There is a Time to Keep Silent and a Time to Speak, the Hard Part is Knowing Which is Which: Striking the Balance between Privacy Protection and the Flow of Health Care Information

Michigan Telecommunications and Technology Law Review, Dec 2010

Health information technology (HIT) has become a signal element of federal health policy, especially as the recently enacted American Recovery and Reinvestment Act of 2009 (Recovery Act or ARRA) comprises numerous provisions related to HIT and commits tens of billions of dollars to its development and adoption. These provisions charge various agencies of the federal government with both general and specific HIT-related implementation tasks including, inter alia, providing funding for HIT in various contexts: the implementation of interoperable HIT, HIT-related infrastructure, and HIT-related training and research. The Recovery Act also contains various regulatory provisions pertaining to HIT. Provisions of the Recovery Act that address HIT directly require the establishment of the Office of the National Coordinator for Health Information Technology (ONCHIT or ONC) at the Department of Health and Human Services (HHS) and specify incentive payments for health care professionals and hospitals to implement, improve, and maintain HIT under the Medicare and Medicaid programs.[...] [D]espite the considerable promise of HIT, implementation can be difficult, and deliverable off-the-shelf benefits are unclear to many providers, independent of price and payment questions. Other significant impediments to HIT adoption include complex "cultural

A PDF file should load here. If you do not see its contents the file may be temporarily unavailable at the journal website or you do not have a PDF plug-in installed and enabled in your browser.

Alternatively, you can download the file locally and open with any standalone PDF reader:

There is a Time to Keep Silent and a Time to Speak, the Hard Part is Knowing Which is Which: Striking the Balance between Privacy Protection and the Flow of Health Care Information

IVol. There is a Time to Keep Silent and a Time to Speak , the Hard Part is Knowing W hich is W hich: Striking the Balance between Privacy Protection and the Flow of Health Care Information Daniel J. Gilman 0 1 James C. Cooper 0 1 Federal Trade Commission 0 1 0 This Articlesibrought to you for free and open access by the Journals at University of Michgian Law School Scholarship Repository. It has been accepted for inclusion in Michgian Telecommunications and Technology Law Review by an authorized administrator of University of Michgian Law School Scholarship Repository. For more information , please 1 Part of theHealth Law Commons , Privacy Law Commons, and theScience and Technology Follow this and additional works at: ttlr Recommended Citation Daniel J. Gilman & James C. Cooper, There is a Time to Keep Silent and a Time to Speak, the Hard Part is Knowing Which is Which: Striking the Balance between Privacy Protection and the Flow of Health Care Information, 16 Mich. Telecomm. & Tech. L. Rev. 279 (2010). Available at: - Commons Daniel J. Gilman, J.D., Ph.D., is an Attorney-Advisor in the Office of Policy Planning at the Federal Trade Commission. James C. Cooper, J.D., Ph.D., is Attorney-Advisor to Commissioner William E. Kovacic at the Federal Trade Commission. The views expressed in this Article are those of the authors alone, and do not necessarily represent the views of the Federal Trade Commission or any of its commissioners. The authors would like to thank Maureen K. Ohlhausen, William E. Kovacic, and Arlene Holen for their helpful comments regarding earlier drafts of this Article and related materials. Faults in this Article should, of course, be attributed to the authors alone. 3. Data Security Requirements ........................................ 4. Legal U ncertainty ........................................................ III. STRIKING THE BALANCE .......................................................... IV. CONCLU SIO N.......................................................................................... PREEMPTION VERSUS FEDERALISM IN PRIVACY REGIMES ........ 343 331 332 334 353 Every positive value has its price in negative terms. -Pablo Picasso INTRODUCTION Here comes a transformation, again. Health information technology (HIT) has become a signal element of federal health policy, especially as the recently enacted American Recovery and Reinvestment Act of 2009 (Recovery Act or ARRA)' comprises numerous provisions related to HIT and commits tens of billions of dollars to its development and adoption.2 These provisions charge various agencies of the federal government with both general and specific HIT-related implementation tasks including, inter alia, providing funding for HIT in various contexts: the implementation of interoperable HIT, HIT-related infrastructure, and HIT-related training and research. The Recovery Act also contains various regulatory provisions pertaining to HIT. Provisions of the Recovery Act that address HIT directly require the establishment of the Office of the National Coordinator for Health Information Technology (ONCHIT or ONC) at the Department of Health and Human Services (HHS)' and specify incentive payments for health care professionals and hospitals to implement, improve, and maintain HIT under the Medicare and Medicaid programs. 4 I. The "American Recovery and Reinvestment Act of 2009" is the short title of H.R. I, "Making supplemental appropriations for job preservation and creation, infrastructure investment, energy efficiency and science, assistance to the unemployed, and State and local fiscal stabilization, for fiscal year ending September 30, 2009, and for other purposes." American Recovery and Reinvestment Act of 2009 (Recovery Act), Pub. L. No. 111-5, 123 Stat. 115 (2009). 2. Although $19, $20, and $22 billion price tags have been associated with Recovery Act HIT spending, HIT-related outlays contemplated in the statute appear to be much higher still. A partial tally may be gleaned from notes 3-4, infra. See generally Letter from Douglas W. Elmendorf, Dir., Cong. Budget Office, to Hon. Charles E. Grassley, Ranking Member, Comm. on Fin., U.S. S., tbl.2 (Mar. 2, 2009), 03-02-MacroEffects ofARRA.pdf. 3. See Recovery Act § 3001. The Congressional Budget Office (CBO) has estimated budget authority of $2 billion and outlays of $1.98 billion associated with Title XIII. Letter from Douglas W. Elmendorf, supra note 2, at tbl.2. 4. For these provisions in Division B, Title IV, of the Recovery Act, CBO estimates net outlays at $20.819 billion. Letter from Douglas W. Elmendorf, supra note 2, at tbl.2. That estimate supposes substantial savings in later years. For example, CBO-estimated total outlays for Medicare incentives total $36.347 billion from 2009 through 2015, but anticipated negative Although the magnitude of this commitment to HIT is striking, the impetus is clear enough.' Many have argued that the growth of HIT is critical to improving quality and efficiency in health care delivery.6 It appears that HIT has the potential to reduce medical errors,' duplicative testing and procedures, 8 and substantial administrative costs now attributed to incomplete, hard-to-find, or otherwise faulty paper records.9 Although significant use of computers in health care dates to at least the 1950s, many areas of health care trail other sectors of the economy in their use of information technology. How is it that in many practices, the use of expensive and highly sophisticated technology-such as magnetic resonance imaging-is common, but the use of simple technologysuch as computerized lookup tables to check both general and patientspecific contraindications for prescription medicines-is not? The answer is not so simple. On the one hand, certain barriers to widespread adoption of HIT have been plain enough and are well documented. As described below, the costs of adoption, which are borne chiefly by health care providers, can be high, including not only the acquisition of hardware and software but often costs associated with modifying HIT systems to suit particular practices, training for users, and prospective maintenance and updating costs.' ° At the same time, the benefits of adoption tend to be distributed, accruing mostly to payers, patients, and public health rather than to the health care providers who pay the direct costs of adoption. The Recovery Act promises to shift that balance of costs and benefits in a way that is bound to be significant. Specifically, the Act's financial incentives for adoption should make at least a marginal difference for many practitioners, practices, and hospitals. The problem of adoption has not, however, been a simple problem of misaligned incentives, and it is unlikely that the allocation or reallocation of funds will remove all of the barriers to the widespread adoption of fully functioning, interconnected, HIT systems by U.S. health care providers. First, despite the considerable promise of HIT, implementation can be difficult, and deliverable off-the-shelf benefits are unclear to many providers, independent of price and payment questions. Other significant impediments to HIT adoption include complex "cultural" barriers among practitioners and patients, standard-setting issues, network externalities, and regulatory costs. These are surveyed briefly below, both because some general background is useful to our particular discussion and because these impediments are, in various ways, interrelated. Our focus in this Article, however, will be on one particular species of regulatory costs-those imposed by certain sorts of privacy and data security regulations, with special attention to state law privacy and data security regimes. There are several reasons for this focus. First, lowering these sorts of barriers may sometimes be tractable and cost-effective. Regulatory reform is not always low-hanging fruit, but it may be more practicable in the short run than, say, reworking the medical practice habits of several generations of established, working physicians. Second, emerging research casts new light on the relationship between privacy regulation and HIT in ways important to HIT policy. Recently, several authors have provided cogent analyses of the implications of HIT for health information privacy, and have suggested regulatory modifications to ensure that privacy remains protected." In addition, emerging research suggests that, by increasing the costs of inter-hospital communication of health information, certain state privacy laws tend to suppress the network benefits associated with HIT, and thus tend to reduce the rate of HIT adoption by 91 xx/doc9168/05-20-HealthIT.pdf.bcsi-scanDA3493EE5FC9D524=0&bcsi-scan-filename= \05-20-Health[T.pdf. II. See, e.g., Sharona Hoffman & Andy Podgurski, Electronic Health Record Systems, 22 HARV. J.L. & TECH. 104, 121-22 (2008); Sharona Hoffman & Andy Podgurski, Protecting Electronic Private Health Information, 48 B.C. L. REV. 331, 335-38 (2007); Nicolas P.Terry & Leslie P.Francis, Ensuring the Privacy and Confidentiality of Electronic Health Records, 2007 U. ILL. L. REV. 681,682. A Time to Keep Silent and a ime to Speak hospitals in those states that have such laws.'2 That result may not be wholly surprising, as many stakeholders have suggested that certain state laws may impede HIT adoption,' 3 and that the mix, or patchwork, of state regulation is problematic as it stands.' 4 Third, building on both these strands of research, we will argue that policy makers should consider tradeoffs between two important policy goals that are to some extent in tension: (1)regulatory protections for health information privacy and (2) the flow of health information, which is a central goal of HIT. The Recovery Act does not seem to recognize such tradeoffs, although we hope that they may figure in its implementation. At one level, tradeoffs between privacy and HIT are inevitable. HIT facilitates the collection, storage, processing, and flow of health information. Privacy and data security depend, at least, on the absence of unwanted access to or sharing of health information. Hence, many of the benefits associated with HIT arise from rapid and low-cost information sharing between disparate parts of the health care system, but laws designed to protect health privacy are designed to make the flow of health care information more costly. Indeed many states have been working to update and harmonize their regulatory requirements in this area in recognition of such problems.'" In this Article, we examine the balance between patients' legitimate concerns about the breach of health information privacy and security, on the one hand, and the HIT-associated benefits that may be threatened by excessive and highly variable privacy regulation, on the other. As has been argued in the context of financial privacy,6 we contend that HIT privacy policy should be guided by the 12. See, e.g., Amalia R. Miller & Catherine Tucker, Privacy Protectionand Technology Diffusion: The Case of Electronic Medical Records 55 MGMT. SC. 1077 (2009) (discussing the differential effects of state law medical privacy regimes on hospitals' adoption of HIT). 13. See, e.g., LINDA L. DIMITROPOULOS, PRIVACY AND SECURITY SOLUTIONS FOR INTEROPERABLE HEALTH INFORMATION EXCHANGE: NATIONWIDE SUMMARY 6-3 (2007) [hereinafter NATIONWIDE SUMM.] ("Several states reported that antiquated laws written for paper-only environments created significant barriers to electronic health information exchange."). 