paper records.9
Although significant use of computers in health care dates to at least the
1950s, many areas of health care trail other sectors of the economy in
their use of information technology. How is it that in many practices, the
use of expensive and highly sophisticated technology-such as magnetic
resonance imaging-is common, but the use of simple
technology-such as computerized lookup tables to check both general and
patient-specific contraindications for prescription medicines-is not?
The answer is not so simple. On the one hand, certain barriers to
widespread adoption of HIT have been plain enough and are well
documented. As described below, the costs of adoption, which are borne
chiefly by health care providers, can be high, including not only the
acquisition of hardware and software but often costs associated with
modifying HIT systems to suit particular practices, training for users,
and prospective maintenance and updating costs.10 At the same time, the
benefits of adoption tend to be distributed, accruing mostly to payers,
patients, and public health rather than to the health care providers who
pay the direct costs of adoption. The Recovery Act promises to shift that
balance of costs and benefits in a way that is bound to be significant.
Specifically, the Act's financial incentives for adoption should make at
least a marginal difference for many practitioners, practices, and
The problem of adoption has not, however, been a simple problem of
misaligned incentives, and it is unlikely that the allocation or
reallocation of funds will remove all of the barriers to the widespread
adoption of fully functioning, interconnected, HIT systems by U.S.
health care providers. First, despite the considerable promise of HIT,
implementation can be difficult, and deliverable off-the-shelf benefits
are unclear to many providers, independent of price and payment
questions. Other significant impediments to HIT adoption include complex
"cultural" barriers among practitioners and patients, standard-setting
issues, network externalities, and regulatory costs. These are surveyed
briefly below, both because some general background is useful to our
particular discussion and because these impediments are, in various
ways, interrelated. Our focus in this Article, however, will be on one
particular species of regulatory costs-those imposed by certain sorts of
privacy and data security regulations, with special attention to state law
privacy and data security regimes.
There are several reasons for this focus. First, lowering these sorts of
barriers may sometimes be tractable and cost-effective. Regulatory
reform is not always low-hanging fruit, but it may be more practicable in
the short run than, say, reworking the medical practice habits of several
generations of established, working physicians. Second, emerging
research casts new light on the relationship between privacy regulation and
HIT in ways important to HIT policy. Recently, several authors have
provided cogent analyses of the implications of HIT for health
information privacy, and have suggested regulatory modifications to ensure that
privacy remains protected.11 In addition, emerging research suggests that,
by increasing the costs of inter-hospital communication of health
information, certain state privacy laws tend to suppress the network benefits
associated with HIT, and thus tend to reduce the rate of HIT adoption by
11. See, e.g., Sharona Hoffman & Andy Podgurski, Electronic Health Record Systems,
22 HARV. J.L. & TECH. 104, 121-22 (2008); Sharona Hoffman & Andy Podgurski, Protecting
Electronic Private Health Information, 48 B.C. L. REV. 331, 335-38 (2007); Nicolas P. Terry
& Leslie P. Francis, Ensuring the Privacy and Confidentiality of Electronic Health Records,
2007 U. ILL. L. REV. 681, 682.
hospitals in those states that have such laws.12 That result may not be
wholly surprising, as many stakeholders have suggested that certain state
laws may impede HIT adoption,13 and that the mix, or patchwork, of
state regulation is problematic as it stands.14 Third, building on both
these strands of research, we will argue that policy makers should
consider tradeoffs between two important policy goals that are to some
extent in tension: (1) regulatory protections for health information
privacy and (2) the flow of health information, which is a central goal of
HIT. The Recovery Act does not seem to recognize such tradeoffs,
although we hope that they may figure in its implementation.
At one level, tradeoffs between privacy and HIT are inevitable. HIT
facilitates the collection, storage, processing, and flow of health
information. Privacy and data security depend, at least, on the absence of
unwanted access to or sharing of health information. Hence, many of the
benefits associated with HIT arise from rapid and low-cost information
sharing between disparate parts of the health care system, but laws
designed to protect health privacy are designed to make the flow of health
care information more costly. Indeed many states have been working to
update and harmonize their regulatory requirements in this area in
recognition of such problems.15 In this Article, we examine the balance
between patients' legitimate concerns about the breach of health
information privacy and security, on the one hand, and the HIT-associated
benefits that may be threatened by excessive and highly variable privacy
regulation, on the other. As has been argued in the context of financial
12. See, e.g., Amalia R. Miller & Catherine Tucker, Privacy Protection and Technology
Diffusion: The Case of Electronic Medical Records, 55 MGMT. SCI. 1077 (2009) (discussing
the differential effects of state law medical privacy regimes on hospitals' adoption of HIT).
13. See, e.g., LINDA L. DIMITROPOULOS, PRIVACY AND SECURITY SOLUTIONS FOR
INTEROPERABLE HEALTH INFORMATION EXCHANGE: NATIONWIDE SUMMARY 6-3 (2007)
[hereinafter NATIONWIDE SUMM.] ("Several states reported that antiquated laws written for
paper-only environments created significant barriers to electronic health information
14. See, e.g., Linda Dimitropoulos & Stephanie Rizk, A State-Based Approach to
Privacy and Security for Interoperable Health Information Exchange, 28 HEALTH AFF. 428,
428-29 (2009) ("An interoperable system of HIE [health information exchange]-that is, one
in which various parties can share and exchange data among them-will have difficulty
accommodating the current range of variation in policy requirements."); see also, e.g., J. Thomas
Rosch, Comm'r, F.T.C., Where Do We Go From Here?-Some Thoughts on the Future of the
Consumer Protection Mission (Jan. 29, 2007) (transcript available at http://www.ftc.gov/
15. See, e.g., NATIONWIDE SUMM., supra note 13, at 6-39 to 6-44 (reporting on various
cross-state and interstate initiatives to address interstate variation, including efforts to
harmonize state medical privacy laws across certain states).
16. See J. Howard Beales, III & Timothy J. Muris, Choice or Consequences: Protecting
Privacy in Commercial Information, 75 U. CHI. L. REV. 109, 118-20 (2008).
expected consequences of breach-both tangible harms and the impact
on the intrinsic value that patients find in health information privacy.
Data suggest that the former harms are small, and we suggest that policy
makers should develop a keener understanding of the latter, which is
likely to vary across the population in both quality and magnitude.
We investigate the expected tangible privacy harms related to HIT
and find them to be less stark than some may believe. For example, from
2001 to 2005, about 0.111% of the adult population suffered medical
insurance account misuse (defined as the use of personal information to
obtain or receive payment for medical treatment, services or goods), and
only 0.0148% of the adult population had their personal data used to
create a new medical insurance policy.17 Further, it does not appear that
consent or breach-notification requirements significantly reduce the
tangible harms caused by the privacy violations that do occur. Rather, most
benefits from medical privacy regulations likely accrue in the utility that
patients derive from the fact that they have dominion over their personal
medical information. This likelihood strongly suggests that policy
makers need to develop a clearer understanding of patients' underlying
preferences for medical privacy before expanding regulatory burdens, as
they ought to be wary of adopting costly regulations that may promise
modest tangible benefits. In light of the existing data on consumer
preferences for privacy, we propose a modified federal Privacy Rule that
maintains the exception to consent for medical treatment, but also allows
privacy-sensitive patients to sequester their records from interoperable
HIT systems altogether. We also suggest that breach notification triggers
should be related to actual risk of harm and that a focus on data security
may be a more efficient substitute for both consent and breach
We also focus on the costs associated with varying state regulation
of medical privacy. Although we do not advocate any particular
legislative response to the costs of state regulation, we explain how the express
preemption of state health information privacy and data security
provisions could be an efficient response to the costs of those provisions. In
addition, although the implied preemption arguments advanced by the
petitioners (and rejected by the U.S. Supreme Court) in another health
17. See SYNOVATE, 2006 IDENTITY THEFT SURVEY REPORT 17, 19 (2007), http://
www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf [hereinafter SYNOVATE 2006
REPORT]. These calculations are based on an estimate of 3.7% of the adult population being a
victim of ID theft. Id. at 11. Of the surveyed victims of ID theft, 3% suffered reported misuse
of existing medical insurance accounts. Id. at 17. Also, 0.04% of surveyed ID theft victims
reported that new medical insurance accounts were opened using the stolen information. Id. at
19. Thus, .03 * .037 = 0.00111 of the adult population suffered misuse of their existing
medical insurance accounts and .004 * .037 = 0.000148 of the adult population suffered new
medical insurance account fraud.
care context, that of Wyeth v. Levine,18 are precluded by statute in this
one,19 policy arguments in favor of preemption in this area may enjoy
certain advantages that, at least in the Court's view, were not available to
the petitioners in Wyeth.
Nothing in the following discussion should be read to assail the
notion that some form of regulatory intervention is appropriate to safeguard
the substantial consumer interests at stake in the area of health
information privacy.20 But excessive regulation, or a poorly integrated patchwork
of federal and state regulations, could impede innovations that would be
beneficial to health care consumers, public health, and the fisc.21 Even
well-intentioned regulations can be costly, and the research community
only recently has begun to grapple with the broader costs-including the
economic and health costs-of various means of safeguarding consumer
privacy. Because substantial attention rightly is being paid to the
consumer interests at stake in HIT privacy and data security, we focus here
on the other side of the cost/benefit divide.
This Article is unique because, in addition to its use of independent
research, it draws heavily from information gathered at a 2008 Federal
Trade Commission workshop that examined certain innovations in health
care delivery (the Workshop).22 The Article proceeds as follows. Part II
comprises several brief background sections: (a) summarizes certain
general information about HIT development and adoption; (b) reviews
certain costs and benefits associated with HIT; and (c) provides an
overview of federal and state health information privacy and data security
law. Part III returns to the question of benefits and barriers associated
18. Wyeth v. Levine, 129 S. Ct. 1187, 1193-94 (2009).
19. Regulations promulgated under HIPAA with regard to "the privacy of individually
identifiable health information shall not supercede a contrary provision of State law, if the
provision of State law imposes requirements, standards, or implementation specifications that
are more stringent than the requirements, standards, or implementation specifications imposed
under the regulation." Health Insurance Portability and Accountability Act of 1996 (HIPAA)
§ 264(c)(2), 110 Stat. 2033-34, 42 U.S.C. § 1320d-2 (2009).
20. See, e.g., United States v. Skodnek, 933 F. Supp. 1108 (D. Mass. 1996) (describing
harms to consumers related to defendant psychiatrist who was fined and incarcerated
following convictions for making false claims to the Medicare program, mail fraud, obstruction of
justice, and witness intimidation); cf. ALAN F. WESTIN, HOW THE PUBLIC VIEWS PRIVACY AND
HEALTH RESEARCH 13-14 (2008), available at http://www.ftc.gov/os/comments/
healthcarewrkshp/534908-00001.pdf (suggesting through nationwide survey data that 58% of
respondents believe medical-record privacy is insufficiently protected).
21. See Amalia Miller, Professor, Dep't of Econ., Univ. of Va., Address at Federal Trade
Commission Workshop on Innovations in Health Care Delivery 225-32, 251-52 (Apr. 24, 2008)
(transcript available at http://www.ftc.gov/bc/healthcare/hcd/docs/
22. The main web page for the April 24, 2008 FTC Workshop, Innovations in Health
Care Delivery, with links to the Workshop agenda, a complete transcript of the Workshop
itself, supporting materials, and public comments, is available at http://
with HIT, providing a more focused discussion of network effects in
HIT. Part IV examines consumers' demand for privacy generally and
health information privacy specifically. Part V then analyzes the implicit
tradeoffs between various types of privacy regulation and the adoption
and application of HIT. Part VI considers the federal preemption of state
regulation of health information privacy and data security as a feasible
policy response to the costs of regulatory variation.
I. TECHNICAL, MARKET, AND REGULATORY BACKGROUND
A. The Development and Adoption of HIT
As noted above, many areas of health care trail other sectors of the
economy in their use of information technology. Recent years, however,
have seen a proliferation of utilities, systems, hardware, and analytics,
including electronic health records, personal health records, electronic
prescribing, and the collection, analysis, and flow of increasingly rich
types of health information. Generally speaking, HIT "refers to
computer applications for the practice of medicine."23 "Applications" in this
context encompass software and hardware applications and their
outputs, as well as analytic, training, and other support services that might
enhance the use of such applications.
The Recovery Act stipulates that "'health information technology'
means hardware, software, integrated technologies or related licenses,
intellectual property, upgrades, or packaged solutions sold as services
that are designed for or support the use by health care entities or patients
for the electronic creation, maintenance, access, or exchange of health
information."24 Just as the Recovery Act thus defines HIT generally for
certain of its own purposes, it is important to understand that HIT
comprises myriad products and services, such as (a) electronic medical
records-including patient records, clinical decision support, laboratory
records, health plan records, records exchange systems, and personal
health records, (b) clinical ancillaries and other kinds of clinical
information systems, such as labs, radiology, and image management
systems, (c) biomedical devices, including medical device data systems,
(d) population HIT, including "not just public health reporting, which is
moving to an electronic basis, but also registries such as disease
registries, immunization registries, and . . . statistical analysis and reporting
such as quality of process, quality of outcomes and health disparities
23. CONG. BUDGET OFFICE, supra note 10, at 1.
24. American Recovery and Reinvestment Act of 2009 (Recovery Act), § 3000(5), 123
Stat. 115, 229 (2009).
analysis that would count in the population health area of health IT," and
(e) applications serving the administrative and financial sectors of
Note, too, that there appears to be substantial variation in usage in
broader discussions of HIT,26 and that definitions may continue to change
in the course of HIT development. As a practical matter, this Article
makes no attempt to force the larger HIT policy discussion-including
published research-to conform to particular stipulated definitions of
HIT applications. At the same time, certain extant definitions of central
HIT applications provide a useful baseline. In 2008, the National
Alliance for Health Information Technology offered the following
definitions in a report to the ONC:
Electronic Medical Record [eMR]: An electronic record of
health-related information on an individual that can be
created, gathered, managed, and consulted by authorized
clinicians and staff within one health care organization.
Electronic Health Record [eHR]: An electronic record of
health-related information on an individual that conforms to
nationally recognized interoperability standards and that can
be created, managed, and consulted by authorized clinicians
and staff across more than one health care organization.
Personal Health Record [PHR]: An electronic record of
health-related information on an individual that conforms to
nationally recognized interoperability standards and that can
be drawn from multiple sources while being managed, shared,
and controlled by the individual.27
25. At the FTC Workshop, Mr. Ferguson provided roughly this overview of HIT
applications, devices, and services. James Ferguson, Exec. Dir., Health I.T. Strategy & Policy,
Kaiser Permanente, Address at Federal Trade Commission Workshop on Innovations in Health
Care Delivery 135-36 (Apr. 24, 2008) (transcript available at http://www.ftc.gov/bc/
26. See, e.g., OFFICE FOR CIVIL RIGHTS, U.S. DEP'T OF HEALTH & HUMAN SERVS.,
PERSONAL HEALTH RECORDS AND THE HIPAA PRIVACY RULE 1, http://www.hhs.gov/ocr/
privacy/hipaa/understanding/special/healthit/phrs.pdf (last visited Mar. 24, 2010) ("There is
currently no universal definition of a [Personal Health Record], although several relatively
similar definitions exist within the industry.")
27. NAT'L ALLIANCE FOR HEALTH INFO. TECH., DEFINING KEY HEALTH INFORMATION
TECHNOLOGY TERMS 6 (2008), http://healthit.hhs.gov/ (use the search bar to locate the
document and then follow the hyperlink).
For the most part, the Recovery Act appears to have borrowed from these
in its stipulated HIT definitions.28 Also important is electronic
prescribing (eRx), which has been "defined by the eHealth Initiative as 'the use
of computing devices to enter, modify, review, and output or
communicate drug prescriptions.'"29
Again, many have argued that the growth of HIT is centrally
important to improving quality and efficiency in health care.30 Both the general
promise of HIT and its demonstrated efficiencies in particular
implementations have garnered substantial private and public commitment to HIT
development and adoption. Large IT businesses are increasingly
involved in HIT development;31 large employers have been interested in
the potential benefits of HIT for their health care benefits programs;32
and prior to the Recovery Act's enactment, HHS and other federal
agencies had devoted considerable resources to the development and
promotion of HIT.33
28. For example, under the Recovery Act, an "electronic health record" (eHR) is "an
electronic record of health-related information on an individual that is created, gathered,
managed, and consulted by authorized health care clinicians and staff." Recovery Act § 13400(5).
29. Agency for Healthcare Research and Quality, Electronic Prescribing, http://
healthit.ahrq.gov/ (follow the "Electronic Prescribing" hyperlink in the "Key Topics" box)
(last visited Mar. 24, 2010). We stipulate the use of "eRx" as a convenient abbreviation for
electronic prescribing for the purposes of this Article.
30. See, e.g., Hillestad et al., supra note 6, at 1103.
31. For example, the Workshop included a presentation on Microsoft's HealthVault, a
platform supporting web-based PHRs and the development of various HIT applications that
might interconnect with such PHRs. George Scriban, Senior Product Manager, HealthVault,
Microsoft, Address at Federal Trade Commission Workshop on Innovations in Health Care
(Apr. 24, 2008) (transcript available at http://www.ftc.gov/bc/healthcare/
hcd/docs/hcdwksptranscript.pdf). Discussion also included the third-party PHR application
Google Health, which, like HealthVault, provides individual health care consumers with
web-based tools with which to populate their records. See Deven McGraw, Dir., Health Privacy
Project, Ctr. of Democracy and Tech., Address at Federal Trade Commission Workshop on
Innovations in Health Care Delivery 145 (Apr. 24, 2008) (transcript available at
http://www.ftc.gov/bc/healthcare/hcd/docs/hcdwksptranscript.pdf); see also Google Health,
http://www.google.com/health (last visited June 6, 2008). At the same time, part of what is
striking about HIT development is the extent to which health care providers themselves have
found it necessary to develop such proprietary HIT systems. At the Workshop, the Mayo
Clinic's Dr. Wood remarked, "We found the need to develop [Mayo's applications] mostly on
our own, because we have not found opportunities with partners who can develop them with
us." Dr. Douglas Wood, Dept. of Med., Health Care Policy Research Group, Mayo Clinic,
Address at Federal Trade Commission Workshop on Innovations in Health Care Delivery 169
(Apr. 24, 2008) (transcript available at http://www.ftc.gov/bc/healthcare/hcd/docs/
hcdwksptranscript.pdf). Another panelist noted that Marshfield Clinic has developed its core
HIT systems since implementing its first eMR module in 1985. Thomas Berg, Dir. & Special
Projects Manager, Clinical Info. Servs., Marshfield Clinic, Address at Federal Trade
Commission Workshop on Innovations in Health Care Delivery 200-01 (Apr. 24, 2008) (transcript
available at http://www.ftc.gov/bc/healthcare/hcd/docs/hcdwksptranscript.pdf).
32. For example, Dossia is a consortium of large employers, including AT&T, Applied
Materials, BP America, Inc., Cardinal Health, Intel Corporation, Pitney Bowes,
Sanofi-Aventis, and Wal-Mart, who jointly developed and provide a PHR system for the voluntary use
of their employees. A Dossia web site describing the consortium, its PHR, and its privacy
policies is available at http://www.dossia.org/.
Today, some large medical centers and health care systems are all
but paperless, with systems at Marshfield Clinic, the Mayo Clinic, and
Kaiser Permanente being described at some length at the FTC
Workshop.34 For example, Marshfield Clinic-which comprises about 45
health care facilities in Wisconsin and has integrated eHRs for about 2
million patients-reported that all specialties in its various clinics use
the same integrated eHRs and that all inputs into the eHRs by the
roughly 1200 physicians affiliated with Marshfield are done
At the same time, the adoption of HIT, interoperability of HIT
systems, and integration of health information has in many places lagged
behind expectations.36 In fact, paper-based patient record systems still
dominate in U.S. medical practice, especially in small practice settings.37
Only about four percent of U.S. physicians have access to a
fully-functional eHR system, and only about thirteen percent have access to a
33. For example, although the ONC is established by statute under the Recovery Act, it
initially was created to spearhead and integrate HIT initiatives in response to a 2004 executive
order. 2004 Exec. Order, supra note 5.
34. Other systems, such as the Department of Veterans Affairs' (VA's) VistA system,
also were discussed. See, e.g., Berg, supra note 31, at 199-201 (discussing the Marshfield
Clinic); Ferguson, supra note 25, at 134-35 (discussing Kaiser-Permanente); Dr. Robert M.
Kolodner, Nat'l Coordinator, Health Info. Tech., Dep't. of Health & Human Servs., Address at
Federal Trade Commission Workshop on Innovations in Health Care Delivery 293
(Apr. 24, 2008) (transcript available at http://www.ftc.gov/bc/healthcare/hcd/docs/
hcdwksptranscript.pdf) (discussing the VA); Wood, supra note 31, at 169 (discussing the
Mayo Clinic); see also, e.g., GOV'T ACCOUNTABILITY OFFICE, GAO-04-224, INFORMATION
TECHNOLOGY, BENEFITS REALIZED FOR SELECTED HEALTH CARE FUNCTIONS 36 (Oct. 2003)
(regarding Kaiser-Permanente), available at http://www.gao.gov/new.items/d04224.pdf
[hereinafter GAO 2003 REPORT]; Id. at 46-47 (regarding Mayo Clinic); Id. at 61-62 (regarding
35. Berg, supra note 31, at 199-201.
36. "Despite the efforts of the National Committee on Vital and Health Statistics ...
and other groups, progress in health IT in the United States has been too slow." Robert M.
Kolodner et al., Health Information Technology: Strategic Initiatives, Real Progress,
HEALTH AFF. w391, w391-w392 (2008), http://content.healthaffairs.org/cgi/reprint/
hlthaff.27.5.w391v1; see also CONG. BUDGET OFFICE, supra note 10, at 3 ("potential of health IT
to increase efficiency and improve quality, though, very few providers as of 2006, about 12
percent of physicians and 11 percent of hospitals have adopted it"). But cf.
Edward H. Shortliffe, Strategic Action in Health Information Technology: Why the Obvious
Has Taken So Long, 24 HEALTH AFF. 1222, 1223 (2005) (examining slow growth in HIT "in
context by assessing what has succeeded and what still remains to be realized, while asking
what barriers exist that have prevented optimal progress to date").
37. David Gans et al., Medical Groups' Adoption of Electronic Health Records and
Information Systems, 24 HEALTH AFF. 1323, 1325-26 (2005).
basic system. According to one recent paper, "only 1.5% of U.S.
hospitals have a comprehensive electronic-records system (i.e., present in all
clinical units), and an additional 7.6% have a basic system (i.e., present
in at least one clinical unit). Computerized provider-order entry for
medications has been implemented in only 17% of hospitals."39
Indeed, the most basic policy issue in HIT may be the relative pace
of its development and adoption. That is, given the public and private
benefits anticipated with HIT, many of which have been observed in
particular institutional settings, how is it that HIT markets are not more
developed?40 Why is HIT use not more common?