14. See, e.g., Linda Dimitropoulos & Stephanie Rizk, A State-Based Approach to Privacy and Security for Interoperable Health Information Exchange, 28 HEALTH AFF. 428, 428-29 (2009) ("An interoperable system of HIE [health information exchange]-that is, one in which various parties can share and exchange data among them-will have difficulty accommodating the current range of variation in policy requirements."); see also, e.g., J.Thomas Rosch, Comm'r, F.T.C., Where Do We Go From Here?-Some Thoughts on the Future of the Consumer Protection Mission (Jan. 29, 2007) (transcript available at speeches/rosch/070129RoschABAconsprotconf.pdf). 15. See, e.g., NATIONWIDE SUMM., supra note 13, at 6-39 to 6-44 (reporting on various cross-state and interstate initiatives to address interstate variation, including efforts to harmonize state medical privacy laws across certain states). 16. See J. Howard Beales, III & Timothy J. Muris, Choice or Consequences: Protecting Privacy in Commercial Information, 75 U. CHI. L. REV. 109, 118-20 (2008). expected consequences of breach-both tangible harms and the impact on the intrinsic value that patients find in health information privacy. Data suggest that the former harms are small, and we suggest that policy makers should develop a keener understanding of the latter, which is likely to vary across the population in both quality and magnitude. We investigate the expected tangible privacy harms related to HIT and find them to be less stark than some may believe. For example, from 2001 to 2005, about 0.111% of the adult population suffered medical insurance account misuse (defined as the use of personal information to obtain or receive payment for medical treatment, services or goods), and only 0.0148% of the adult population had their personal data used to create a new medical insurance policy.'7 Further, it does not appear that consent or breach-notification requirements significantly reduce the tangible harms caused by the privacy violations that do occur. Rather, most benefits from medical privacy regulations likely accrue in the utility that patients derive from the fact that they have dominion over their personal medical information. This likelihood strongly suggests that policy makers need to develop a clearer understanding of patients' underlying preferences for medical privacy before expanding regulatory burdens, as they ought to be wary of adopting costly regulations that may promise modest tangible benefits. In light of the existing data on consumer preferences for privacy, we propose a modified federal Privacy Rule that maintains the exception to consent for medical treatment, but also allows privacy-sensitive patients to sequester their records from interoperable HIT systems altogether. We also suggest that breach notification triggers should be related to actual risk of harm and that a focus on data security may be a more efficient substitute for both consent and breach notification requirements. We also focus on the costs associated with varying state regulation of medical privacy. Although we do not advocate any particular legislative response to the costs of state regulation, we explain how the express preemption of state health information privacy and data security provisions could be an efficient response to the costs of those provisions. In addition, although the implied preemption arguments advanced by the petitioners (and rejected by the U.S. Supreme Court) in another health 17. See SYNOVATE, 2006 IDENTITY THEFT SURVEY REPORT 17, 19 (2007), http:H I/SynovateFinalReportlDTheft2006.pdf [hereinafter SYNOVATE 2006 REPORT]. These calculations are based on an estimate of 3.7% of the adult population being a victim of ID theft. Id. at II. Of the surveyed victims of ID theft, 3% suffered reported misuse of existing medical insurance accounts. Id. at 17. Also, 0.04% of surveyed ID theft victims reported that new medical insurance accounts were opened using the stolen information. Id. at 19. Thus, .03 * .037 = 0.00111 of the adult population suffered misuse of their existing medical insurance accounts and .004 * .037 = 0.000148 of the adult population suffered new medical insurance account fraud. care context, that of Wyeth v. Levine, '8 are precluded by statute in this one,' 9 policy arguments in favor of preemption in this area may enjoy certain advantages that, at least in the Court's view, were not available to the petitioners in Wyeth. Nothing in the following discussion should be read to assail the notion that some form of regulatory intervention is appropriate to safeguard the substantial consumer interests at stake in the area of health information privacy.2° But excessive regulation, or a poorly integrated patchwork of federal and state regulations, could impede innovations that would be beneficial to health care consumers, public health, and the fisc.2' Even well-intentioned regulations can be costly, and the research community only recently has begun to grapple with the broader costs-including the economic and health costs-of various means of safeguarding consumer privacy. Because substantial attention rightly is being paid to the consumer interests at stake in HIT privacy and data security, we focus here on the other side of the cost/benefit divide. This Article is unique because, in addition to its use of independent research, it draws heavily from information gathered at a 2008 Federal Trade Commission workshop that examined certain innovations in health care delivery (the Workshop).22 The Article proceeds as follows. Part II comprises several brief background sections: (a) summarizes certain general information about HIT development and adoption; (b) reviews certain costs and benefits associated with HIT; and (c) provides an overview of federal and state health information privacy and data security law. Part III returns to the question of benefits and barriers associated 18. Wyeth v. Levine, 129 S. Ct. 1187, 1193-94(2009). 19. Regulations promulgated under HIPAA with regard to "the privacy of individually identifiable health information shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation." Health Insurance Portability and Accountability Act of 1996 (HIPAA) § 264(c)(2), 110 Stat. 2033-34, 42 U.S.C. § 1320d-2 (2009). 20. See, e.g., United States v. Skodnek, 933 F. Supp. 1108 (D. Mass. 1996) (describing harms to consumers related to defendant psychiatrist who was fined and incarcerated following convictions for making false claims to the Medicare program, mail fraud, obstruction of justice, and witness intimidation); cf ALAN F. WESTIN, How THE PUBLIC VIEWS PRIVACY AND HEALTH RESEARCH 13-14 (2008), available at healthcarewrkshp/534908-00001.pdf (suggesting through nationwide survey data that 58% of respondents believe medical-record privacy is insufficiently protected). 21. See Amalia Miller, Professor, Dep't of Econ., Univ. of Va., Address at Federal Trade Commission Workshop on Innovations in Health Care Delivery 225-32, 251-52 (Apr. 24, 2008) (transcript available at http://www.ftc.govlbclhealthcarelhcdldocs/ hcdwksptranscript.pd). 22. The main web page for the April 24, 2008 FTC Workshop, Innovations in Health Care Delivery, with links to the Workshop agenda, a complete transcript of the Workshop itself, supporting materials, and public comments, is available at http:// .shtm. with HIT, providing a more focused discussion of network effects in HIT. Part IV examines consumers' demand for privacy generally and health information privacy specifically. Part V then analyzes the implicit tradeoffs between various types of privacy regulation and the adoption and application of HIT. Part VI considers the federal preemption of state regulation of health information privacy and data security as a feasible policy response to the costs of regulatory variation. I. TECHNICAL, MARKET, AND REGULATORY BACKGROUND A. The Development and Adoption of HIT As noted above, many areas of health care trail other sectors of the economy in their use of information technology. Recent years, however, have seen a proliferation of utilities, systems, hardware, and analytics, including electronic health records, personal health records, electronic prescribing, and the collection, analysis, and flow of increasingly rich types of health information. Generally speaking, HIT "refers to computer applications for the practice of medicine. 23 "Applications" in this context, encompass software and hardware applications and their outputs, as well as analytic, training, and other support services that might enhance the use of such applications. The Recovery Act stipulates that "'health information technology' means hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information. 24 Just as the Recovery Act thus defines HIT generally for certain of its own purposes, it is important to understand that HIT comprises myriad products and services, such as (a) electronic medical records-including patient records, clinical decision support, laboratory records, health plan records, records exchange systems, and personal health records, (b) clinical ancillaries and other kinds of clinical information systems, such as labs, radiology, and image management systems, (c) biomedical devices, including medical device data systems, (d) population HIT, including "not just public health reporting, which is moving to an electronic basis, but also registries such as disease registries, immunization registries, and . . . statistical analysis and reporting such as quality of process, quality of outcomes and health disparities 23. CONG. BUDGET OFFICE, supra note 10, at I. 24. American Recovery and Reinvestment Act of 2009 (Recovery Act), § 3000(5), 123 Stat. 115, 229 (2009). analysis that would count in the population health area of health IT," and (e) applications serving the administrative and financial sectors of medicine.2 Note, too, that there appears to be substantial variation in usage in broader discussions of HIT,26 and that definitions may continue to change in the course of HIT development. As a practical matter, this Article makes no attempt to force the larger HIT policy discussion-including published research-to conform to particular stipulated definitions of HIT applications. At the same time, certain extant definitions of central HIT applications provide a useful baseline. In 2008, the National Alliance for Health Information Technology offered the following definitions in a report to the ONC: " * " Electronic Medical Record [eMR]: An electronic record of health-related information on an individual that can be created, gathered, managed, and consulted by authorized clinicians and staff within one health care organization. Electronic Health Record [eHR]: An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one health care organization. Personal Health Record [PHR]: An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be drawn from multiple sources while being managed, shared, and controlled by the individual. 27 25. At the FTC Workshop, Mr. Ferguson provided roughly this overview of HIT applications, devices, and services. James Ferguson, Exec. Dir., Health I.T. Strategy & Policy, Kaiser Permanente, Address at Federal Trade Commission Workshop on Innovations in Health Care Delivery 135-36 (Apr. 24, 2008) (transcript available at healthcare/hcd/docs/hcdwksptranscript.pd f). 26. See, e.g., OFFICE FOR CIVIL RIGHTS, U.S. DEP'T OF HEALTH & HUMAN SERVS., PERSONAL HEALTH RECORDS AND THE HIPAA PRIVACY RULE I, http://www.hhs.govlocr/ privacy/hipaa/understanding/speciallhealthit/phrs.pdf (last visited Mar. 24, 2010) ("There is currently no universal definition of a [Personal Health Record], although several relatively similar definitions exist within the industry.") 27. NAT'L ALLIANCE FOR HEALTH INFO. TECH., DEFINING KEY HEALTH INFORMATION TECHNOLOGY TERMS 6 (2008), (use the search bar to locate the document and then follow the hyperlink). For the most part, the Recovery Act appears to have borrowed from these in its stipulated HIT definitions.28 Also important is electronic prescribing (eRx), which has been "defined by the eHealth Initiative as 'the use of computing devices to enter, modify, review, and output or communicate drug prescriptions.' ,,29 Again, many have argued that the growth of HIT is centrally important to improving quality and efficiency in health care. 0 Both the general promise of HIT and its demonstrated efficiencies in particular implementations have garnered substantial private and public commitment to HIT development and adoption. Large IT businesses are increasingly involved in HIT development;3 ' large employers have been interested in the potential benefits of HIT for their health care benefits programs; and prior to the Recovery Act's enactment, HHS and other federal agen28. For example, under the Recovery Act, an "electronic health record" (eHR) is "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff." Recovery Act § 13400(5). 29. Agency for Healthcare Research and Quality, Electronic Prescribing, http:I/ (follow the "Electronic Prescribing" hyperlink in the "Key Topics" box) (last visited Mar. 24, 2010). We stipulate the use of "eRx" as a convenient abbreviation for electronic prescribing for the purposes of this Article. 30. See, e.g., Hillestad et al., supra note 6, at 1103. 31. For example, the Workshop included a presentation on Microsoft's Health Vault, a platform supporting web-based PHRs and the development of various HIT applications that might interconnect with such PHRs. George Scriban, Senior Product Manager, HealthVault, Microsoft, Address at Federal Trade Commission Workshop on Innovations in Health Care Delivery 235-48 (Apr. 24, 2008) (transcript available at hcd/docs/hcdwksptranscript.pdf). Discussion also included the third-party PHR application Google Health, which, like Health Vault, provides individual health care consumers with webbased tools with which to populate their records. See Deven McGraw, Dir., Health Privacy Project, Ctr. of Democracy and Tech., Address at Federal Trade Commission Workshop on Innovations in Health Care Delivery 145 (Apr. 24, 2008) (transcript available at; see also Google Health, (last visited June 6, 2008). At the same time, part of what is striking about HIT development is the extent to which health care providers themselves have found it necessary to develop such proprietary HIT systems. At the Workshop, the Mayo Clinic's Dr. Wood remarked, "We found the need to develop [Mayo's applications] mostly on our own, because we have not found opportunities with partners who can develop them with us.'" Dr. Douglas Wood, Dept. of Med., Health Care Policy Research Group, Mayo Clinic, Address at Federal Trade Commission Workshop on Innovations in Health Care Delivery 169 (Apr. 24, 2008) (transcript available at hcdwksptranscript.pdf). Another panelist noted that Marshfield Clinic has developed its core HIT systems since implementing its first eMR module in 1985. Thomas Berg, Dir. & Special Projects Manager, Clinical Info. Servs., Marshfield Clinic, Address at Federal Trade Commission Workshop on Innovations in Health Care Delivery 200-01 (Apr. 24, 2008) (transcript available at http://www.ftc.govlbc/healthcare/hcd/docs/hcdwksptranscript.pdf). 32. For example, Dossia is a consortium of large employers, including AT&T, Applied Materials, BP America, Inc., Cardinal Health, Intel Corporation, Pitney Bowes, SanofiAventis, and Wal-Mart, who jointly developed and provide a PHR system for the voluntary use of their employees. A Dossia web site describing the consortium, its PHR, and its privacy policies is available at cies had devoted considerable resources to the development and promotion of HIT."3 Today, some large medical centers and health care systems are all but paperless, with systems at Marshfield Clinic, the Mayo Clinic, and Kaiser Permanente being described at some length at the FTC Workshop." For example, Marshfield Clinic-which comprises about 45 health care facilities in Wisconsin and has integrated eHRs for about 2 million patients-reported that all specialties in its various clinics use the same integrated eHRs and that all inputs into the eHRs by the roughly 1200 physicians affiliated with Marshfield are done electroni35 cally. At the same time, the adoption of HIT, interoperability of HIT systems, and integration of health information has in many places lagged behind expectations. 36 In fact, paper-based patient record systems still dominate in U.S. medical practice, especially in small practice settings.37 Only about four percent of U.S. physicians have access to a fullyfunctional eHR system, and only about thirteen percent have access to a 33. For example, although the ONC is established by statute under the Recovery Act, it initially was created to spearhead and integrate HIT initiatives in response to a 2004 executive order. 2004 Exec. Order, supra note 5. 34. Other systems, such as the Department of Veterans Affairs' (VA's) VistA system, also were discussed. See, e.g., Berg, supra note 31, at 199-201 (discussing the Marshfield Clinic); Ferguson, supra note 25, at 134-35 (discussing Kaiser-Permanente); Dr. Robert M. Kolodner, Nat'l Coordinator, Health Info. Tech., Dep't. of Health & Human Servs., Address at Federal Trade Commission Workshop on Innovations in Health Care Delivery 293 (April 24, 2008) (transcript available at hcdwksptranscript.pdf) (discussing the VA); Wood, supra note 31, at 169 (discussing the Mayo Clinic); see also, e.g., Gov'T ACCOUNTABILITY OFFICE, GAO-04-0224, INFORMATION TECHNOLOGY, BENEFITS REALIZED FOR SELECTED HEALTH CARE FUNCTIONS 36 (Oct. 2003) (regarding Kaiser-Permanente), available at http:// [hereinafter GAO 2003 REPORT]; Id. at 46-47 (regarding Mayo Clinic); Id. at 61-62 (regarding VA's VistA). 35. Berg, supra note 31, at 199-201. 36. "Despite the efforts of the National Committee on Vital and Health Statistics ... and other groups, progress in health IT in the United States has been too slow." Robert M. Kolodner et al., Health Information Technology: Strategic Initiatives, Real Progress, HEALTH AFF. w39 1, w391-w392 (2008), hlthaff.27.5.w391 v 1; see also CONG. BUDGET OFFICE, supra note 10, at 3 ("Despite the potential of health IT to increase efficiency and improve quality, though, very few providers as of 2006, about 12 percent of physicians and I I percent of hospitals have adopted it") . But cf Edward H. Shortliffe, Strategic Action in Health Information Technology: Why the Obvious Has Taken So Long, 24 HEALTH AFF. 1222, 1223 (2005) (examining slow growth in HIT "in context by assessing what has succeeded and what still remains to be realized, while asking what barriers exist that have prevented optimal progress to date"). 37. David Gans et al., Medical Groups' Adoption of Electronic Health Records and Information Systems, 24 HEALTH AFF. 1323, 1325-26 (2005). basic system. According to one recent paper, "only 1.5% of U.S. hospitals have a comprehensive electronic-records system (i.e., present in all clinical units), and an additional 7.6% have a basic system (i.e., present in at least one clinical unit). Computerized provider-order entry for medications has been implemented in only 17% of hospitals.!' Indeed, the most basic policy issue in HIT may be the relative pace of its development and adoption. That is, given the public and private benefits anticipated with HIT-many of which have been observed in particular institutional settings-how is it that HIT markets are not more developed?40 Why is HIT use not more common? B. PotentialBenefits and Costs of HIT 1. Benefits Broadly, HIT benefits flow from two sources: stand-alone and network efficiencies.4 Stand-alone efficiencies are those that accrue internally to an office, clinic, or hospital from its use of HIT, and may include reduced administrative and error costs. Network benefits are those that are realized across multiple health care service providers: when various parts of the health care system are able to communicate efficiently, each part enjoys increasing benefits as the scope of the network from which information may be drawn increases. In HIT such network benefits are likely to be more substantial than stand-alone benefits. 42 Most patients see multiple providers in a given year," and providers often rely on external entities to perform lab and radiology work." But, as the former National Coordinator for HIT has explained, A 7me to Keep Silent and a lime to Speak "[flragmentation ...results in errors, duplication, lack of coordination, and many other problems.*"' Although the flow of information should reduce fragmentation, the benefits of HIT on a national scale are very difficult to predict. As a CBO report has observed, "[n]o aspect of health IT entails as much uncertainty as the magnitude of its potential benefits.'"6 A well-cited RAND report estimates that "effective EMR implementation could eventually save more than $81 billion annually. '4 Others have been critical of the RAND estimates.48 The CBO, for example, has argued that the RAND study does not adequately distinguish between possible and likely benefits to HIT adoption, concluding that it is "not an appropriate guide to estimating the effects of legislative proposals aimed at boosting the use of health IT.' 49 Such disputes may be difficult to resolve in any precise way in the short run. In brief, possible HIT benefits may be substantial, highly variable according to particular implementations, and otherwise uncertain. At least locally, HIT has led to concrete qualitative improvements in health care services, according to process measures or outcome measures. One FTC Workshop panelist described, for example, a hospital system's adherence to the evidence-based process standard of ACE inhibitor prescription following myocardial infarction ("heart attack") upon discharge. In that case, implementation of evidence-based HIT clinical guidance at InterMountain Healthcare reportedly increased adherence to the standard from about 65% to about 95%-a process improvement-which reduced significantly the readmission rate-an 45. Brailer, supra note 42, at w5-19; see also Hoffman & Podgurski, supra note II, at 113 (stating that when doctors do not communicate and coordinate a patient's care "any one of them may miss vital information that is critical to the individual's welfare"). 46. CONG. BUDGET OFFICE, supra note 10, at 6. 47. Hillestad et al., supra note 6, at 1103. 48. CONG. BUDGET OFFICE, supra note 10, at 8-9 (claiming RAND overestimates probable benefits of HIT); but cf David U. Himmelstein & Steffie Woolhandler, Hope And Hype: Predicting The Impact Of Electronic Medical Records, 24 HEALTH AFF. 1121, 1122 (2005) (arguing that the RAND analysis is a form of "hype" that "reveals a disturbing array of unproven assumptions, wishful thinking, and special effects"). We note that the RAND report's estimate is not generated by precisely the same problem as the CBO's critique of that estimate. Briefly, the RAND report addresses possible benefits of large-scale eMR adoption. Although the authors provide reasons to think that their estimate represents neither a "best case" nor a "worst case" scenario, they recognize that "the currently useful evidence is not robust enough to make strong predictions." Hillestad et al., supra note 6, at 1104-05. The CBO Report offers very useful analysis, but it does not offer any particular cost-benefit analysis attached to any particular legislative proposal, and like the RAND report, itdoes not appear to approach a comprehensive assessment of possible benefits (or costs) to HIT adoption. 49. CONG. BUDGET OFFICE, supra note 10, at 4. outcome improvement." That is consistent with survey data suggesting that physicians who employ eHRs report greater avoidance of costly medical errors, including, "having averted a known drug allergic reaction (80%) or a potentially dangerous drug interaction (71%), being alerted to a critical laboratory value (90%), ordering a critical laboratory test (68%) and providing preventive care (69%). A 2003 General Accounting Office (GAO) Report, based on data from ten private and public health care delivery organizations, three insurers, and one community data network, described substantial efficiency gains in both administrative function and delivery of care across settings.12 For example, Mayo Clinic, a 1,951-bed teaching hospital, achieved annual savings of about $8.6 million by replacing paper medical charts with electronic medical records for outpatients, $2.85 million by replacing manual medical record handling processes with electronic access to lab results and reports, $ 2.9 million by automating correspondence, and $7 million by reducing un-billable tests and billing patients directly. 3 Single-site studies have also been promising. For example, a study of the effects of eRx at Brigham and Women's Hospital indicated "large differences ... for all main types of medication errors: dgoiesse!.'errors, frequency errors, route errors, substitution errors, and aller50. Dr. Mark Dente, Vice President, Health Care Solutions & Integrated IT Solutions, GE Health Care, Address at Federal Trade Commission Workshop on Innovations in Health Care Delivery 277 (Apr. 24, 2008) (transcript available at hcd/docs/hcdwksptranscript.pdf) (describing HIT benefits at InterMountain Healthcare, a network of hospitals and clinics in Utah). Dr. Dente also described improvements in ventilator management with the implementation of evidence-based systems at InterMountain. In that case, he reported both significant improvement in the survival rate and a significant savings, approximately $120,000 per case, due to the implementation of HIT-based clinical support. Id. at 276-77. 51. DesRoches et al., supra note 38, at 54 (reporting on "fully functional" eHRs, although those with more basic systems reported "the same effects but less commonly"). 52. See generally, GAO 2003 REPORT, supra note 34. 53. Id. at 46, 48. 54. David W. Bates et al., The Impact of Computerized Physician OrderEntry on Medication Error Prevention, 6 J. AM. MED. INFORMATIcs ASS'N. 313, 313 (1999); see also, e.g., Hagop S. Mekhjian et al., Immediate Benefits Realized Following Implementation of Physician Order Entry at an Academic Medical Center, 9 J. AM. MED. INFORMATICS Ass'N. 529, 529, 539 (2002) (reporting that the joint introduction of computerized physician order entries (CPOEs) and eMR systems at Ohio State University Health System improved patient care by, for example, reducing tum-around times and eliminating all nursing and physician transcription errors); Kirsten Colpaert et al., Impact of Computerized Physician Order Entry on Medication Prescription Errors in the Intensive Care Unit: A Controlled Cross-Sectional Trial, 10 CRITICAL CARE R21 (2006), availableat http:l/ (reporting that HIT implementation in the ICU resulted in significant decreases in the occurrence and severity of medication errors). A ime to Keep Silent and a 7me to Speak At the same time, it is not clear from either the GAO Report or other studies that the reported efficiency gains represent net gains for the adopters. Also, although single-site studies demonstrating gains in clinical quality at academic medical centers are promising, results have been somewhat mixed, and there have been relatively few studies measuring qualitative gains using longitudinal national data. One recent study employing national data observes that EMRs "have a clear and statistically significant effect on patient safety," as they are associated with fewer infections attributable to medical care in hospitals, but that the observed effect is limited to one of the study's quality measures and, while "promising," is "small."5 In addition, the promise of any gains may be at risk, as there have been significant problems with particular HIT implementations.