B. Potential Benefits and Costs of HIT
Broadly, HIT benefits flow from two sources: stand-alone and
network efficiencies.41 Stand-alone efficiencies are those that accrue
internally to an office, clinic, or hospital from its use of HIT, and may
include reduced administrative and error costs. Network benefits are
those that are realized across multiple health care service providers:
when various parts of the health care system are able to communicate
efficiently, each part enjoys increasing benefits as the scope of the
network from which information may be drawn increases. In HIT such
network benefits are likely to be more substantial than stand-alone
benefits.42 Most patients see multiple providers in a given year,43 and
providers often rely on external entities to perform lab and radiology
work.44 But, as the former National Coordinator for HIT has explained,
"[f]ragmentation ... results in errors, duplication, lack of coordination,
and many other problems."45
Although the flow of information should reduce fragmentation, the
benefits of HIT on a national scale are very difficult to predict. As a
CBO report has observed, "[n]o aspect of health IT entails as much
uncertainty as the magnitude of its potential benefits."46 A well-cited
RAND report estimates that "effective EMR implementation could
eventually save more than $81 billion annually."47 Others have been critical of
the RAND estimates.48 The CBO, for example, has argued that the
RAND study does not adequately distinguish between possible and
likely benefits to HIT adoption, concluding that it is "not an appropriate
guide to estimating the effects of legislative proposals aimed at boosting
the use of health IT."49 Such disputes may be difficult to resolve in any
precise way in the short run. In brief, possible HIT benefits may be
substantial, highly variable according to particular implementations, and
At least locally, HIT has led to concrete qualitative improvements in
health care services, according to process measures or outcome
measures. One FTC Workshop panelist described, for example, a hospital
system's adherence to the evidence-based process standard of ACE
inhibitor prescription following myocardial infarction ("heart attack")
upon discharge. In that case, implementation of evidence-based HIT
clinical guidance at InterMountain Healthcare reportedly increased
adherence to the standard from about 65% to about 95%, a process
improvement, which significantly reduced the readmission rate, an
45. Brailer, supra note 42, at w5-19; see also Hoffman & Podgurski, supra note 11, at
113 (stating that when doctors do not communicate and coordinate a patient's care "any one of
them may miss vital information that is critical to the individual's welfare").
46. CONG. BUDGET OFFICE, supra note 10, at 6.
47. Hillestad et al., supra note 6, at 1103.
48. CONG. BUDGET OFFICE, supra note 10, at 8-9 (claiming RAND overestimates
probable benefits of HIT); but cf David U. Himmelstein & Steffie Woolhandler, Hope And
Hype: Predicting The Impact Of Electronic Medical Records, 24 HEALTH AFF. 1121, 1122
(2005) (arguing that the RAND analysis is a form of "hype" that "reveals a disturbing array of
unproven assumptions, wishful thinking, and special effects"). We note that the RAND
report's estimate is not generated by precisely the same problem as the CBO's critique of that
estimate. Briefly, the RAND report addresses possible benefits of large-scale eMR adoption.
Although the authors provide reasons to think that their estimate represents neither a "best
case" nor a "worst case" scenario, they recognize that "the currently useful evidence is not
robust enough to make strong predictions." Hillestad et al., supra note 6, at 1104-05. The
CBO Report offers very useful analysis, but it does not offer any particular cost-benefit
analysis attached to any particular legislative proposal, and like the RAND report, it does not appear
to approach a comprehensive assessment of possible benefits (or costs) to HIT adoption.
49. CONG. BUDGET OFFICE, supra note 10, at 4.
outcome improvement.50 That is consistent with survey data suggesting
that physicians who employ eHRs report greater avoidance of costly
medical errors, including, "having averted a known drug allergic reaction
(80%) or a potentially dangerous drug interaction (71%), being alerted to
a critical laboratory value (90%), ordering a critical laboratory test
(68%) and providing preventive care (69%)."51
A 2003 General Accounting Office (GAO) Report, based on data
from ten private and public health care delivery organizations, three
insurers, and one community data network, described substantial
efficiency gains in both administrative function and delivery of care
across settings.52 For example, Mayo Clinic, a 1,951-bed teaching
hospital, achieved annual savings of about $8.6 million by replacing paper
medical charts with electronic medical records for outpatients, $2.85
million by replacing manual medical record handling processes with
electronic access to lab results and reports, $2.9 million by automating
correspondence, and $7 million by reducing un-billable tests and billing
patients directly.53 Single-site studies have also been promising. For
example, a study of the effects of eRx at Brigham and Women's Hospital
indicated "large differences ... for all main types of medication errors:
dose errors, frequency errors, route errors, substitution errors, and
allergies."54
50. Dr. Mark Dente, Vice President, Health Care Solutions & Integrated IT Solutions,
GE Health Care, Address at Federal Trade Commission Workshop on Innovations in Health
Care Delivery 277 (Apr. 24, 2008) (transcript available at http://www.ftc.gov/bc/healthcare/
hcd/docs/hcdwksptranscript.pdf) (describing HIT benefits at InterMountain Healthcare, a
network of hospitals and clinics in Utah). Dr. Dente also described improvements in ventilator
management with the implementation of evidence-based systems at InterMountain. In that
case, he reported both significant improvement in the survival rate and a significant savings,
approximately $120,000 per case, due to the implementation of HIT-based clinical support. Id.
51. DesRoches et al., supra note 38, at 54 (reporting on "fully functional" eHRs,
although those with more basic systems reported "the same effects but less commonly").
52. See generally, GAO 2003 REPORT, supra note 34.
53. Id. at 46, 48.
54. David W. Bates et al., The Impact of Computerized Physician Order Entry on
Medication Error Prevention, 6 J. AM. MED. INFORMATICS ASS'N. 313, 313 (1999); see also, e.g.,
Hagop S. Mekhjian et al., Immediate Benefits Realized Following Implementation of Physician
Order Entry at an Academic Medical Center, 9 J. AM. MED. INFORMATICS ASS'N. 529, 529,
539 (2002) (reporting that the joint introduction of computerized physician order entries
(CPOEs) and eMR systems at Ohio State University Health System improved patient care by,
for example, reducing turn-around times and eliminating all nursing and physician
transcription errors); Kirsten Colpaert et al., Impact of Computerized Physician Order Entry on
Medication Prescription Errors in the Intensive Care Unit: A Controlled Cross-Sectional
Trial, 10 CRITICAL CARE R21 (2006), available at http://ccforum.com/content/10/1/R21
(reporting that HIT implementation in the ICU resulted in significant decreases in the occurrence
and severity of medication errors).
At the same time, it is not clear from either the GAO Report or other
studies that the reported efficiency gains represent net gains for the
adopters. Also, although single-site studies demonstrating gains in
clinical quality at academic medical centers are promising, results have been
somewhat mixed, and there have been relatively few studies measuring
qualitative gains using longitudinal national data. One recent study
employing national data observes that EMRs "have a clear and statistically
significant effect on patient safety," as they are associated with fewer
infections attributable to medical care in hospitals, but that the observed
effect is limited to one of the study's quality measures and, while
"promising," is "small."55 In addition, the promise of any gains may be at risk,
as there have been significant problems with particular HIT
Electronic prescribing illustrates both the potential benefits of HIT
and the extent to which such benefits are uncertain prior to
implementation. As noted above, eRx has long been considered an important and
tractable area for HIT development and adoption. Preventable
medication errors are numerous. The oft-cited 2006 IOM Report, PREVENTING
MEDICATION ERRORS, for example, estimated that "at least 1.5 million
preventable ADEs [adverse drug events] occur each year in the United
States."57 These errors inevitably impose medical costs, which, in turn,
may impose substantial expense on private and public payers.58
The IOM Report suggested that eRx holds special promise for error
avoidance,59 and there are good reasons to agree. First, many errors
55. Stephen T. Parente & Jeffrey S. McCullough, Health Information Technology and
Patient Safety: Evidence from Panel Data, 28 HEALTH AFF. 357, 358 (2009).
56. See, e.g., Yong Y. Han et al., Unexpected Increased Mortality After Implementation
of a Commercially Sold Computerized Physician Order Entry System, 116 PEDIATRICS 1506,
1506 (2005) (reporting an unexpected increase in mortality rates among children who were
referred and admitted to the hospital after eRx implementation); Ross Koppel et al., Role of
Computerized Physician Order Entry Systems in Facilitating Medical Errors, 293 J. AM. MED.
ASS'N. 1197, 1198 (2005) (documenting errors associated with implementation of a
widely used, commercially-available computerized provider order entry system); Ceci Connolly,
Cedars-Sinai Doctors Cling to Pen and Paper, WASH. POST, Mar. 21, 2005, at A01 (describing
an unsuccessful attempt to implement a hospital-level electronic health record system and
reporting that up to 30% of such implementations fail).
57. INST. OF MED., supra note 7, at 5.
58. Id. at 5, 132. That cost estimate excludes both errors of omission (cases where
medication ought to have been prescribed and administered, but was not) and the larger
economic costs-such as missed work days-imposed by preventable ADEs. The report noted
that there are large gaps in our understanding of the costs of medication errors. Id. at 58.
Nevertheless, the report also suggested that, for example, in-hospital adverse drug events alone
might conservatively be estimated to cost $3.5 billion per year, in 2006 dollars. Id. at 132.
59. Id. at 229
("By 2008, all prescribers should have plans in place to implement
; see also Gilad J. Kuperman et al., Medication-Related Clinical Decision
Support in Computerized Provider Order Entry Systems: A Review, 14 J. AM. MED.
appear to be caused by basic coding or information processing failures
that should be amenable to automated control.60 In addition, adverse
events due to faulty drug or dose identity checking, failures in drug
knowledge, and limited patient knowledge (i.e., patient history, current
and recent medications, etc.),61 should be reduced by eRx supported by
eMRs and computerized drug information. In particular institutional
settings, eRx has been associated with substantial reductions in preventable
adverse drug events62 and direct financial costs.63
On the other hand, there have been significant problems with
particular implementations of eRx systems.64 For example, although eRx
implementation at the Children's Hospital of Pittsburgh appeared to
reduce adverse drug events significantly during a nine-month study
period,65 a subsequent study of mortality rates among children who were
referred and admitted to the hospital showed an unexpected increase in
mortality after implementation.66 Such problems seem to arise in
transition to an eRx system, with incomplete or fragmented eRx systems, or
with poor integration between training and practice standards on the one
hand and the HIT systems on the other. Those are not necessarily
long-term, much less intractable, problems. Still, they suggest the potential for
large transition costs in eRx adoption and may raise questions about the
INFORMATICS ASS'N. 29, 29 (2007) (reviewing literature and concluding that "CPOE ... with
clinical decision support ... can improve patient safety and lower medication-related costs").
60. INST. OF MED., supra note 7, at 121-22 (errors include transcription errors,
order-tracking errors, and inter-service communication errors).
62. See, e.g., David W. Bates et al., supra note 54, at 313; Hagop S. Mekhjian et al.,
supra note 54, at 529, 539; Kirsten Colpaert et al., supra note 54.
63. See, e.g., W.M. Tierney et al., Physician Inpatient Order Writing on Microcomputer
Workstations: Effects on Resource Utilization, 269 J. AM. MED. ASS'N. 379, 379 (1993)
(concluding that a network of microcomputer workstations for writing all inpatient orders
significantly lowered patient charges and hospital costs); cf David W. Bates et al., The Costs
of Adverse Drug Events in Hospitalized Patients, 277 J. AM. MED. ASS'N. 307, 307 (1997)
(discussing substantial costs of ADEs and preventable ADEs).
64. See, e.g., Ceci Connolly, supra note 56, at A01 (describing an unsuccessful attempt
to implement a hospital-level electronic health record system and reporting that up to 30% of
such implementations fail).
65. Jeffrey S. Upperman et al., The Impact of Hospitalwide Computerized Physician
Order Entry on Medical Errors in a Pediatric Hospital, 40 J. PEDIATRIC SURGERY 57, 57
66. Han, supra note 56, at 1506; see also, e.g., Koppel, supra note 56, at 1198
(claiming that the implementation of a widely-used and commercially-available CPOE system in an
urban tertiary-care teaching hospital was associated with numerous categories of errors).
67. The JAMA-published study noted, for example, that medication errors were
exacerbated in the system under study by the fact that patient medication records were shown in
small fonts, across a large number of screens (up to 20), where patient names did not appear
on all screens, as well as by "hectic" workstations and "common" crashes of the CPOE
system. See id. at 1200-01.
extent to which efficiency gains realized in particular institutional
settings can be generalized.
One of the most obvious impediments to the adoption of HIT is its
substantial cost. As discussed in the previous section, acquisition and
implementation of HIT systems are costly, operating and maintenance
costs are ongoing, and HIT investments may be regarded as at-risk.
Regulatory costs, uncertainty, "cultural" aversions to HIT, and concerns
about liability exposure also are likely to slow adoption. And yet, as one
FTC Workshop panelist succinctly stated with respect to HIT
investments, "there is no billing code for it."69
HIT adoption costs are varied and substantial. The CBO has noted
that adoption costs include: (1) the initial fixed cost of the hardware,
software, and technical assistance necessary to install the system, (2)
licensing fees, (3) the expense of maintaining the system, and (4) the
"opportunity cost" of the time that health care providers could have
spent seeing patients but instead must devote to learning how to use the
new system and how to adjust their work practices accordingly.70
Although the data is limited, and there is some evidence HIT system prices
are falling, recent studies suggest that, (a) physicians' offices may be
expected to pay initial costs of $25,000-$45,000 to acquire an
office-based HIT system;71 (b) annual operating costs are 12-20% of initial
cost;72 (c) implementation costs for hospitals range from $3 million for
68. See Salomeh Keyhani et al., Electronic Health Records and the Quality of Care, 46
MED. CARE 1267 (2008). In this study, the authors conducted cross-sectional analyses of
national data gathered in ambulatory care settings, including physician offices. Examining blood
pressure control in particular, the authors generally failed to find a relationship between eHR
adoption and the examined quality of care measures, and concluded that "[i]t is doubtful that
presence of an EHR alone can improve the quality of care." Id. at 1270; see also Jeffrey A.
Linder et al., Electronic Health Record Use and the Quality of Ambulatory Care in the United
States, 167 ARCHIVES OF INTERNAL MED. 1400, 1400 (2007) (failing to find quality
improvements, on most measures, associated with eHRs as implemented in ambulatory care settings).
But cf DesRoches et al., supra note 38, at 50 (discussing quality improvements reported by
ambulatory care providers).
69. Ferguson, supra note 25, at 195. There have long been concerns about misaligned
payment incentives in health care markets associated with third-party payment and
regulation. See, e.g., F.T.C. & DEP'T OF JUSTICE, IMPROVING HEALTH CARE: A DOSE OF
COMPETITION, Exec. Summ. 5 (2004), available at http://www.ftc.gov/reports/healthcare/
040723healthcarerpt.pdf [hereinafter A DOSE OF COMPETITION]. For example, as the
FTC/DOJ Report observes, "Government administered pricing by CMS inadvertently can
distort market competition ....CMS never decided as a matter of policy to provide greater
profits for cardiac surgery than many other types of service, but the [payment system] ...
tends to do so." Id. at Exec. Summ. 16.
70. CONG. BUDGET OFFICE, supra note 10, at 17.
smaller hospitals to $7.9 million for large hospitals;73 and (d) average
hospital operating costs are about 19% of one-time costs, or $2,700 per
bed.74 CBO and others also have observed substantial operating costs
associated with HIT.75
It appears that cost structures co-vary with rates of HIT adoption by
type and size of practice setting. For example, "[l]arge hospitals (200
beds or more) have three to four times greater adoption rates than those
of smaller hospitals (fewer than 50 beds),"76 which may be due, in part,
to the ability of larger facilities to "take advantage of economies of scale
by spreading the fixed costs of health IT over a larger base."77 Academic
medical centers also have relatively high adoption rates,78 perhaps
because certain HIT costs may be shared with (and are especially valuable
to) research and teaching functions of the hospitals. 79 Adoption rates also
vary according to practice size in group practice settings, with small
practice groups (5 full-time physicians or fewer) having the lowest rate
of eHR adoption and the highest percentage of paper medical records.80
Large medical centers also have expressed concerns about costs
resulting from the interruption or restructuring of work flow.81 The
integrated HIT system implemented at the Mayo Clinic may be
considered a success in many ways. At the same time, Mayo acknowledges that
its eMR has "had its share of problems because it didn't really match the
physician workflow."82 In some ways, such costs are among the various
"cultural" barriers to HIT adoption, which have to do with providers' and
patients' comfort levels with HIT. For example, HIT may influence the
way health care professionals collaborate and interact, in addition to the
way they keep and consult records and reference outside sources;83 it
may also influence the nature of patient/provider interactions.84 As one
FTC Workshop panelist explained, in many smaller practices, providers
may be especially likely to face the question "how ready and willing am
I to change the things that I do every single day?"85
Patients also may be wary of the ability of HIT systems to protect
their sensitive information. For example, survey data suggests that a
large proportion of consumers have concerns about the adequacy of
extant privacy protections for their medical records and about the risks that
may be presented by inadequate privacy protections.86 Consumer
apprehension about HIT can affect adoption rates of consumer-oriented HIT
products, such as PHRs. It also may reduce demand-side pressures for
providers to adopt HIT.87
The economic benefits of HIT adoption are thus uncertain, and HIT
investments generally have been regarded as at-risk investments,
potential benefits notwithstanding. Uncertainty reduces the present value of
future HIT benefits, and thus private incentives for providers to adopt
HIT. As noted above, implementation may be difficult and clinical
improvements may be uncertain. Expected benefits are likely to be a
positive function of one system's ability to communicate with others, but
providers may be unsure whether a system they adopt today will prove to
83. See, e.g., Ferguson, supra note 25, at 138-39.
85. Carr, supra note 81, at 154; see also Gans et al., supra note 37, at 1325-26.
86. See, e.g., McGraw, supra note 31, at 142 ("[T]he survey data is also very clear that
people have significant concerns about the privacy of their medical records, particularly in
electronic form."); see also Wood, supra note 31, at 184 (regarding Mayo Clinic surveys of
patient privacy concerns); Joy Pritts, Dir. for the Center of Med. Record Rights and Privacy,
Health Policy Inst., Georgetown Univ., Address at Federal Trade Commission Workshop on
Innovations in Health Care Delivery 287-88 (Apr. 24, 2008) (transcript available at
http://www.ftc.gov/bc/healthcare/hcd/docs/hcdwksptranscript.pdf); WESTIN, supra note 20, at
15 (providing nationwide survey data that suggests 58% believe medical record privacy is
insufficiently protected); MARKLE FOUND., AMERICANS OVERWHELMINGLY BELIEVE
ELECTRONIC PERSONAL HEALTH RECORDS COULD IMPROVE THEIR HEALTH (2008), available at
http://www.connectingforhealth.org/resources/ResearchBrief-200806.pdf; CAL. HEALTHCARE
FOUND., THE STATE OF HEALTH INFORMATION TECHNOLOGY IN CALIFORNIA: CONSUMER
PERSPECTIVE 2 (2008), available at http://www.chcf.org/documents/chronicdisease/
HITConsumerSnapshot08.pdf (stating that a survey of California health care consumers shows
"most consumers in California are wary about using health information technology (HIT),
such as personal health records (PHRs)" although many consumers are interested in HIT and
use the Internet for health information); NATIONWIDE SUMM., supra note 13, at 6-36.
87. McGraw, supra note 31, at 195 ("But the improvements in health care quality and
the cost reductions ... that are there as potentials, are going to drive the other actors in the
system, consumers and purchasers ... to actually be on the demand side [of HIT adoption].");
Cf. Ferguson, supra note 25, at 138-39 (discussing popularity, among Kaiser consumers, of
secure online communications with providers, online appointment scheduling, online lab
results, and online Rx refills).
[M]any providers and other covered entities require patient
permission to disclose personal health information for treatment,
payment, and health care operations to satisfy professional
ethical requirements or for risk management ....
treatment purposes, even if federal or state laws did not require
such permission .. . Although variation in the requirement for
and content of patient permission to disclose is due largely to
state law and organizational practices, "HIPAA" is often cited as
the basis for requiring patients' permission for treatment."286
When relevant state and federal privacy regulations are not clear,
parties may over-comply to avoid liability.287 For example, ambiguous
state law provisions regarding the circumstances that trigger breach
notification requirements can lead to over-notification.288 Further, unclear
consent (or documentation of consent) requirements have led to substantial
variation in the form and content of authorization across providers.289
That variation, in turn, has made some providers unwilling to accept
consent obtained by others.290 Vagueness in "minimum necessary"
disclosure requirements under the Privacy Rule also seems to have had a
chilling effect on electronic information exchange.291 For example,
because it often is technically impossible to segregate data fields in eHRs,
many hospitals allow third-party payers to have access only to paper
Note that Miller finds a one-time increase in HIT adoption
HHS' adoption of the HIPAA Rule.293 That is
286. NATIONWIDE SUMM., supra note 13, at 6-11. See also Dimitropoulos & Rizk, supra
note 14, at 429 (discussing how broad variation exists in the "need for ... and the actual
process of obtaining appropriate patient consent" in the context of identifying gaps and conflicts
among state laws).
287. See STEVEN SHAVELL, FOUNDATIONS OF ECONOMIC ANALYSIS OF LAW 224-29
(2004). Of course, the countervailing consideration for breach notification is that breach
notification appears to lead to a lot of customer churn. The size of this consideration may militate
toward erring on the side of not sending notification.
288. See GAO 2007 REPORT, supra note 213, at 35.
289. See NATIONWIDE SUMM., supra note 13, at 6-3 (explaining that laws that are "silent
with respect to certain aspects health information exchange" can lead to varied customs,
which can hinder HIT).
290. Id. at 6-8 ("The lack of a standard permission form, even within a state, results in
different health care entities' developing their own permission form requirements and refusing
to honor permissions obtained by other entities, thereby interfering with the legitimate flow of
291. The Privacy Rule requires that "a covered entity must make reasonable efforts to
limit protected health information to the minimum necessary to accomplish the intended
purpose of the use, disclosure, or request." 45 C.F.R. § 164.502(b)(1) (2010).
292. NATIONWIDE SUMM., supra note 13, at 6-16.
293. Miller, supra note 21, at 252.
interesting but not paradoxical. Certainly, the promulgation of the federal
Privacy Rule did not reduce the regulatory obligations of health care
providers. At the same time, for some providers, it may have lowered the
perceived cost of HIT adoption precisely because it decreased providers'
legal uncertainty and exposure to liability.294
III. STRIKING THE BALANCE
Although consumers demand privacy, it is not free. Privacy
requirements can have positive effects on HIT adoption by helping to assuage
consumers' concerns that their sensitive health information is secure, but
beyond some threshold, it is important for policy makers to recognize
that tradeoffs between privacy protection and HIT development,
adoption, and use are likely inevitable. As one commenter has put it, the
debate over privacy in health care should focus on "how much [privacy]
we want to afford, which in turn is linked to thinking more carefully
about losses from its breach."295 Certain forms of privacy regulation
appear to impose relatively large costs on eMR use while conferring
relatively little in the way of tangible countervailing benefits. Of course,
some may object to such balancing.296 For example, Solove suggests that
individual rights typically give way when pitted against the "common
good."297 That may be a legitimate matter of more general concern, but it
does not answer critical policy and legal questions, such as the level of
resources that ought to be devoted to safeguarding particular rights, or
the manner in which provisions protecting countervailing interests or
rights ought to be balanced.
One might take the position that fundamental rights, or their
exercise or protection, are never in tension, but as we have discussed, that is
entirely dubious in the instant case as it is more generally. Although
exploration of such matters from a policy, legal, or ethical point of view
would take us well beyond the scope of this Article, we should note that,
as a general matter, our Constitutional framework balances fundamental
294. Id. (noting that some have theorized that this was because "HIPAA promoted some
adoption of EMR by making HIPAA compliance easier to demonstrate with an electronic
record than with a paper record").
295. Mike Koetting, Comments on Privacy and Medicine, 30 J. LEGAL STUD. 703, 707
296. See Terry & Francis, supra note 11, at 699 ("This instrumental approach becomes
dangerous when applied to institutional or industrial models of care. In such models, the
notion too easily falls prey to arguments that see the generation, dispersal, and processing of
longitudinal patient health information primarily as a necessity to reduce overall healthcare
costs and to minimize medical error.").
297. Solove, supra note 207, at 761 ("Society will generally win when its interest are
balanced against those of the individual.").
rights, interests, privileges, and powers in no small part because it must.