-56 Electronic prescribing illustrates both the potential benefits of HIT and the extent to which such benefits are uncertain prior to implementation. As noted above, eRx has long been considered an important and tractable area for HIT development and adoption. Preventable medication errors are numerous. The oft-cited 2006 IOM Report, PREVENTING MEDICATION ERRORS, for example, estimated that "at least 1.5 million preventable ADEs [adverse drug events] occur each year in the United States."'7 These errors inevitably impose medical costs, which, in turn, may impose substantial expense on private and public payers.18 The IOM Report suggested that eRx holds special promise for error avoidance,59 and there are good reasons to agree. First, many errors 55. Stephen T. Parente & Jeffrey S.McCullough, Health Information Technology and PatientSafety: Evidencefrom PanelData, 28 HEALTH AFF. 357, 358 (2009). 56. See, e.g., Yong Y. Han et al., Unexpected IncreasedMortality After tmplementation of a CommerciallySold Computerized Physician Order Entry System, 116 PEDIATRICS 1506, 1506 (2005) (reporting an unexpected increase in mortality rates among children who were referred and admitted to the hospital after eRx implementation); Ross Koppel et al., Role of ComputerizedPhysician OrderEntry Systems in FacilitatingMedical Errors,293 J.AM. MED. ASS'N. 1197, 1198 (2005) (documenting errors associated with implementation of a widelyused, commercially-available computerized provider order entry system); Ceci Connolly, Cedars-SinaiDoctors Cling to Pen and Paper,WASH. POST, Mar. 21, 2005, at AOl (describing an unsuccessful attempt to implement a hospital-level electronic health record system and reporting that up to 30% of such implementations fail). 57. INST. OF MED., supra note 7, at 5. 58. Id. at 5, 132. That cost estimate excludes both errors of omission (cases where medication ought to have been prescribed and administered, but was not) and the larger economic costs-such as missed work days-imposed by preventable ADEs. The report noted that there are large gaps in our understanding of the costs of medication errors. Id. at 58. Nevertheless, the report also suggested that, for example, in-hospital adverse drug events alone might conservatively be estimated to cost $ 3.5 billion per year, in 2006 dollars. Id. at 132. 59. Id. at 229 ("By 2008, all prescribers should have plans in place to implement electronic prescribing.") ; see also Gilad J. Kuperman et al., Medication-RelatedClinical Decision Support in Computerized Provider Order Entry Systems: A Review, 14 J. AM. MED. appear to be caused by basic coding or information processing failures that should be amenable to automated control.' In addition, adverse events due to faulty drug or dose identity checking, failures in drug knowledge, and limited patient knowledge (i.e., patient history, current and recent medications, etc.), 61 should be reduced by eRx supported by adverse drug events62 and direct financial costs. 63 eMRs and computerized drug information. In particular institutional settings, eRx has been associated with substantial reductions in preventable On the other hand, there have been significant problems with particular implementations of eRx systems." For example, although eRx implementation at the Children's Hospital of Pittsburgh appeared to reduce adverse drug events significantly during a nine-month study period,6 a subsequent study of mortality rates among children who were referred and admitted to the hospital showed an unexpected increase in mortality after implementation.i Such problems seem to arise in transition to an eRx system, with incomplete or fragmented eRx systems, or with poor integration between training and practice standards on the one hand and the HIT systems on the other. Those are not necessarily longterm, much less intractable, problems. Still, they suggest the potential for large transition costs in eRx adoption and may raise questions about the INFORMATICS Ass'N. 29, 29 (2007) (reviewing literature and concluding that "CPOE ...with clinical decision support ... can improve patient safety and lower medication-related costs"). 60. INST. OF MED., supra note 7, at 121-22 (errors include transcription errors, ordertracking errors, and inter-service communication errors). 61. Id. 62. See, e.g., David W. Bates et al.s,upra note 54, at 313; Hagop S.Mekhjian et al., supra note 54, at 529, 539; Kirsten Colpaert et al., supra note 54. 63. See, e.g., W.M. Tierney et al., Physician Inpatient Order Writing on Microcomputer Workstations: Effects on Resource Utilization, 269 J. AM. MED. Ass'N. 379, 379 (1993) (concluding that a network of microcomputer workstations for writing all inpatient orders significantly lowered patient charges and hospital costs); cf David W. Bates et al., The Costs of Adverse Drug Events in Hospitalized Patients, 277 J. AM. MED. ASS'N. 307, 307 (1997) (discussing substantial costs of ADEs and preventable ADEs). 64. See, e.g., Ceci Connolly, supra note 56, at A01 (describing an unsuccessful attempt to implement a hospital-level electronic health record system and reporting that up to 30% of such implementations fail). 65. Jeffrey S. Upperman et al., The Impact of Hospitalwide Computerized Physician Order Entry on Medical Errors in a Pediatric Hospital, 40 J.PEDIATRIC SURGERY 57, 57 (2005). 66. Han, supra note 56, at 1506; see also, e.g., Koppel, supra note 56, at 1198 (claiming that the implementation of a widely-used and commercially-available CPOE system in an urban tertiary-care teaching hospital was associated with numerous categories of errors). 67. The JAMA-published study noted, for example, that medication errors were exacerbated in the system under study by the fact that patient medication records were shown in small fonts, across a large number of screens (up to 20), where patient names did not appear on all screens, as well as by "hectic" workstations and "common" crashes of the CPOE system. See id. at 1200-01. extent to which efficie.nc6y1 gains realized in particular institutional settings can be generalized. 2. Costs One of the most obvious impediments to the adoption of HIT is its substantial cost. As discussed in the previous section, acquisition and implementation of HIT systems are costly, operating and maintenance costs are ongoing, and HIT investments may be regarded as at-risk. Regulatory costs, uncertainty, "cultural" aversions to HIT, and concerns about liability exposure also are likely to slow adoption. And yet, as one FTC Workshop panelist succinctly stated with respect to HIT investments, "there is no billing code for it'.69 HIT adoption costs are varied and substantial. The CBO has noted that adoption costs include: (1) the initial fixed cost of the hardware, software, and technical assistance necessary to install the system, (2) licensing fees, (3) the expense of maintaining the system, and (4) the "opportunity cost" of the time that health care providers could have spent seeing patients but instead must devote to learning how to use the new system and how to adjust their work practices accordingly. 0 Although the data is limited, and there is some evidence HIT system prices are falling, recent studies suggest that, (a) physicians' offices may be expected to pay initial costs of $25,000-$45,000 to acquire an officebased HIT system;7 (b) annual operating costs are 12-20% of initial cost; 72 (c) implementation costs for hospitals range from $3 million for 68. See Salomeh Keyhani et al., Electronic Health Records and the Quality of Care, 46 MED. CARE 1267 (2008). In this study, the authors conducted cross-sectional analyses of national data gathered in ambulatory care settings, including physician offices. Examining blood pressure control in particular, the authors generally failed to find a relationship between eHR adoption and the examined quality of care measures, and concluded that "[ilt is doubtful that presence of an EHR alone can improve the quality of care." Id. at 1270; see also Jeffrey A. Linder, et al., Electronic Health Record Use and the Quality ofAmbulatory Care in the United States, 167 ARCHIVES OF INTERNAL MED. 1400, 1400 (2007) (failing to find quality improvements, on most measures, associated with eHRs as implemented in ambulatory care settings). But cf DesRoches et al., supra note 38, at 50 (discussing quality improvements reported by ambulatory care providers). 69. Ferguson, supra note 25, at 195. There have long been concerns about misaligned payment incentives in health care markets associated with third-party payment and regulation. See, e.g., F.T.C. & DEP'T OF JUSTICE, IMPROVING HEALTH CARE: A DOSE OF COMPETITION, Exec. Summ. 5 (2004), available at http:l/ 040723healthcarerpt.pdf [hereinafter A DOSE OF COMPETITION]. For example, as the FTC/DOJ Report observes, "Government administered pricing by CMS inadvertently can distort market competition ....CMS never decided as a matter of policy to provide greater profits for cardiac surgery than many other types of service, but the [payment system] ... tends to do so." Id. at Exec. Summ. 16. 70. CONG. BUDGET OFFICE, supra note 10, at 17. 71. Id. 72. Id. smaller hospitals to $7.9 million for large hospitals;" and (d) average hospital operating costs are about 19% of one-time costs, or $2,700 per bed] 4 CBO and others also have observed substantial operating costs 75 associated with HIT. It appears that cost structures co-vary with rates of HIT adoption by type and size of practice setting. For example, "[l]arge hospitals (200 beds or more) have three to four times greater adoption rates than those of smaller hospitals (fewer than 50 beds),, 76 which may be due, in part, to the ability of larger facilities to "take advantage of economies of scale by spreading the fixed costs of health IT over a larger base. 7 7 Academic medical centers also have relatively high adoption rates, 8 perhaps because certain HIT costs may be shared with (and are especially valuable to) research and teaching functions of the hospitals. 79 Adoption rates also vary according to practice size in group practice settings, with small practice groups (5 full-time physicians or fewer) having the lowest rate of eHR adoption and the highest percentage of paper medical records. ° Large medical centers also have expressed concerns about costs resulting from the interruption or restructuring of work flow.8 ' The integrated HIT system implemented at the Mayo Clinic may be considered a success in many ways. At the same time, Mayo acknowledges that its eMR has "had its share of problems because it didn't really match the physician workflow."82 In some ways, such costs are among the various "cultural" barriers to HIT adoption, which have to do with providers' and patients' comfort levels with HIT. For example, HIT may influence the way health care professionals collaborate and interact, in addition to the way they keep and consult records and reference ou•tside- so u84rces;83 it may also influence the nature of patient/provider interactions. As one FTC Workshop panelist explained, in many smaller practices, providers may be especially likely to face the question "how ready and willing am Ito change the things that I do every single day"? 8' Patients also may be wary of the ability of HIT systems to protect their sensitive information. For example, survey data suggests that a large proportion of consumers have concerns about the adequacy of extant privacy protections for their medical records and about the risks that may be presented by inadequate privacy protections.6 Consumer apprehension about HIT can affect adoption rates of consumer-oriented HIT products, such as PHRs. It also may reduce demand-side pressures for providers to adopt HIT.87 The economic benefits of HIT adoption are thus uncertain, and HIT investments generally have been regarded as at-risk investments, potential benefits notwithstanding. Uncertainty reduces the present value of future HIT benefits, and thus private incentives for providers to adopt HIT. As noted above, implementation may be difficult and clinical improvements may be uncertain. Expected benefits are likely to be a positive function of one system's ability to communicate with others, but providers may be unsure whether a system they adopt today will prove to 83. See, e.g., Ferguson, supra note 25, at 138-39. 84. Id. 85. Carr, supra note 81, at 154; see also Gans et al., supra note 37, at 1325-26. 