Even core civil liberties are not regarded as absolute. For example, under
the First Amendment, content-based regulation of speech is
presumptively invalid, but certain categories of speech, e.g., obscenity,298 are
subject to no protection and others, e.g., commercial speech,299 may be
subject to substantial protection, but less than that afforded political,
scientific, literary, or artistic speech. Generally, content-neutral regulation
of speech is subject to intermediate scrutiny and certain species of
restrictions generally are permissible. As the Court has said, "[o]ur cases
make clear ... that even in a public forum the government may impose
reasonable restrictions on the time, place, or manner of protected speech
...."300 More generally, "[t]he First and Fourteenth Amendments have
never been treated as absolutes."301
Speech rights and privacy rights have been variously connected.
"The unwilling listener's interest in avoiding unwanted communication
... is an aspect of the broader 'right to be let alone' that one of our
wisest Justices characterized as 'the most comprehensive of rights and the
right most valued ....'"302 But that right, too, is subject to variable
protection, afforded special protection "in the privacy of the home,"303 but
lesser protection elsewhere.304 Similarly, the Supreme Court has on
several occasions grappled with the tension between First Amendment
guarantees to the press to publicize facts and the rights of citizens to
keep certain facts private.305 These cases have called on the Court to rule
on "a conflict between interests of the highest order-on the one hand,
the interest in the full and free dissemination of information concerning
public issues, and, on the other hand, the interest in individual privacy
and, more specifically, in fostering free speech."306
Of course, in a utilitarian calculus, to the extent that most individuals
highly value a given "right" or interest, their collective valuation may
trump other interests.307 Hence, citizens may willingly agree ex ante to
limit the circumstance under which the common good may trump an
individual right. That is one route to constitutionalism (and in some sense
to the rule of law), and it is not unrelated to the distinction between
act-based and rule-based approaches to utilitarianism. But generally, the
question whether to balance competing interests does not depend on a
commitment to utilitarianism or any other form of consequentialism. It
also does not require the repudiation of a rights-based approach to
privacy or anything else.308
Returning to our concrete policy concern, when designing laws to
protect consumers' sensitive health information, there are two paramount
questions. To what extent do those privacy laws reduce consumer harm?
And, what benefits from HIT do those privacy protections impede?
In answering the first question, it is important to note as a threshold
matter that the baseline level of harm from PHI breach appears small.
Further, the nexus between some privacy laws applied to HIT and harms
from loss of privacy is tenuous. For example, it is unclear how state
privacy laws that have stringent consent requirements reduce the risk of
identity fraud; there is probably little connection between consent and
avoidance of identity fraud within a treatment episode. Additionally,
breach notification laws do not appear to reduce the incidence of identity
fraud, and although the relationship between breach and risk of identity
fraud may be direct, the available data suggest that it is very slight.
Indeed, the broader class of breach notification requirements does not
appear to pass a cost-benefit test. The average direct cost to responding
to a breach (which almost surely is passed on to consumers) is $50,3o9 but
the upper bound on the median expected cost from new account fraud
(the most expensive type) in the event of a breach is $1.13."0 Indeed,
306. Bartnicki, 532 U.S. at 518.
307. See Solove, supra note 297, at 761.
308. See, e.g., H.L.A. Hart, Are There Any Natural Rights?, 64 PHIL. REV. 175, 176
(1955) ("[A]lthough ... all men are equally entitled to be free in the sense explained, no man
has an absolute or unconditional right to do or not to do any particular thing or to be treated in
any particular way; coercion or restraint of action may be justified in special conditions
consistently with the general principle."); cf Alan Gewirth, Are There Any Absolute Rights?, 31
PHIL. Q. 1 (1981) (distinguishing "absolute rights" from those that may be "overridden:' or
309. See PONEMON INST., FOURTH ANNUAL US COST OF DATA BREACH STUDY 3
310. This figure is calculated as follows: The Synovate 2006 study reports a median loss
for new accounts and other frauds of $40 and 10 hours. Using the average hourly wage rate
even for victims in the 90 h percentile of harm, the expected financial loss
is only $24. Thus, extant breach notification requirements generally do
not appear to be a good deal for consumers.
None of the preceding discussion should suggest that consumers
derive no benefit from privacy regulations or that concerns about the
privacy of health information are unfounded or unimportant. As
discussed already, many patients clearly place an intrinsic value on privacy;
hence, regulations may provide benefits beyond those easily measured.
Moreover, society may wish to subsidize the diminution of certain
extreme harms." ' On the other hand, data available from behavioral
experiments suggest that consumers are willing to supply private
information for relatively small amounts of money or enhanced convenience
shopping online.' 2 Further, several studies have found a mismatch
between ex ante consumer responses to general questions regarding their
desire for privacy protection and the actual tradeoffs they are willing to
make when faced with immediate choices."' Although these studies were
experimental in nature and generally involved personal information that
may be seen as less sensitive than PHI, they again suggest that patients
may be more willing to forego certain privacy protections in return for
better and/or cheaper health care than survey data suggest, especially if
the sacrificed protections are of limited efficacy in preventing tangible
harms. And at least for some patients, at least some of the time, an
interest in optimizing information flow may be critical.
With respect to the second question-the costs of privacy
requirements-empirical evidence suggests that HIT adoption rates are lower in
states with stringent consent requirements. Adoption rates in these states
are lower because the regulations suppress network effects associated
with HIT adoption.' 4 Further, states with lower levels of HIT adoption
appear to have higher infant mortality rates, even after controlling for
possibly confounding variables.' 5 To the extent that the IOM is right
from April 2009 of $18.50, this results in median costs from the most expensive type of
identity fraud of $225. Data from IDAnalytics puts a range of the probability of a breached file
being used in an incidence of identity fraud between 0.0001 and 0.005.
311. See, e.g., RICHARD A. POSNER, ECONOMIC ANALYSIS OF LAW 383-84 (6th ed. 2003)
(arguing for direct regulation where injury may be very large or--on related but distinct
grounds-where injuries are fatal).
312. See sources cited supra note 208.
314. See Miller & Tucker, supra note 12.
315. See Amalia R. Miller & Catherine Tucker, Can Healthcare IT Save Babies? (SSRN
Working Paper Series, 2008), available at
http://papers.ssm.consol3/papers.cfm?abstractid=l 080262#PaperDownload (describing effects of state law privacy regimes on infant
mortality). Specifically, their research suggests that certain HIT adoption reduces infant mortality by
about one percent, with gains that "are twice as large for reducing African American deaths
about the potential for ameliorating serious adverse events due to
medication errors by adopting appropriate HIT, we must note again that
millions of such adverse events are on the table.' 6 Thus, by impeding the
flow of health information between providers, stringent consent
requirements may impose real human costs beyond their financial costs.
Consent requirements also impose direct transaction costs on consumers
and providers. Breach notification requirements impose expenses on
firms that can impede adoption of HIT by health care entities, and may
hinder entry by potential PHR providers. In this manner, these laws can
lead to higher prices and reduced consumer choice.
Although consent and breach notification requirements appear likely
to retard HIT adoption, the benefits they provide appear primarily to be
non-tangible; both types of requirements allow consumers to exercise
some dominion over their health information by providing them a veto
over who sees it in the ordinary course of business and notifying them
when unauthorized access occurs. That suggests that policy makers need
to develop a clearer understanding of consumers' underlying preferences
for privacy and how these preferences vary throughout the
populationand perhaps across treatment contexts-before undertaking costly
regulations that appear to provide very modest tangible benefits."' Further,
theoretical commitments about the foundations of privacy rights, or the
nature of privacy interests, cross-cut questions about the ideal scope of
privacy protections, the resources that ought to be devoted to privacy
protections, or how best to tailor privacy protections to minimize harm to
other important interests. Autonomy-based privacy rights principles may
suggest a property rights regime under which medical information
belongs to patients, with providers enjoined from sharing PHI with third
parties without consent, but we should be wary of conclusory
suggestions that the precise metes and bounds of such rights would be obvious.
We suggest that until there is better information on the distribution of
privacy preferences, policy makers should exercise special caution when
considering new or extant consent and breach notification requirements.
In light of the current state of knowledge of patients' privacy
preferences, we offer regulatory reform proposals for consent, breach
notification, and data security requirements. We make these suggestions
mindful that the federal government is not the only player in this policy
...(as they are] for white deaths." Miller, supra note 21, at 233. It was predicted that eMR
adoption, in that context, would cost roughly $450,000 per infant life saved. Id. at 234.
316. See supra notes 57-61 and accompanying text.
317. See Koetting, supra note 295, at 707 ("[Wie appear on the verge of incurring large
expenses from limited health care funds and/or inhibiting appropriate access to medical
information for solutions that have a low likelihood of solving the problems that are at the heart
of people's concerns.").
space. Indeed, the variation in state privacy regulations gives rise to the
result that overly-stringent or inconsistent privacy laws can impede HIT
adoption. Thus any approach inevitably has to grapple with the issue of
federalism, which we leave for Part VI.
One possible path forward for consent requirements would be to
retain the Privacy Rule's carveout for treatment purposes, but also allow
patients to opt out of HIT systems on a provider-by-provider basis.
After a provider has joined an interoperable HIT network, it would give its
patients the option to have their records sequestered from the shared
system (both retroactively and prospectively). This approach to consent has
at least three advantages. First, the Privacy Rule's treatment exception
appears to be a good candidate for a majoritarian rule because it is
unlikely that many consumers would object to providers sharing their
medical information to enable treatment. 318 Survey evidence suggests that
most patients are comfortable with the current treatment of medical
records by their health care providers, 3'9 and although they have concerns
about the privacy implications of HIT, they believe that the benefits from
HIT outweigh the privacy risks.320 More generally, since the early 1990s,
a majority of consumers have described themselves as either "privacy
unconcerned" or "privacy pragmatists," who are willing to permit the use
of their personal information in return for a benefit and sufficient
safeguards. 3'2I Only around a quarter of the population can be described as
"privacy fundamentalist," who feel that their privacy rights are not being
handled correctly, desire only an opt-in rule, and are unwilling to trade
318. See Terry & Francis, supra note II, at 703 (arguing that consentless information
flows be limited to providers within a patient's "circle of care,' which includes "practitioners
that are immediately and directly involved in the care of the patient-and on an as-needed
basis with another member of a patient's medical team"); Sunstein, supra note 200, at 712
(arguing that the presumption in favor of patient control over private information should be
rebutted when disclosure is to other doctors on a patient's "medical team" because "if this is
necessary for good treatment, the patient has no reasonable basis for complaint").
319. See Harris Poll, supra note 195 (showing 70% of patients surveyed agree that they
are satisfied with the way that doctors and hospitals treat their personal health information,
and 63% agree that the increased use of computers to record and share patient medical records
can be accomplished without jeopardizing proper patient privacy rights).
320. See Beckey Bright, Benefits of Electronic Health Records Seen as Outweighing
Privacy Risks, WALL ST. J., Nov. 29, 2007, available at http://online.wsj.com/article/
SB I119565244262500549.html (reporting results from aWall Street Journal Online/Harris poll
that finds although 51%
(down from 61% in 2006)
of those surveyed believe that the use of
electronic medical records makes it more difficult to ensure patient privacy, 60% (and 72% of
those that currently use electronic medical records) agree that the benefits of electronic
medical records outweigh the privacy risks).
321. See Beales & Muris, supra note 16, at 118 (noting that the majority of consumers
are privacy pragmatists who are "willing to provide information in exchange for benefits");
Westin, Opinion Surveys, supra note 208 (noting that since the early 1990s consumers have
split into three groups: Privacy Fundamentalists (25%); Privacy Pragmatists (63%), and
Privacy Unconcerned (12%)).
privacy protections for benefits 2 2 These data suggest that most patients
are satisfied with the status quo and are willing to allow providers to
share their health information in return for benefits.
Second, maintenance of the Privacy Rule would allow high and
lowdemanders for privacy to self-select into different regulatory regimes
rather than force patients to pool into a regime that provides either
inefficiently high or low levels of privacy. Because those who opt out would
internalize the costs of their decisions, in terms of lost HIT benefits, they
would do so only if they value their privacy more highly than those
benefits.1 23 The remainder of the population, who are willing to accept
the Privacy Rule's requirements, will also enjoy the full benefits of HIT,
whatever they prove to be. Although the choice of default position is
irrelevant in a world without transaction costs, 2' in the real world an
opt-in default is likely to be more efficient than an opt-out default. As
noted above, it is likely that the majority of patients would choose to
participate in HIT networks under the status quo. An opt-in default
would economize on aggregate transaction costs by requiring fewer
people to make a decision. Further, it may be costly to make an
opt-in/optout decision and the opt-in default is likely to cause less harm.326
Third, by eliminating consent for individual information requests for
treatment purposes, this approach would not affect the marginal cost of
the flow of information.327 It is important to note, however, that this result
is only obtained if opt-out occurs at the provider level. If the general
regime were to allow privacy-sensitive patients to require their providers
to obtain and document consent for each discrete instance of information
322. See id.; Harris Poll, supra note 195, at I ("[A]bout 25 percent of the public
consistently feels that their legitimate privacy rights are not being handled properly by business,
employer, or government organizations.").
323. Indeed, the opt-out choice would not necessarily be so stark, as it would provide
high-demanders for privacy two sorts of choices: they could opt out of HIT systems generally,
internalizing the costs implicit in opt-out decisions, but they could also choose ad hoc use of
HIT systems in particular contexts in which private assurances or protections more closely
matched their preferences (for example, in a particular practice setting, or with a utility, where
special protections substantially exceeded those given publicly).
324. For example, these opt-out patients would not enjoy monetary and non-monetary
benefits from enhanced communication among health care providers to coordinate care. See
Terry & Francis, supra note II, at 701-02. They would, of course, enjoy some, as public
health or various benefits accruing to the public fisc would be at least partly available to the
larger population, although we should acknowledge that, at the margin, these may be
diminished according to the number of opt-outs.
325. R.H. Coase, The Problem of Social Cost, 3 J.L. & EcoN. 1,15 (1960).
326. See Beales & Muris, supra note 16, at 114-18 (discussing how, in the context of
consumer financial information, the informational costs of exercising choice regarding
whether to opt-in to or opt-out of an information-sharing regime can swamp expected benefits,
such that the default position often becomes the status quo).
327. See Terry & Francis, supra note II, at 703.
sharing (even for legitimate treatment or reimbursement purposes) or to
demand other ad hoc mandates-say, to select certain records or parts of
records from providers to be excluded from the HIT network-that
would foist costs on those remaining in the system by suppressing
network externalities, and thus HIT adoption rates.12' Further, it would
reduce providers' willingness to rely on electronic records for treatment
decisions to the extent that they have concerns about accuracy, which
would also raise costs and reduce HIT adoption rates .129 Finally, allowing
patients to opt-out of the system on a record-by-record (or information
within a record) basis would impose additional recordkeeping costs on
providers, which likely could not be charged only to those who request
the segregation of their information but, instead, would be built into
With respect to breach notification, triggers based on the relative risk
of harm to consumers, rather than on mere incidence of access also
appear to strike a desirable balance. For example, the FTC's proposed
breach notification rule for PHRs moves in this direction by requiring
notification only when the breach involves unencrypted data and
allowing PHR vendors to rebut the presumption that breached data has been
acquired. 30 This proposal, for example, would relieve a PHR vendor
from the burden of notification when a staff member inadvertently
accesses a database.
Substitution away from consent and breach notification requirements
into data security requirements may be more efficient. Because the former
species of regulation implicate marginal costs of data transmission, they
risk deterring beneficial sharing of health information. On the other hand,
data security requirements implicate primarily (if not exclusively) fixed
costs. Thus, these requirements may be more efficient than other forms of
regulation to assure patient privacy from an error-costs perspective.
Finally, although the preceding discussion has focused entirely on
optimal types of regulation, it is worth exploring the extent to which
government intervention is needed at all. The Constitution clearly
protects citizens from unwarranted government collection and
government-mandated disclosures of private information,"' and is likely
to prohibit the state from setting a ceiling on the privacy protections that
328. See id. at 702-03.
329. This is a concern that has been raised about some approaches to PHRs, or
PHR/eHR interfaces. See Dimitropoulos and Rizk, supra note 14, at 430; Koppel, supra note
330. Health Breach Notification Rule, 74 Fed. Reg. 17,914, 17,915-16 (Apr. 20, 2009)
(to be codified at 16 C.F.R. pt. 318).
331. See Whalen v. Roe, 429 U.S. 589, 599 (1977); United States v. Westinghouse Elec.
Corp., 638 F.2d 570, 570 (3rd Cir. 1980).
private parties may provide, for example, by mandating disclosures
without consent. 32 There is, however, no Constitutional mandate for the
government to set a privacy floor for private entities:" Private entities
face competition in the marketplace. To the extent that health care
providers and HIT vendors compete over privacy protections, the need for
regulation may be diminished. In other areas of the economy, there is
evidence that firms are aware that consumers value privacy and that
firms compete on this dimension.3 If evidence of direct competition on
this dimension of services is slight in the health care arena, it is
nonetheless important to note that, for example, private PHR providers have
expended resources on better understanding consumer knowledge and
preferences. Microsoft, Google, Kaiser, and others prominently display
their privacy policies on their PHR web sites:" The primary online
PHRs are free and consequently generate revenue by attracting traffic for
advertisers. In such double-sided markets, when something (e.g.,
overthe-air television, information or entertainment on a Web site) is given
away to consumers, competition necessarily occurs in non-price
dimensions to attract "eyes" or views. These corporate displays are one
In many instances, regulation or liability is premised on
informational asymmetries. It may be reasonable to assume that consumers are
poorly positioned to appreciate all the risks associated with certain
products, such that the market alone may fail to produce efficient precautions
or levels of safety. 6 By contrast, in the face of information problems
that cause them to overestimate their risks, consumers may demand "too
much" privacy. For example, a large percentage of consumers say that
332. See Citizens for Health v. Leavitt, 428 F.3d 167, 180 (3rd Cir. 2005).
334. See, e.g., Peter Swire, Antitrust, Privacy, and Other Non-Price Competition, ICOMP
Conference on Privacy Competition in the Online Market Place (Apr. 27, 2009),
http://www.icomp.org/calendar/downloadFile/97 (describing how Google, Yahoo, Microsoft, and Ask
compete over privacy features for search engines and how Facebook and MySpace compete
over privacy for social networks); PAUL H. RuBIN & THOMAS M. LENARD, PRIVACY AND THE
COMMERCIAL USE OF PERSONAL INFORMATION 40-42 (2002) (cataloging examples of the
market disciplining firms for violating consumers' preferences for privacy).
335. In addition to a link to its "full Privacy Statement" prominently displayed on the
opening page of Microsoft Health Vault's site for personal use, is the following: "Our
HealthVault Privacy Principles: •You control the Microsoft HealthVault record you create. °You
decide what goes into your HealthVault record. •You decide who can see, use and share your
information. •Microsoft won't use your information in HealthVault to personalize ads or
services without explicit permission'" Microsoft HealthVault, http://www.healthvault.com
Personal/index.html (last visited Mar. 26, 2010); Google Health, Take Charge of Your Health
Information, https://health.google.com (last visited Mar. 26, 2010); Kaiser Permanente,
Privacy Practices for Our Web Site, https://members.kaiserpermanente.org/kpweb/
entryPage.do?cfe=072 (last visited Mar. 26, 2010).
336. See SHAVELL, supra note 287, at 214-15.
they mistrust HIT, but an even larger percentage reports that they are
relatively ignorant about HIT.337 Similarly there appears to be a mismatch
between consumer fears of loss from identity fraud after a breach and
actual levels of harm. 8 These data indicate that consumers probably
overestimate actual risk of harm associated with HIT and are unaware
that HIT may tend to make records safer rather than more vulnerable.
Further, it is dubious that patients are generally aware that stringent
consent and breach notification requirements are likely to have a negative
impact on HIT adoption and use. Thus, there are good reasons to be
concerned that the market may produce "too much" privacy, and that the
current level of demand for regulation to protect the privacy of electronic
health information is greater than it would be in a world of perfect
information. Politicians-who may be susceptible to some of the same
information costs-may thus be biased toward over-regulation; some
more knowingly may be tempted to take advantage of consumers' (and
voters) relative lack of knowledge to push through self-aggrandizing, but
harmful privacy regulations. As Professor Sunstein notes, in the face of
"isolated but highly publicized cases, . . . [plolicy entrepreneurs,
including candidates interested in reelection and good publicity, might well
seek increasingly severe controls., 339 These informational issues again
admonish policy makers to be cautious when developing privacy regimes
to govern HIT. At the very least, policy defaults ought to be set to favor
clarity over opacity, and to avoid disutility based on needless cues to
information problems or counter-productive decision making biases.)40
IV. PREEMPTION VERSUS FEDERALISM IN PRIVACY REGIMES
Leaving aside the stringency of any particular state regulatory
regime, there are also costs associated with the patchwork of regimes.
Although allowing states to experiment with different approaches to
privacy is likely to have benefits, it also comes at a cost. Inconsistent state
337. See NATIONWIDE SUMM., supra note 13, at 6-39 (showing that although nearly half
of consumers surveyed were apprehensive about using electronic health records, 57% reported
not having "read, seen, or heard" anything about electronic health records prior to the survey,
which suggests "a fundamental information gap about electronic health information exchange
within the general consumer population").
338. See PONEMAN INST., CONSUMERS' REPORT CARD ON DATA BREACH NOTIFICATION
5 (2008) (reporting that while 32% of those surveyed believed that following a data breach
their likelihood of becoming an identity fraud victim was greater than 40%, the actual
incidence of fraud was 2%, which suggests "consumers' fears about the possibility of becoming
an identity theft victim do not reflect the actual rate of experience").
339. Sunstein, supra note 200, at 713.
340. See generally, RICHARD H. THALER & CASS R. SUNSTEIN, NUDGE: IMPROVING
DECISIONS ABOUT HEALTH, WEALTH, AND HAPPINESS (Yale Univ. Press 2008).
privacy laws can impede cross-border communication of health
information and can increase the cost of designing and implementing HIT
There appears to be broad recognition-even in the states
themselves-that much is at stake in furthering interoperable HIT and that the
current mix of state laws may be a serious barrier to doing so. For
example, 42 states are now working in various consortia-under the auspices
of the Health Information Security and Privacy Collaboration
(HISPC) '-at diverse tasks aimed at furthering the flow of electronic
health information, including efforts at harmonizing state health privacy
and data security law. 2 Participants in these efforts have observed not
only that "[m]any states have a series of antiquated, fragmented, and
non-standardized laws that may unintentionally create a barrier to the
appropriate exchange of electronic health information," but that "c'
o'3mprehensive reform would be a resource-intensive task in most states. 1
A national study prepared for HHS observes that,
Relevant laws and regulations developed and evolved largely in
response to the paper-based health information exchange. Legal
restrictions addressing health information exchange were often
dispersed across many different statutes and regulations and are
sometimes inconsistent with one another. Several states reported
that antiquated laws written for paper-only environments
created significant barriers to electronic health information
exchange. Other states noted that laws were silent with respect
to certain aspects of health information exchange, leading to
varied business practices and customs."
341. HISPC was established through a contract with HHS to address the privacy and
security challenges presented by electronic health information exchange through multistate
collaboration ...Each HISPC participant had the support of its state or territorial governor
and maintained a steering committee and contact with a range of local stakeholders to ensure
that developed solutions accurately reflect local preferences. RTI INT'L HEALTH INFO.
SECURITY & PRIVACY COLLABORATION (HISPC),
http://www.rti.org/brochures/Health-infoSecurity.pdf (last visited Mar. 26, 2010).