86. See, e.g., McGraw, supra note 31, at 142 ("[Tlhe survey data is also very clear that people have significant concerns about the privacy of their medical records, particularly in electronic form."); see also Wood, supra note 31, at 184 (regarding Mayo Clinic surveys of patient privacy concerns); Joy Pritts, Dir. for the Center of Med. Record Rights and Privacy, Health Policy Inst., Georgetown Univ., Address at Federal Trade Commission Workshop on Innovations in Health Care Delivery 287-88 (Apr. 24, 2008) (transcript available at; WESTIN, supra note 20,at 15 (providing nationwide survey data that suggests 58% believe medical record privacy is insufficiently protected); MARKLE FOUND., AMERICANS OVERWHELMINGLY BELIEVE ELECTRONIC PERSONAL HEALTH RECORDS COULD IMPROVE THEIR HEALTH (2008), available at; CAL. HEALTHCARE FOUND., THE STATE OF HEALTH INFORMATION TECHNOLOGY IN CALIFORNIA: CONSUMER PERSPECTIVE 2 (2008), available at http://www.chcf.orgldocuments/chronicdisease/ HITConsumerSnapshot08.pdf (stating that a survey of California health care consumers shows "most consumers in California are wary about using health information technology (HIT), such as personal health records (PHRs)" although many consumers are interested in HIT and use the Internet for health information); NATIONWIDE SUMM., supra note 13, at 6-36. 87. McGraw, supra note 31, at 195 ("But the improvements in health care quality and the cost reductions ... that are there as potentials, are going to drive the other actors in the system, consumers and purchasers ... to actually be on the demand side [of HIT adoption]."); Cf. Ferguson, supra note 25, at 138-39 (discussing popularity, among Kaiser consumers, of secure online communications with providers, online appointment scheduling, online lab results, and online Rx refills). [M]any providers and other covered entities require patient permission to disclose personal health information for treatment, payment, and health care operations to satisfy professional ethical requirements or for risk management .... ... required patient permission for treatment purposes, even if federal or state laws did not require such permission .. . Although variation in the requirement for and content of patient permission to disclose is due largely to state law and organizational practices, "HIPAA" is often cited as the basis for requiring patients' permission for treatment."' When relevant state and federal privacy regulations are not clear, parties may over-comply to avoid liability."" For example, ambiguous state law provisions regarding the circumstances that trigger breach notification requirements can lead to over-notification. '8 Further, unclear consent (or documentation of consent) requirements have led to subsStan28-9 tial variation in the form and content of authorization across providers. That variation, in turn, has made some providers unwilling to accept consent obtained by others.2' ° Vagueness in "minimum necessary" disclosure requirements under the Privacy Rule also seems to have had a chilling effect on electronic information exchange. T9 For example, because it often is technically impossible to segregate data fields in eHRs, many hospitals allow third-party payers to have access only to paper records.292 Note that Miller finds a one-time increase in HIT adoption associated with HHS' adoption of the HIPAA Privacy Rule.29' That is 286. NATIONWIDE SUMM., supra note 13, at 6-11. See also Dimitropoulos & Rizk, supra note 14, at 429 (discussing how broad variation exists in the "need for.., and the actual process of obtaining appropriate patient consent" in the context of identifying gaps and conflicts among state laws). 287. See STEVEN SHAVELL, FOUNDATIONS OF ECONOMIC ANALYSIS OF LAW 224-29 (2004). Of course, the countervailing consideration for breach notification is that breach notification appears to lead to a lot of customer churn. The size of this consideration may militate toward erring on the side of not sending notification. 288. See GAO 2007 REPORT, supra note 213, at 35. 289. See NATIONWIDE SUMM., supra note 13, at 6-3 (explaining that laws that are "silent with respect to certain aspects health information exchange" can lead to varied customs, which can hinder HIT). 290. Id. at 6-8 ("The lack of a standard permission form, even within a state, results in different health care entities' developing their own permission form requirements and refusing to honor permissions obtained by other entities, thereby interfering with the legitimate flow of information."). 291. The Privacy Rule requires that "a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." 45 C.F.R. § 164.502(b)(1) (2010). 292. NATIONWIDE SUMM., supra note 13, at 6-16. 293. Miller, supra note 21, at 252. interesting but not paradoxical. Certainly, the promulgation of the federal Privacy Rule did not reduce the regulatory obligations of health care providers. At the same time, for some providers, it may have lowered the lpeegracleiuvnecderctoasinttoyf aHnIdTexapdoosputiroentoprleiacbisieliltyy.2b94ecause it decreased providers' III. STRIKING THE BALANCE Although consumers demand privacy, it is not free. Privacy requirements can have positive effects on HIT adoption by helping to assuage consumers' concerns that their sensitive health information is secure, but beyond some threshold, it is important for policy makers to recognize that tradeoffs between privacy protection and HIT development, adoption, and use are likely inevitable. As one commenter has put it, the debate over privacy in health care should focus on "how much [privacy] we want to afford, which in turn is linked to thinking more carefully about losses from its breach."2'9 Certain forms of privacy regulation appear to impose relatively large costs on eMR use while conferring relatively little in the way of tangible countervailing benefits. Of course, some may object to such balancing.296 For example, Solove suggests that individual rights typically give way when pitted against the "common good."297 That may be a legitimate matter of more general concern, but it does not answer critical policy and legal questions, such as the level of resources that ought to be devoted to safeguarding particular rights, or the manner in which provisions protecting countervailing interests or rights ought to be balanced. One might take the position that fundamental rights-or their exercise or protection-are never in tension, but as we have discussed, that is entirely dubious in the instant case as it is more generally. Although exploration of such matters from a policy, legal, or ethical point of view would take us well beyond the scope of this Article, we should note that, as a general matter, our Constitutional framework balances fundamental 294. Id. (noting that some have theorized that this was because "HIPAA promoted some adoption of EMR by making HIPAA compliance easier to demonstrate with an electronic record than with a paper record"). 295. Mike Koetting, Comments on Privacy and Medicine, 30 J. LEGAL STUD. 703, 707 (2001). 296. See Terry & Francis, supra note 1I,at 699 ("This instrumental approach becomes dangerous when applied to institutional or industrial models of care. In such models, the notion too easily falls prey to arguments that see the generation, dispersal, and processing of longitudinal patient health information primarily as a necessity to reduce overall healthcare costs and to minimize medical error."). 297. Solove, supra note 207, at 761 ("Society will generally win when its interest are balanced against those of the individual."). A lime to Keep Silent and a Time to Speak rights, interests, privileges, and powers in no small part because it must. Even core civil liberties are not regarded as absolute. For example, under the First Amendment, content-based regulation of speech is presumptively invalid, but certain categories of speech--e.g., obscenity29-are subject to no protection and others-e.g., commercial speech 2 ---may be subject to substantial protection, but less than that afforded political, scientific, literary, or artistic speech. Generally, content-neutral regulation of speech is subject to intermediate scrutiny and certain species of restrictions generally are permissible. As the Court has said, "[o]ur cases make clear ... that even in a public forum the government may impose reasonable restrictions on the time, place, or manner of protected speech .... ,00 More generally, "[tlhe First and Fourteenth Amendments have never been treated as absolutes."' 0' Speech rights and privacy rights have been variously connected. "The unwilling listener's interest in avoiding unwanted communication an aspect of the broader 'right to be let alone' that one of our wisest Justices characterized as 'the most comprehensive of rights and the right most valued ....,,30B'ut that right, too, is subject to variable protection, afforded special protection "in the privacy of the home, 3 °' but lesser protection elsewhere. Similarly, the Supreme Court has on several occasions grappled with the tension between First Amendment guarantees to the press to publicize facts and the rights of citizens to keep certain facts private.3 5 These cases have called on the Court to rule on "a conflict between interests of the highest order-on the one hand, the interest in the full and free dissemination of information concerning public issues, and, on the other hand, the interest in individual privacy and, more specifically, in fostering free speech."3°0 Of course, in a utilitarian calculus, to the extent that most individuals highly value a given "right" or interest, their collective valuation may trump other interests. 7 Hence, citizens may willingly agree ex ante to limit the circumstance under which the common good may trump an individual right. That is one route to constitutionalism (and in some sense to the rule of law), and it is not unrelated to the distinction between actbased and rule-based approaches to utilitarianism. But generally, the question whether to balance competing interests does not depend on a commitment to utilitarianism or any other form of consequentialism. It also does not require the repudiation of a rights-based approach to privacy or anything else. 0 8 Returning to our concrete policy concern, when designing laws to protect consumers' sensitive health information, there are two paramount questions. To what extent do those privacy laws reduce consumer harm? And, what benefits from HIT do those privacy protections impede? In answering the first question, it is important to note as a threshold matter that the baseline level of harm from PHI breach appears small. Further, the nexus between some privacy laws applied to HIT and harms from loss of privacy is tenuous. For example, it is unclear how state privacy laws that have stringent consent requirements reduce the risk of identity fraud; there is probably little connection between consent and avoidance of identity fraud within a treatment episode. Additionally, breach notification laws do not appear to reduce the incidence of identity fraud, and although the relationship between breach and risk of identity fraud may be direct, the available data suggest that it is very slight. Indeed, the broader class of breach notification requirements does not appear to pass a cost-benefit test. The average direct cost to responding to a breach (which almost surely is passed on to consumers) is $50,3o9 but the upper bound on the median expected cost from new account fraud (the most expensive type) in the event of a breach is $1.13."0 Indeed, 306. Bartnicki, 532 U.S. at 518. 307. See Solove, supra note 297, at 761. 308. See, e.g., H.L.A. Hart, Are There Any Natural Rights?, 64 PHIL. REV. 175, 176 (1955) ("[A]lthough ... all men are equally entitled to be free in the sense explained, no man has an absolute or unconditional right to do or not to do any particular thing or to be treated in any particular way; coercion or restraint of action may be justified in special conditions consistently with the general principle."); cf Alan Gewirth, Are There Any Absolute Rights?, 31 PHIL. Q. 1 (1981) (distinguishing "absolute rights" from those that may be "overridden:' or justifiably infringed). 309. See PONEMON INST., FOURTH ANNUAL US COST OF DATA BREACH STUDY 3 (2009). 310. This figure is calculated as follows: The Synovate 2006 study reports a median loss for new accounts and other frauds of $40 and 10 hours. Using the average hourly wage rate even for victims in the 90 h percentile of harm, the expected financial loss is only $24. Thus, extant breach notification requirements generally do not appear to be a good deal for consumers. None of the preceding discussion should suggest that consumers derive no benefit from privacy regulations or that concerns about the privacy of health information are unfounded or unimportant. As discussed already, many patients clearly place an intrinsic value on privacy; hence, regulations may provide benefits beyond those easily measured. Moreover, society may wish to subsidize the diminution of certain extreme harms." ' On the other hand, data available from behavioral experiments suggest that consumers are willing to supply private information for relatively small amounts of money or enhanced convenience shopping online.' 2 Further, several studies have found a mismatch between ex ante consumer responses to general questions regarding their desire for privacy protection and the actual tradeoffs they are willing to make when faced with immediate choices."' Although these studies were experimental in nature and generally involved personal information that may be seen as less sensitive than PHI, they again suggest that patients may be more willing to forego certain privacy protections in return for better and/or cheaper health care than survey data suggest, especially if the sacrificed protections are of limited efficacy in preventing tangible harms. And at least for some patients, at least some of the time, an interest in optimizing information flow may be critical. With respect to the second question-the costs of privacy requirements-empirical evidence suggests that HIT adoption rates are lower in states with stringent consent requirements. Adoption rates in these states are lower because the regulations suppress network effects associated with HIT adoption.' 4 Further, states with lower levels of HIT adoption appear to have higher infant mortality rates, even after controlling for possibly confounding variables.' 5 To the extent that the IOM is right from April 2009 of $18.50, this results in median costs from the most expensive type of identity fraud of $225. Data from IDAnalytics puts a range of the probability of a breached file being used in an incidence of identity fraud between 0.0001 and 0.005. 311. See, e.g., RICHARD A. POSNER, ECONOMIC ANALYSIS OF LAW 383-84 (6th ed. 2003) (arguing for direct regulation where injury may be very large or--on related but distinct grounds-where injuries are fatal). 312. See sources cited supra note 208. 313. Id. 314. See Miller & Tucker, supra note 12. 315. See Amalia R. Miller & Catherine Tucker, Can Healthcare IT Save Babies? (SSRN Working Paper Series, 2008), available at http://papers.ssm.consol3/papers.cfm?abstractid=l 080262#PaperDownload (describing effects of state law privacy regimes on infant mortality). Specifically, their research suggests that certain HIT adoption reduces infant mortality by about one percent, with gains that "are twice as large for reducing African American deaths about the potential for ameliorating serious adverse events due to medication errors by adopting appropriate HIT, we must note again that millions of such adverse events are on the table.' 6 Thus, by impeding the flow of health information between providers, stringent consent requirements may impose real human costs beyond their financial costs. Consent requirements also impose direct transaction costs on consumers and providers. Breach notification requirements impose expenses on firms that can impede adoption of HIT by health care entities, and may hinder entry by potential PHR providers. In this manner, these laws can lead to higher prices and reduced consumer choice. Although consent and breach notification requirements appear likely to retard HIT adoption, the benefits they provide appear primarily to be non-tangible; both types of requirements allow consumers to exercise some dominion over their health information by providing them a veto over who sees it in the ordinary course of business and notifying them when unauthorized access occurs. That suggests that policy makers need to develop a clearer understanding of consumers' underlying preferences for privacy and how these preferences vary throughout the populationand perhaps across treatment contexts-before undertaking costly regulations that appear to provide very modest tangible benefits."' Further, theoretical commitments about the foundations of privacy rights, or the nature of privacy interests, cross-cut questions about the ideal scope of privacy protections, the resources that ought to be devoted to privacy protections, or how best to tailor privacy protections to minimize harm to other important interests. Autonomy-based privacy rights principles may suggest a property rights regime under which medical information belongs to patients, with providers enjoined from sharing PHI with third parties without consent, but we should be wary of conclusory suggestions that the precise metes and bounds of such rights would be obvious. We suggest that until there is better information on the distribution of privacy preferences, policy makers should exercise special caution when considering new or extant consent and breach notification requirements. In light of the current state of knowledge of patients' privacy preferences, we offer regulatory reform proposals for consent, breach notification, and data security requirements. We make these suggestions mindful that the federal government is not the only player in this policy ...(as they are] for white deaths." Miller, supra note 21, at 233. It was predicted that eMR adoption, in that context, would cost roughly $450,000 per infant life saved. Id. at 234. 316. See supra notes 57-61 and accompanying text. 317. See Koetting, supra note 295, at 707 ("[Wie appear on the verge of incurring large expenses from limited health care funds and/or inhibiting appropriate access to medical information for solutions that have a low likelihood of solving the problems that are at the heart of people's concerns."). space. Indeed, the variation in state privacy regulations gives rise to the result that overly-stringent or inconsistent privacy laws can impede HIT adoption. Thus any approach inevitably has to grapple with the issue of federalism, which we leave for Part VI. One possible path forward for consent requirements would be to retain the Privacy Rule's carveout for treatment purposes, but also allow patients to opt out of HIT systems on a provider-by-provider basis. After a provider has joined an interoperable HIT network, it would give its patients the option to have their records sequestered from the shared system (both retroactively and prospectively). This approach to consent has at least three advantages. First, the Privacy Rule's treatment exception appears to be a good candidate for a majoritarian rule because it is unlikely that many consumers would object to providers sharing their medical information to enable treatment. 318 Survey evidence suggests that most patients are comfortable with the current treatment of medical records by their health care providers, 3'9 and although they have concerns about the privacy implications of HIT, they believe that the benefits from HIT outweigh the privacy risks.320 More generally, since the early 1990s, a majority of consumers have described themselves as either "privacy unconcerned" or "privacy pragmatists," who are willing to permit the use of their personal information in return for a benefit and sufficient safeguards. 3'2I Only around a quarter of the population can be described as "privacy fundamentalist," who feel that their privacy rights are not being handled correctly, desire only an opt-in rule, and are unwilling to trade 318. See Terry & Francis, supra note II, at 703 (arguing that consentless information flows be limited to providers within a patient's "circle of care,' which includes "practitioners that are immediately and directly involved in the care of the patient-and on an as-needed basis with another member of a patient's medical team"); Sunstein, supra note 200, at 712 (arguing that the presumption in favor of patient control over private information should be rebutted when disclosure is to other doctors on a patient's "medical team" because "if this is necessary for good treatment, the patient has no reasonable basis for complaint"). 319. See Harris Poll, supra note 195 (showing 70% of patients surveyed agree that they are satisfied with the way that doctors and hospitals treat their personal health information, and 63% agree that the increased use of computers to record and share patient medical records can be accomplished without jeopardizing proper patient privacy rights). 320. See Beckey Bright, Benefits of Electronic Health Records Seen as Outweighing Privacy Risks, WALL ST. J., Nov. 29, 2007, available at SB I119565244262500549.html (reporting results from aWall Street Journal Online/Harris poll that finds although 51% (down from 61% in 2006) of those surveyed believe that the use of electronic medical records makes it more difficult to ensure patient privacy, 60% (and 72% of those that currently use electronic medical records) agree that the benefits of electronic medical records outweigh the privacy risks). 321. See Beales & Muris, supra note 16, at 118 (noting that the majority of consumers are privacy pragmatists who are "willing to provide information in exchange for benefits"); Westin, Opinion Surveys, supra note 208 (noting that since the early 1990s consumers have split into three groups: Privacy Fundamentalists (25%); Privacy Pragmatists (63%), and Privacy Unconcerned (12%)). privacy protections for benefits 2 2 These data suggest that most patients are satisfied with the status quo and are willing to allow providers to share their health information in return for benefits. Second, maintenance of the Privacy Rule would allow high and lowdemanders for privacy to self-select into different regulatory regimes rather than force patients to pool into a regime that provides either inefficiently high or low levels of privacy. Because those who opt out would internalize the costs of their decisions, in terms of lost HIT benefits, they would do so only if they value their privacy more highly than those benefits.1 23 The remainder of the population, who are willing to accept the Privacy Rule's requirements, will also enjoy the full benefits of HIT, whatever they prove to be. Although the choice of default position is irrelevant in a world without transaction costs, 2' in the real world an opt-in default is likely to be more efficient than an opt-out default. As noted above, it is likely that the majority of patients would choose to participate in HIT networks under the status quo. An opt-in default would economize on aggregate transaction costs by requiring fewer people to make a decision. Further, it may be costly to make an opt-in/optout decision and the opt-in default is likely to cause less harm.326 Third, by eliminating consent for individual information requests for treatment purposes, this approach would not affect the marginal cost of the flow of information.327 It is important to note, however, that this result is only obtained if opt-out occurs at the provider level. If the general regime were to allow privacy-sensitive patients to require their providers to obtain and document consent for each discrete instance of information 322. See id.; Harris Poll, supra note 195, at I ("[A]bout 25 percent of the public consistently feels that their legitimate privacy rights are not being handled properly by business, employer, or government organizations."). 323. Indeed, the opt-out choice would not necessarily be so stark, as it would provide high-demanders for privacy two sorts of choices: they could opt out of HIT systems generally, internalizing the costs implicit in opt-out decisions, but they could also choose ad hoc use of HIT systems in particular contexts in which private assurances or protections more closely matched their preferences (for example, in a particular practice setting, or with a utility, where special protections substantially exceeded those given publicly). 324. For example, these opt-out patients would not enjoy monetary and non-monetary benefits from enhanced communication among health care providers to coordinate care. See Terry & Francis, supra note II, at 701-02. They would, of course, enjoy some, as public health or various benefits accruing to the public fisc would be at least partly available to the larger population, although we should acknowledge that, at the margin, these may be diminished according to the number of opt-outs. 325. R.H. Coase, The Problem of Social Cost, 3 J.L. & EcoN. 1,15 (1960). 326. See Beales & Muris, supra note 16, at 114-18 (discussing how, in the context of consumer financial information, the informational costs of exercising choice regarding whether to opt-in to or opt-out of an information-sharing regime can swamp expected benefits, such that the default position often becomes the status quo). 327. See Terry & Francis, supra note II, at 703. sharing (even for legitimate treatment or reimbursement purposes) or to demand other ad hoc mandates-say, to select certain records or parts of records from providers to be excluded from the HIT network-that would foist costs on those remaining in the system by suppressing network externalities, and thus HIT adoption rates.12' Further, it would reduce providers' willingness to rely on electronic records for treatment decisions to the extent that they have concerns about accuracy, which would also raise costs and reduce HIT adoption rates .129 Finally, allowing patients to opt-out of the system on a record-by-record (or information within a record) basis would impose additional recordkeeping costs on providers, which likely could not be charged only to those who request the segregation of their information but, instead, would be built into everyone's charges. With respect to breach notification, triggers based on the relative risk of harm to consumers, rather than on mere incidence of access also appear to strike a desirable balance. For example, the FTC's proposed breach notification rule for PHRs moves in this direction by requiring notification only when the breach involves unencrypted data and allowing PHR vendors to rebut the presumption that breached data has been acquired. 