342. See generally Health Info. Security & Privacy Collaboration (HISPC) Nat'l
Conference, Bethesda, MD (Mar. 4-6, 2009) (conference agenda and other materials are available at
http://www.rti.org/events.cfm?bgnyear=2009 (follow the "Health Information Security and
Privacy Collaboration (HISPC) National Conference" hyperlink)). It should be noted that such
consortia organized under HISPC tend to be smaller than national in scope. For example, at
the March 2009 conference there was a report on harmonization efforts undertaken by an I
Istate consortium chaired by Indiana. Id.
343. Julie Roth, Christina Stephan & Patricia Gray, Harmonizing State Privacy Laws for
HIE, Health Info. Security & Privacy Collaboration (HISPC) Nat'l Conference (Mar. 5,2009),
http://www.rti.org/files/hisp/Harmonizing-State-Privacy-Law.pdf. See supra note 342.
344. NATIONWIDE SUMM., supra note 13, at 6-3.
For all of that, relatively little attention has been paid to the
possibility of preempting state law requirements in this area. To be sure, a
few commentators have recommended the express preemption of state
health information privacy laws, generally because they see the
requirements-and the task of compliance with them-as exceedingly
complex or otherwise burdensome for health care providers or other
business entities. 5 But more general considerations of the costs
imposed within and across bodies of state law have been few, and many
broad-ranging HIT policy discussions are silent regarding the
possibility of preemption. For example, the HHS report mentioned in the
preceding paragraph considers various state law issues and means of
addressing them, and does not mention the possibility of broader
preemption of state law.' At the 2008 FTC Workshop, three panels of
participants addressed HIT-related issues, each incorporating privacy
issues into its discussion, but no participants discussed the policy
option of preemption, not even for the purpose of rejecting it 47 The
Recovery Act generally retains the very limited sort of preemption
contemplated under HIPAA, 48 under which the states may not waive the
minimum requirements of HIPAA and the federal Privacy Rule, even as
they are free to regulate unchecked "above" those minimum
There may, of course, be reasons to advocate for state health privacy
regulation, whether favoring particular requirements or the maintenance
of state prerogatives. First, as consumers may be harmed by violations of
their health information privacy, and as they may be poorly situated to
345. That is not to suggest that it has never been mentioned. See Testimony on the
Proposed Rule on Confidentiality of Patient Records: Hearing on Health Insurance Portability
and Accountability Act Before the S. Comm. on Health, Education, Labor and Pensions 106th
Cong. (2000) (testimony of Joanna C. Horobin, Executive Vice President For Commercial
Development, EntreMed Inc.) (suggesting the patchwork of state regulations is unworkable,
and calling for new federal legislation that generally preempts state medical privacy law);
Corey A. Ciocchetti, E-Commerce and Information Privacy: Privacy Policies as Personal
Information Protectors, 44 AM. Bus. L.J. 55, 105-06 (2007) (advocating new federal law that
"must contain an express preemption clause stating that the legislation is intended to serve as a
ceiling as well as a floor"); cf Nicolas P. Terry, An eHealth Diptych: The Impact of Privacy
Regulation on Medical Error and Malpractice Litigation, 27 AM. J.L. & MED. 361, 368
(2001) ("[T]he unsatisfactory 'more stringent' partial preemption provision [in current force]
is likely to befuddle and annoy healthcare institutions with interstate businesses for years into
the future. There may be even worse to come as state legislators are prodded by dissatisfied
privacy advocates to pass statutes that fill perceived gaps in the PIHI regulations, thereby
increasing the number of non-preempted protections.").
346. See NATIONWIDE SUMm., supra note 13. The term "preemption" does appear in the
report, albeit in a different context.
347. See Address at FrC Workshop on Innovations in Health Care Delivery
(Apr. 24, 2008)
(transcript available at http://www.ftc.gov/bclhealthcare/hcd/docs/hcdwksptranscript.pdf).
348. American Recovery and Reinvestment Act of 2009 (Recovery Act), § 13421(a), 123
Stat. 115, 229 (2009).
provide (or contract) for protection against such harms, one may be
concerned about the general question of the adequacy of the larger set of
federal and state privacy regulations. At the FTC Workshop, panelists
were generally in agreement that privacy concerns were important to
HIT policy, and although some panelists were especially concerned
about the costs of excessive regulation, others described the then-current
mix of federal and state regulation as insufficiently protective of
consumers' interests .
It also could be argued that the states may offer an important
"laboratory" for testing various regulatory responses to the problems
presented by emerging or rapidly changing technologies. For example,
Bruce Kobayashi and Larry E. Ribstein have argued that state consumer
privacy law is generally superior to federal law in the realm of digital
information precisely because of the dynamic nature of the underlying
technologies and consumers' interaction with them."0 Where consumers'
expectations of privacy remain unclear, there may not be a set of
common, baseline costs and benefits associated with certain industry
practices that is adequate to justify uniform federal law. State law, on the
other hand, "emerges from 51 laboratories and therefore presents a more
decentralized model that fits the evolving nature of the Internet ....
[and] competition among state laws can mute the inefficient tendencies
of interest group legislation."351 In addition, "[t]he U.S. government's
regulation of privacy rights could determine important aspects of the
Internet's structure and reduce the flexibility and openness that has made
the Internet a major economic force."352
The argument is far from decisive in the present case. First, we
should note that Kobayashi and Ribstein expressly decline to extend
their argument about the potential superiority of state law to the area of
medical privacy. They distinguish "information that consumers clearly
349. Compare Pritts, supra note 86, at 287 ("[People] will not adopt it [HIT] if there is
not adequate trust that their information will be kept confidential."), with Miller, supra note
21, at 231, 233 (regarding costs of state law privacy protections-impact on HIT adoption and
relationship between HIT adoption and neonatal mortality, respectively); Dente, supra note
50, at 274 (discussing the need to think about health needs and the importance of information
"when we balance the need for connectivity, interoperability, information, with the rights of all
of us to have ... patient privacy"). Cf. Trenkle, supra note 177, at 281 ("[A] lot of things need
to be balanced against privacy and security needs .... [But] it is not an either/or, it is
something that needs to be worked together.").
350. Cf. Bruce H. Kobayashi & Larry E. Ribstein, A Recipe for Cookies: State
Regulation of Consumer Marketing Information, GEO. MASON L. & ECON. RES. PAPER No. 01-04,
Feb. 2001, at 5-6 (arguing, on these grounds, that state consumer privacy law is generally
superior to federal law, although expressly declining to extend the argument to medical
351. Id. at 5.
352. Id. at 4.
expect to be kept private, such as medical records ... [from information]
where such expectations are much less clear."353 Presumably, if-ranging
across the states-there are strong, background expectations of privacy
regarding personal information in consumer medical records, the interest
in having varied experimental responses to situations where such
expectations are denied is considerably diminished.354
Second, where Kobayashi and Ribstein would apply their argument,
it depends on the notion that "competition among state laws can mute
the inefficient tendencies of interest group legislation."355 Perhaps this is
true, but that also depends on the extent to which there can be such
competition among state laws. With Internet privacy, crucial competitive
mechanisms seem to be (a) enforcement, by the courts, of choice of law
and choice of forum clauses and (b) the ability of web operators to
"block transmission to states that do not enforce contractual choice."356
Even in the more general realm of Internet privacy, "a" may be an
unlikely counterfactual and "b" seems at least costly and very likely
intractable. To the extent that the flow of information is not readily
cabined, and where choice of law may be at issue, there may be reasons
to wonder whether regulatory reach will be at least as powerful as
regulatory competition. In this regard the U.S./E.U. experiences with data
privacy law generally may be instructive, and at least one commentator
has argued that there are conditions under which the regulatory interests
of small states can prompt larger ones to "ratchet up" their regulatory
requirements, even to some extent past their own perceived interests (and
independent of the question whether one or another state had stumbled
upon more efficient requirements).357 Rejecting the notion that global IT
competition prompts a regulatory race to the bottom, Professor Shaffer
suggests that, although "it is not a race to anywhere in particular, it can
(more likely than not) give rise to a ratcheting up of national standards.
This is particularly the case where foreign regulation has externalities, as
is the case with data privacy protection."358
Further, public choice problems may sometimes be exacerbated-not
ameliorated-at the state level. For example, for many issues,
353. Id. at 5.
354. Of course the extent to which they are diminished may vary. Certainly, there may be
significant heterogeneity in consumer preferences, interests, or expectations above some
shared baseline, and the extent to which any particular regulatory regime satisfies either
baseline needs or varied ones may be in question.
355. Kobayashi & Ribstein, supra note 350, at 5.
356. Id. at 5-6.
357. Gregory Shaffer, Globalization and Social Protection: The Impact of EU and
International Rules in the Ratcheting Up U.S. Privacy Standards, 25 YALE J. INT'L L. 1, 5-8
358. Id. at 7.
national stakeholders may be able to identify seed states in which
lobbying costs are relatively low, countervailing business interests are
relatively diminished, and-as is often the case-consumer interests are
diffuse and costly to organize. Success therein achieved may be more
than local: it may tend to lower the costs of lobbying in other states,
producing, in efficient fashion (for the lobbying stakeholder), a sort of
legislative cascade.359
Finally, the notion of vigorous competition aided by the threat of
virtual exit seems an especially poor fit in many health care contexts.
Informed and well-counseled corporate parties may, for example,
engage in arms-length negotiation over choice-of-law clauses on the basis
of good and tolerably symmetric information about their own interests
and the relevant choices of law.360 One may be less optimistic about such
negotiations between large national payers, mid-sized regional or local
providers, and individual patients, given an industry with notoriously
poor price and quality information transparency,361 where both provider
practices and consumer expectations about such practices may be highly
variable, and when individual patients may require real-time trauma
treatment from a hospital with no local competition.
Of course, even to the extent that a poor fit between certain bodies of
state law may be costly, there are other possible policy responses besides
expanding the preemptive reach of HIPAA. Harmonization efforts are, as
359. Without analyzing the factors behind any particular legislative cascade, we may
observe, nonetheless, that it is not uncommon for similar legislation to be adopted across
many states following a legislative success in one particular state. For example, California was
the first to enact a data breach notification law, requiring companies to notify California
residents whose unencrypted personal information was acquired by an unauthorized person.
Prepared Statement of the Federal Trade Commission Before the S. Comm. on Commerce, Sci.
and Transp. on Data Breaches and Identity Theft, 109th Cong. 11-12 (2005) (Congressional
testimony by FTC Chairman Deborah Majoras on data breaches and identity theft, discussing
the California breach notification law, CAL. CIV. CODE § 1798.82), available at
http://www.ftc.gov/os/2005/06/050616databreaches.pdf. Many states followed California's
lead, and to date, 32 states have some form of data breach notification. We do not suggest that
the states had no reason to be concerned about breach notification issues. We suggest, simply,
that the progress of follow-on legislation across the states often proceeds at a pace that
suggests something other than the application of policy experiments observed in different
jurisdictions, not least because the pace of adoption makes it implausible that the costs and
benefits of legislation, and its implementation, by early adopters has been analyzed by
360. It may be, as well, that where market transactions commonly involve parties thusly
situated, there is competitive pressure in favor of the convergence of state law regimes on a
relatively efficient model, perhaps as we have seen with the dominance of Delaware corporate
361. See, e.g., Robert Wood Johnson Found., Choosing a Health Care Provider: The
Role of Quality Information, Policy Brief No. 14 (May 2008), available at http://
www.rwjf.org/files/research/051508.policysynthesis.qualityinfo.brief.pdf; A DOSE OF
COMPETITION, supra note 69.
noted, underway within consortia of states, as well as other possible state
law reforms. But harmonization is a costly process in itself,362 and the
results of considerable efforts under the auspices of HISPC over the past
several years-although in many regards interesting-seem partial and
Wyeth v. Levine363-addressing very different health care policy and
legal issues-may provide an interesting contrast with present
preemption considerations. In that case, petitioner argued that state law claims,
sounding in tort, that alleged a failure to adequately warn of the risks
attending use of a drug product (administered in a particular way), were
preempted by the regulatory oversight of the federal Food and Drug
Administration (FDA)-in particular, by the approval of the marketing
of the drug product, as safe and effective, under particular labeling,
under the federal Food, Drug, and Cosmetic Act (FDCA).364 The Court held
that they were not.365
Analogous implied preemption arguments are not available under
HIPAA, the federal Privacy Rule, or the Recovery Act, because the
question whether HIPAA may impliedly preempt more stringent state law
requirements is rejected, expressly, by HIPAA itself. Regulations
promulgated under HIPAA with regard to "the privacy of individually
identifiable health information ... shall not supercede a contrary
provision of State law, if the provision of State law imposes requirements,
standards, or implementation specifications that are more stringent than
the requirements, standards, or implementation specifications imposed
under the regulation."366 The interesting policy question, rather, comes in
two parts. First, if the preemption/non-preemption provision did not
exist, would colorable-or perhaps persuasive-implied preemption
arguments be available to stakeholders burdened by state health privacy
laws? Second, if so, to what extent might such arguments work as policy
grounds for the express preemption of such state laws?