30 This proposal, for example, would relieve a PHR vendor from the burden of notification when a staff member inadvertently accesses a database. Substitution away from consent and breach notification requirements into data security requirements may be more efficient. Because the former species of regulation implicate marginal costs of data transmission, they risk deterring beneficial sharing of health information. On the other hand, data security requirements implicate primarily (if not exclusively) fixed costs. Thus, these requirements may be more efficient than other forms of regulation to assure patient privacy from an error-costs perspective. Finally, although the preceding discussion has focused entirely on optimal types of regulation, it is worth exploring the extent to which government intervention is needed at all. The Constitution clearly protects citizens from unwarranted government collection and government-mandated disclosures of private information,"' and is likely to prohibit the state from setting a ceiling on the privacy protections that 328. See id. at 702-03. 329. This is a concern that has been raised about some approaches to PHRs, or PHR/eHR interfaces. See Dimitropoulos and Rizk, supra note 14, at 430; Koppel, supra note 56. 330. Health Breach Notification Rule, 74 Fed. Reg. 17,914, 17,915-16 (Apr. 20, 2009) (to be codified at 16 C.F.R. pt. 318). 331. See Whalen v. Roe, 429 U.S. 589, 599 (1977); United States v. Westinghouse Elec. Corp., 638 F.2d 570, 570 (3rd Cir. 1980). private parties may provide, for example, by mandating disclosures without consent. 32 There is, however, no Constitutional mandate for the government to set a privacy floor for private entities:" Private entities face competition in the marketplace. To the extent that health care providers and HIT vendors compete over privacy protections, the need for regulation may be diminished. In other areas of the economy, there is evidence that firms are aware that consumers value privacy and that firms compete on this dimension.3 If evidence of direct competition on this dimension of services is slight in the health care arena, it is nonetheless important to note that, for example, private PHR providers have expended resources on better understanding consumer knowledge and preferences. Microsoft, Google, Kaiser, and others prominently display their privacy policies on their PHR web sites:" The primary online PHRs are free and consequently generate revenue by attracting traffic for advertisers. In such double-sided markets, when something (e.g., overthe-air television, information or entertainment on a Web site) is given away to consumers, competition necessarily occurs in non-price dimensions to attract "eyes" or views. These corporate displays are one example. In many instances, regulation or liability is premised on informational asymmetries. It may be reasonable to assume that consumers are poorly positioned to appreciate all the risks associated with certain products, such that the market alone may fail to produce efficient precautions or levels of safety. 6 By contrast, in the face of information problems that cause them to overestimate their risks, consumers may demand "too much" privacy. For example, a large percentage of consumers say that 332. See Citizens for Health v. Leavitt, 428 F.3d 167, 180 (3rd Cir. 2005). 333. Id. 334. See, e.g., Peter Swire, Antitrust, Privacy, and Other Non-Price Competition, ICOMP Conference on Privacy Competition in the Online Market Place (Apr. 27, 2009), (describing how Google, Yahoo, Microsoft, and Ask compete over privacy features for search engines and how Facebook and MySpace compete over privacy for social networks); PAUL H. RuBIN & THOMAS M. LENARD, PRIVACY AND THE COMMERCIAL USE OF PERSONAL INFORMATION 40-42 (2002) (cataloging examples of the market disciplining firms for violating consumers' preferences for privacy). 335. In addition to a link to its "full Privacy Statement" prominently displayed on the opening page of Microsoft Health Vault's site for personal use, is the following: "Our HealthVault Privacy Principles: •You control the Microsoft HealthVault record you create. °You decide what goes into your HealthVault record. •You decide who can see, use and share your information. •Microsoft won't use your information in HealthVault to personalize ads or services without explicit permission'" Microsoft HealthVault, Personal/index.html (last visited Mar. 26, 2010); Google Health, Take Charge of Your Health Information, (last visited Mar. 26, 2010); Kaiser Permanente, Privacy Practices for Our Web Site, (last visited Mar. 26, 2010). 336. See SHAVELL, supra note 287, at 214-15. they mistrust HIT, but an even larger percentage reports that they are relatively ignorant about HIT.337 Similarly there appears to be a mismatch between consumer fears of loss from identity fraud after a breach and actual levels of harm. 8 These data indicate that consumers probably overestimate actual risk of harm associated with HIT and are unaware that HIT may tend to make records safer rather than more vulnerable. Further, it is dubious that patients are generally aware that stringent consent and breach notification requirements are likely to have a negative impact on HIT adoption and use. Thus, there are good reasons to be concerned that the market may produce "too much" privacy, and that the current level of demand for regulation to protect the privacy of electronic health information is greater than it would be in a world of perfect information. Politicians-who may be susceptible to some of the same information costs-may thus be biased toward over-regulation; some more knowingly may be tempted to take advantage of consumers' (and voters) relative lack of knowledge to push through self-aggrandizing, but harmful privacy regulations. As Professor Sunstein notes, in the face of "isolated but highly publicized cases, . . . [plolicy entrepreneurs, including candidates interested in reelection and good publicity, might well seek increasingly severe controls., 339 These informational issues again admonish policy makers to be cautious when developing privacy regimes to govern HIT. At the very least, policy defaults ought to be set to favor clarity over opacity, and to avoid disutility based on needless cues to information problems or counter-productive decision making biases.)40 IV. PREEMPTION VERSUS FEDERALISM IN PRIVACY REGIMES Leaving aside the stringency of any particular state regulatory regime, there are also costs associated with the patchwork of regimes. Although allowing states to experiment with different approaches to privacy is likely to have benefits, it also comes at a cost. Inconsistent state 337. See NATIONWIDE SUMM., supra note 13, at 6-39 (showing that although nearly half of consumers surveyed were apprehensive about using electronic health records, 57% reported not having "read, seen, or heard" anything about electronic health records prior to the survey, which suggests "a fundamental information gap about electronic health information exchange within the general consumer population"). 338. See PONEMAN INST., CONSUMERS' REPORT CARD ON DATA BREACH NOTIFICATION 5 (2008) (reporting that while 32% of those surveyed believed that following a data breach their likelihood of becoming an identity fraud victim was greater than 40%, the actual incidence of fraud was 2%, which suggests "consumers' fears about the possibility of becoming an identity theft victim do not reflect the actual rate of experience"). 339. Sunstein, supra note 200, at 713. 340. See generally, RICHARD H. THALER & CASS R. SUNSTEIN, NUDGE: IMPROVING DECISIONS ABOUT HEALTH, WEALTH, AND HAPPINESS (Yale Univ. Press 2008). privacy laws can impede cross-border communication of health information and can increase the cost of designing and implementing HIT systems. There appears to be broad recognition-even in the states themselves-that much is at stake in furthering interoperable HIT and that the current mix of state laws may be a serious barrier to doing so. For example, 42 states are now working in various consortia-under the auspices of the Health Information Security and Privacy Collaboration (HISPC) '-at diverse tasks aimed at furthering the flow of electronic health information, including efforts at harmonizing state health privacy and data security law. 2 Participants in these efforts have observed not only that "[m]any states have a series of antiquated, fragmented, and non-standardized laws that may unintentionally create a barrier to the appropriate exchange of electronic health information," but that "c' o'3mprehensive reform would be a resource-intensive task in most states. 1 A national study prepared for HHS observes that, Relevant laws and regulations developed and evolved largely in response to the paper-based health information exchange. Legal restrictions addressing health information exchange were often dispersed across many different statutes and regulations and are sometimes inconsistent with one another. Several states reported that antiquated laws written for paper-only environments created significant barriers to electronic health information exchange. Other states noted that laws were silent with respect to certain aspects of health information exchange, leading to varied business practices and customs." 341. HISPC was established through a contract with HHS to address the privacy and security challenges presented by electronic health information exchange through multistate collaboration ...Each HISPC participant had the support of its state or territorial governor and maintained a steering committee and contact with a range of local stakeholders to ensure that developed solutions accurately reflect local preferences. RTI INT'L HEALTH INFO. SECURITY & PRIVACY COLLABORATION (HISPC), (last visited Mar. 26, 2010). 342. See generally Health Info. Security & Privacy Collaboration (HISPC) Nat'l Conference, Bethesda, MD (Mar. 4-6, 2009) (conference agenda and other materials are available at (follow the "Health Information Security and Privacy Collaboration (HISPC) National Conference" hyperlink)). It should be noted that such consortia organized under HISPC tend to be smaller than national in scope. For example, at the March 2009 conference there was a report on harmonization efforts undertaken by an I Istate consortium chaired by Indiana. Id. 343. Julie Roth, Christina Stephan & Patricia Gray, Harmonizing State Privacy Laws for HIE, Health Info. Security & Privacy Collaboration (HISPC) Nat'l Conference (Mar. 5,2009), See supra note 342. 344. NATIONWIDE SUMM., supra note 13, at 6-3. For all of that, relatively little attention has been paid to the possibility of preempting state law requirements in this area. To be sure, a few commentators have recommended the express preemption of state health information privacy laws, generally because they see the requirements-and the task of compliance with them-as exceedingly complex or otherwise burdensome for health care providers or other business entities. 5 But more general considerations of the costs imposed within and across bodies of state law have been few, and many broad-ranging HIT policy discussions are silent regarding the possibility of preemption. For example, the HHS report mentioned in the preceding paragraph considers various state law issues and means of addressing them, and does not mention the possibility of broader preemption of state law.' At the 2008 FTC Workshop, three panels of participants addressed HIT-related issues, each incorporating privacy issues into its discussion, but no participants discussed the policy option of preemption, not even for the purpose of rejecting it 47 The Recovery Act generally retains the very limited sort of preemption contemplated under HIPAA, 48 under which the states may not waive the minimum requirements of HIPAA and the federal Privacy Rule, even as they are free to regulate unchecked "above" those minimum requirements. There may, of course, be reasons to advocate for state health privacy regulation, whether favoring particular requirements or the maintenance of state prerogatives. First, as consumers may be harmed by violations of their health information privacy, and as they may be poorly situated to 345. That is not to suggest that it has never been mentioned. See Testimony on the Proposed Rule on Confidentiality of Patient Records: Hearing on Health Insurance Portability and Accountability Act Before the S. Comm. on Health, Education, Labor and Pensions 106th Cong. (2000) (testimony of Joanna C. Horobin, Executive Vice President For Commercial Development, EntreMed Inc.) (suggesting the patchwork of state regulations is unworkable, and calling for new federal legislation that generally preempts state medical privacy law); Corey A. Ciocchetti, E-Commerce and Information Privacy: Privacy Policies as Personal Information Protectors, 44 AM. Bus. L.J. 55, 105-06 (2007) (advocating new federal law that "must contain an express preemption clause stating that the legislation is intended to serve as a ceiling as well as a floor"); cf Nicolas P. Terry, An eHealth Diptych: The Impact of Privacy Regulation on Medical Error and Malpractice Litigation, 27 AM. J.L. & MED. 361, 368 (2001) ("[T]he unsatisfactory 'more stringent' partial preemption provision [in current force] is likely to befuddle and annoy healthcare institutions with interstate businesses for years into the future. There may be even worse to come as state legislators are prodded by dissatisfied privacy advocates to pass statutes that fill perceived gaps in the PIHI regulations, thereby increasing the number of non-preempted protections."). 346. See NATIONWIDE SUMm., supra note 13. The term "preemption" does appear in the report, albeit in a different context. 