The Court's contentious decision in Wyeth367 rests on the rejection of
two separate implied preemption arguments.368 First, the Court rejected the
362. Cf. Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in
Cyberspace, 52 STAN. L. REV. 1315, 1319-20 (2000) (regarding difficulties and harms of
harmonizing privacy rules across national borders).
363. 129 S. Ct. 1187 (2009).
364. Id. at 1193-94.
365. Id. at 1190.
366. Health Insurance Portability and Accountability Act of 1996 (HIPAA) § 264(c)(2),
110 Stat. 2033-34, 42 U.S.C. § 1320d-2 (2009).
367. Writing for the minority, Justice Alito wrote, "[t]his case illustrates that tragic facts
make bad law," and argued that, "[i]n its attempt to evade Geier's applicability to this case, the
Court commits both factual and legal errors." 129 S. Ct. at 1222 (Alito, J., dissenting) (citing
Geier v. Am. Honda Motor Co., 529 U.S. 861 (2000)).
368. Id. at 1193.
conflict preemption argument that, "it would have been impossible for
[Wyeth] to comply with the state law duty ... without violating federal
law."369 Although the FDA has the power to approve (or reject) proposed or
extant labeling for a prescription drug product, FDA regulations do permit
certain provisional changes to reflect "newly acquired information" upon
the manufacturer's filing a supplemental application with the FDA (but
prior to approval of that supplemental application).370 More generally, the
Court identified what it saw as "a central premise of federal drug
regulation that the manufacturer bears responsibility for the content of its label
at all times."371 Hence, federal regulations-and in the Wyeth case,
administrative decisions reached under those regulations-do not
determine the appropriate level of warning. The appropriate level of
warning is to be determined by the manufacturer, subject to FDA review.
Absent HIPAA section 264, a different argument might be made
about health information privacy. On the one hand, health care providers
and other covered entities are free in various ways to implement their
own privacy policies. On the other hand, no such entity can make
unilateral changes-pending HHS approval or otherwise-to the basic
requirements of HIPAA and the Privacy Rule; neither can it modify the
rights HIPAA grants to patients and their representatives. There is,
therefore, specific content to the requirements of federal law in the privacy
case, and private parties may comply or fail to comply with those
requirements, but they may not change them.372 In brief, whereas drug
manufacturers-at least arguably-may disclose certain new risk
information prior to administrative approval, health care providers may not
disclose protected PHI, as proscribed under HIPAA and the Privacy
Rule, without authorization.
Second, the Court rejected Wyeth's argument that state law decisions
regarding the adequacy of the labeling in question "would obstruct the
purposes and objectives of federal ... regulations."373 Against that
possibility, the Court noted the absence of an express preemption provision in
the FDCA. The Court also rejected the FDA's own view that the FDCA
establishes "both a 'floor' and a 'ceiling' so that FDA approval of
labeling ... preempts conflicting or contrary State law."374 Rather, the Court
369. Id. (holding otherwise at 1199).
370. Id. at 1196.
371. Id. at 1197-98.
372. As noted above, pertinent federal law includes not just HIPAA and the federal
Privacy Rule but also the FTC Act and the Recovery Act.
373. Wyeth, 129 S. Ct. at 1193 (holding otherwise at 1204).
374. Id. at 1200 (internal quotations omitted) (citing 71 Fed. Reg. 3922, 3934-35
preferred the FDA's older (and contrary) view that federal standards are
"a floor upon which States could build."375
Plainly, Congress now intends that HIPAA function as a floor, but
not a ceiling, for health information privacy protection. But Congress
also intends that, in general, the Office of the National Coordinator for
Health Information Technology (ONC) carry out its duties "in a manner
consistent with the development of a nationwide health information
technology infrastructure that allows for the electronic use and exchange
of information."376 In particular Congress has declared that ONC
activities will be directed toward "the utilization of an electronic health record
for each person in the United States by 2014."377 Considerable
appropriations have been devoted to those HIT policy goals. To the extent that
there is, as we have discussed, some tradeoff between state law
protection of health information privacy and the rate of HIT adoption, the
following question presents itself: If the costs of additional state law
protections for health information privacy are substantial and "[m]any states
have a series of antiquated, fragmented, and non-standardized laws that
may unintentionally create a barrier to the appropriate exchange of
electronic health information," while "comprehensive reform would be a
resource intensive task in most states,"378 what is the point at which state
law regulation of health information privacy379 may frustrate the larger
purpose of the Recovery Act's HIT provisions?
Field preemption, another type of implied preemption, may also be
an interesting issue for policy purposes. Congressional intent to preempt
state law may be inferred "where the scheme of federal regulation is
sufficiently comprehensive to make reasonable the inference that Congress
'left no room' for supplementary state regulation."380 Such cases are not
unrelated to preemption arguments resting on the purposes and objectives
of federal law, in that the Court has held that Congressional intent to
preempt state law may be inferred where "the federal interest is so dominant
that the federal system will be assumed to preclude enforcement of state
laws on the same subject."381 Even though HIPAA was not intended, as
drafted, to establish comprehensive health information privacy protection,
375. Id. at 1202.
376. American Recovery and Reinvestment Act of 2009 (Recovery Act), § 3001(b), 123
Stat. 115, 229 (2009).
377. Id. at § 3001(a)(3)(A)(ii).
378. Roth et al., supra note 343. See supra note 342.
379. The Recovery Act provides that its two central HIT titles-tit. XIII of div. A and tit.
IV of div. B-be referred to as the "Health Information Technology for Economic and Clinical
Health Act" or the "HITECH Act." Recovery Act § 13001.
380. Hillsborough County v. Automated Med. Labs., Inc., 471 U.S. 707, 713 (1985)
(quoting Rice v. Santa Fe Elevator Corp., 331 U.S. 218, 230 (1947)).
381. Rice, 331 U.S. at 230.
between the adoption of HIPAA and the adoption of the Recovery Act,
many nonetheless would have viewed field preemption arguments as
problematic in this context. For example, participants in the FTC Workshop
and other commentators had expressed concerns about possible gaps in
HIPAA,382 especially with regard to the treatment of business associates383
and, more recently, in the emerging area of PHRs.384 As we have noted,
however, the Recovery Act comprises provisions that address these
substantial gaps with requirements (and possible penalties) pertaining to
business associates,385 new requirements pertaining to PHR vendors and
related entities,386 and provisions for new rule making in these areas by
HHS and the FTC.387 The Recovery Act also calls for further study,
directly by federal agencies and otherwise under federal aegis, with
additional recommendations to Congress presumed to be forthcoming. If
federal regulation does not (or will not soon) occupy the field, at what
point might it?
There is no sure answer to the question whether the elimination of
HIPAA's Section 264 would establish the likely success of implied
preemption arguments in the area of health information privacy. It may be
that Wyeth has raised the bar for such arguments generally, but the extent
to which the Court will read its holding to cabin more than the reach of
the FDCA with regard to state law claims about drug labeling remains to
be seen. Such implied preemption arguments would be difficult in any
case, especially to the extent that the Court found applicable, and
persuasive, the general notion that "the historic police powers of the States
[are] not to be superseded by ... Federal Act unless that was the clear
and manifest purpose of Congress."388 One might also suggest that the
substantial structural complexity of the Court's implied preemption
doctrine is exceeded greatly by the complexity of the doctrine's
semantics-how it might be applied to novel circumstances is less clear than it could
be. Possible implied preemption arguments do, however, point to policy
grounds to consider express preemption. In brief, it is not clear that the
382. See, e.g., McAndrew, supra note 118, at 211 (regarding "certain gaps in the current
HIPAA coverage"); McGraw, supra note 31, at 146-47 ("gap" in HIPAA coverage); Pritts,
supra note 86, at 289 ("gaps" in federal and state privacy protections).
383. McGraw, supra note 31, at 146 (identifying this as a "gap" in HIPAA); cf.
McAndrew, supra note 118, at 211-12 (noting many concerns about the lack of "level playing field"
with business associates and how business associates handle PHI).
384. McGraw, supra note 31, at 146-47 (regarding "gaps" in HIPAA coverage,
especially with regard to personal health records).
385. See American Recovery and Reinvestment Act of 2009 (Recovery Act), §§ 13401,
13404, 123 Stat. 115, 229 (2009) (regarding the application of security provisions and
penalties and the application of privacy provisions and penalties, respectively).
386. Id. § 13407.
387. See supra note 104 and accompanying text.
388. Wyeth v. Levine, 129 S. Ct. 1187, 1194-95 (2009) (internal citations omitted).
web of state privacy and data security protections can be read
consistently with federal privacy, data security, and HIT law, not least because
it cannot be read consistently on its own-often, it seems, even the
prospects of intrastate harmonization may be unclear. Moreover, it may be
that the larger body of state law is at odds with the balancing of policy
goals sought in federal HIT law. In particular, the Recovery Act's HIT
provisions appear to balance substantial interests in health privacy
against substantial interests in the development and adoption of
interoperable HIT and, more than that, the actual flow of health information on
a national basis. State law provisions do not appear to strike a similar
balance, and it is not clear that they could. That is not simply a matter of
adding or subtracting cost to the acquisition of HIT hardware and
software or moving a metaphorical floor or ceiling up or down, but about
optimizing a complex set of considerations about health care practice,
health care funding, standard setting and certification, and more. The
interplay between the HIT policy and standards advisory committees
noted above should be instructive in this regard. Indeed, this Article
more generally illustrates the complexity of benefits and barriers that
may be associated with HIT, and the interrelationships between them.
Interleaving extant-and changeable-state regulatory schemes into this
developing matrix is likely a herculean task, supposing it is tractable at
Health information technology shows great promise, but it will be
costly to implement on a national scale. By providing significant
financial incentives, the recently enacted Recovery Act will further HIT
adoption greatly, but significant non-financial barriers remain. Perhaps
the paramount regulatory barriers are those designed to protect privacy.
Consumers clearly value health information privacy-both for the sake
of maintaining autonomy over intimate details of their lives and because
they worry about financial and physical harms that can come from data
breach. The extant mix of federal and state regulations-chiefly consent
requirements and, to a lesser extent, breach notification
requirements-also impede HIT adoption by making it more costly to share health
information via interoperable systems. At the same time, many privacy
regulations do not appear to provide net benefits, at least in terms of the
tangible harms they seek to suppress. Because most benefits are likely to
be intangible, a regulatory regime that strikes the correct balance
between privacy and HIT adoption can only follow a richer understanding
of patients' intrinsic valuations of privacy, which are likely to vary across
the population and contexts of care. Further, given that consumers
clearly are concerned about their medical privacy-perhaps overly
so-the market should not be discarded as a source of privacy protection.
Calibrating the correct mix of state and federal health privacy
regulation also requires balance. Allowing health privacy regimes to vary
across states permits experimentation and regulations that more closely
match local privacy preferences, to the extent that preferences vary on a
state level. These benefits, however, increase the cost of developing and
implementing interoperable HIT on a national scale, as well as the cost
of the flow of health information over channels already established.
Although HIPAA expressly sets only a federal floor of privacy protection,
the recent federal push behind HIT adoption on a national scale,
combined with HIPAA and Recovery Act privacy provisions, suggest at least
a policy rationale for reconsidering the federal preemption of state health