347. See Address at FrC Workshop on Innovations in Health Care Delivery (Apr. 24, 2008) (transcript available at 348. American Recovery and Reinvestment Act of 2009 (Recovery Act), § 13421(a), 123 Stat. 115, 229 (2009). provide (or contract) for protection against such harms, one may be concerned about the general question of the adequacy of the larger set of federal and state privacy regulations. At the FTC Workshop, panelists were generally in agreement that privacy concerns were important to HIT policy, and although some panelists were especially concerned about the costs of excessive regulation, others described the then-current mix of federal and state regulation as insufficiently protective of consumers' interests . It also could be argued that the states may offer an important "laboratory" for testing various regulatory responses to the problems presented by emerging or rapidly changing technologies. For example, Bruce Kobayashi and Larry E. Ribstein have argued that state consumer privacy law is generally superior to federal law in the realm of digital information precisely because of the dynamic nature of the underlying technologies and consumers' interaction with them."0 Where consumers' expectations of privacy remain unclear, there may not be a set of common, baseline costs and benefits associated with certain industry practices that is adequate to justify uniform federal law. State law, on the other hand, "emerges from 51 laboratories and therefore presents a more decentralized model that fits the evolving nature of the Internet .... [and] competition among state laws can mute the inefficient tendencies of interest group legislation. 35' In addition, "[t]he U.S. government's regulation of privacy rights could determine important aspects of the Internet's structure and reduce the flexibility and openness that has made the Internet a major economic force."3 ' The argument is far from decisive in the present case. First, we should note that Kobayashi and Ribstein expressly decline to extend their argument about the potential superiority of state law to the area of medical privacy. They distinguish "information that consumers clearly 349. Compare Pritts, supra note 86, at 287 ("People] will not adopt it [HIT] if there is not adequate trust that their information will be kept confidential."), with Miller, supra note 21,at 231, 233 (regarding costs of state law privacy protections-impact on HIT adoption and relationship between HIT adoption and neonatal mortality, respectively); Dente, supra note 50, at 274 (discussing the need to think about health needs and the importance of information "when we balance the need for connectivity, interoperability, information, with the rights of all of us to have ... patient privacy"). Cf Trenkle, supra note 177, at 281 ("[A] lot of things need to be balanced against privacy and security needs ....[But] it is not an either/or, it is something that needs to be worked together."). 350. Cf Bruce H. Kobayashi & Larry E. Ribstein, A Recipe for Cookies: State Regulation of Consumer Marketing Information, GEO. MASON L. & ECON. RES. PAPER No. 01-04, Feb. 2001, at 5-6 (arguing, on these grounds, that state consumer privacy law is generally superior to federal law, although expressly declining to extend the argument to medical privacy). 351. Id. at 5. 352. Id. at 4. expect to be kept private, such as medical records ... [from information] where such expectations are much less clear. 3" Presumably, if-ranging across the states-there are strong, background expectations of privacy regarding personal information in consumer medical records, the interest in having varied experimental responses to situations where such expectations are denied is considerably diminished.3 Second, where Kobayashi and Ribstein would apply their argument, it depends on the notion that "competition among state laws can mute the inefficient tendencies of interest group legislation 55 Perhaps this is true, but that also depends on the extent to which there can be such competition among state laws. With Internet privacy, crucial competitive mechanisms seem to be (a) enforcement, by the courts, of choice of law and choice of forum clauses and (b) the ability of web operators to "block transmission to states that do not enforce contractual choice. 356 Even in the more general realm of Internet privacy, "a" may be an unlikely counterfactual and "b" seems at least costly and very likely intractable. To the extent that the flow of information is not readily cabined, and where choice of law may be at issue, there may be reasons to wonder whether regulatory reach will be at least as powerful as regulatory competition. In this regard the U.S./E.U. experiences with data privacy law generally may be instructive, and at least one commentator has argued that there are conditions under which the regulatory interests of small states can prompt larger ones to "ratchet up" their regulatory requirements, even to some extent past their own perceived interests (and independent of the question whether one or another state had stumbled upon more efficient requirements). ' Rejecting the notion that global IT competition prompts a regulatory race to the bottom, Professor Shaffer suggests that, although "it is not a race to anywhere in particular, it can (more likely than not) give rise to a ratcheting up of national standards. This is particularly the case where foreign regulation has externalities, as is the case with data privacy protection. 35 8 Further, public choice problems may sometimes be exacerbatednot ameliorated-at the state level. For example, for many issues, 353. Id. at 5. 354. Of course the extent to which they are diminished may vary. Certainly, there may be significant heterogeneity in consumer preferences, interests, or expectations above some shared baseline, and the extent to which any particular regulatory regime satisfies either baseline needs or varied ones may be in question. 355. Kobayashi & Ribstein, supra note 350, at 5. 356. Id. at 5-6. 357. Gregory Shaffer, Globalization and Social Protection:The Impact of EU and International Rules in the Ratcheting Up U.S. Privacy Standards, 25 YALE J. INT'L L. I, 5-8 (2000). 358. Id. at 7. national stakeholders may be able to identify seed states in which lobbying costs are relatively low, countervailing business interests are relatively diminished, and-as is often the case-consumer interests are diffuse and costly to organize. Success therein achieved may be more than local: it may tend to lower the costs of lobbying in other states, producing, in efficient fashion (for the lobbying stakeholder), a sort of legislative cascade. 9 Finally, the notion of vigorous competition aided by the threat of virtual exit seems an especially poor fit in many health care contexts. Informed and well-counseled corporate parties may, for example, engage in arms-length negotiation over choice-of-law clauses on the basis of good and tolerably symmetric information about their own interests and the relevant choices of law.'60One may be less optimistic about such negotiations between large national payers, mid-sized regional or local providers, and individual patients, given an industry with notoriously poor price and quality information transparency,361wwhherbroehpboioeth provider practices and consumer expectations about such practices may be highly variable, and when individual patients may require real-time trauma treatment from a hospital with no local competition. Of course, even to the extent that a poor fit between certain bodies of state law may be costly, there are other possible policy responses besides expanding the preemptive reach of HIPAA. Harmonization efforts are, as 359. Without analyzing the factors behind any particular legislative cascade, we may observe, nonetheless, that it is not uncommon for similar legislation to be adopted across many states following a legislative success in one particular state. For example, California was the first to enact a data breach notification law, requiring companies to notify California residents whose unencrypted personal information was acquired by an unauthorized person. Prepared Statement of the Federal Trade Commission Before the S. Comm. on Commerce, Sci. and Transp. on Data Breaches and Identity Theft, 109th Cong. 11-12 (2005) (Congressional testimony by FTC Chairman Deborah Majoras on data breaches and identity theft, discussing the California breach notification law, CAL. Civ. CODE § 1798.82), available at Many states followed California's lead, and to date, 32 states have some form of data breach notification. We do not suggest that the states had no reason to be concerned about breach notification issues. We suggest, simply, that the progress of follow-on legislation across the states often proceeds at a pace that suggests something other than the application of policy experiments observed in different jurisdictions, not least because the pace of adoption makes it implausible that the costs and benefits of legislation, and its implementation, by early adopters has been analyzed by subsequent ones. 360. It may be, as well, that where market transactions commonly involve parties thusly situated, there is competitive pressure in favor of the convergence of state law regimes on a relatively efficient model, perhaps as we have seen with the dominance of Delaware corporate law. 361. See, e.g., Robert Wood Johnson Found., Choosing a Health Care Provider: The Role of Quality Information, Policy Brief No. 14 (May 2008), available at http://; A DOSE OF COMPETITION, supra note 69. noted, underway within consortia of states, as well as other possible state law reforms. But harmonization is a costly process in itself,162 and the results of considerable efforts under the auspices of HISPC over the past several years-although in many regards interesting-seem partial and limited. Wyeth v. Levine&6-3addressing very different health care policy and legal issues-may provide an interesting contrast with present preemption considerations. In that case, petitioner argued that state law claims, sounding in tort, that alleged a failure to adequately warn of the risks attending use of a drug product (administered in a particular way), were preempted by the regulatory oversight of the federal Food and Drug Administration (FDA)-in particular, by the approval of the marketing of the drug product, as safe and effective, under particular labeling, under the federal Food65, Drug, and Cosmetic Act (FDCA).3' The Court held that they were not.: Analogous implied preemption arguments are not available under HIPAA, the federal Privacy Rule, or the Recovery Act, because the question whether HIPAA may impliedly preempt more stringent state law requirements is rejected, expressly, by HIPAA itself. Regulations promulgated under HIPAA with regard to "the privacy of individually identifiable health information ... shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation."3' The interesting policy question, rather, comes in two parts. First, if the preemption/non-preemption provision did not exist, would colorable-or perhaps persuasive-implied preemption arguments be available to stakeholders burdened by state health privacy laws? Second, if so, to what extent might such arguments work as policy grounds for the express preemption of such state laws? The Court's contentious decision in Wyeth 6 7 rests on the rejection of two separate implied preemption arguments.316 First, the Court rejected the 362. Cf Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in Cyberspace, 52 STAN. L. REV. 1315, 1319-20 (2000) (regarding difficulties and harms of harmonizing privacy rules across national borders). 363. 129 S. Ct. 1187 (2009). 364. Id. at 1193-94. 365. Id. at 1190. 366. Health Insurance Portability and Accountability Act of 1996 (HIPAA) § 264(c)(2), 110 Star. 2033-34,42 U.S.C. § 1320d-2 (2009). 367. Writing for the minority, Justice Alito wrote, "[t]his case illustrates that tragic facts make bad law," and argued that, "[iun its attempt to evade Geier's applicability to this case, the Court commits both factual and legal errors." 129 S. Ct. at 1222 (Alito, J., dissenting) (citing Geier v. Am. Honda Motor Co., 529 U.S. 861 (2000)). 368. Id. at 1193. conflict preemption argument that, "it would have been impossible for [Wyeth] to comply with the state law duty ... without violating federal law. ' 9Although the FDA has the power to approve (or reject) proposed or extant labeling for a prescription drug product, FDA regulations do permit certain provisional changes to reflect "newly acquired information" upon the manufacturer's filing a supplemental application with the FDA (but prior to approval of that supplemental application). " More generally, the Court identified what it saw as "a central premise of federal drug regulation that the manufacturer bears responsibility for the content of its label at all times., 37 Hence, federal regulations-and in the Wyeth case, administrative decisions reached under those regulations-do not determine the appropriate level of warning. The appropriate level of warning is to be determined by the manufacturer, subject to FDA review. Absent HIPAA section 264, a different argument might be made about health information privacy. On the one hand, health care providers and other covered entities are free in various ways to implement their own privacy policies. On the other hand, no such entity can make unilateral changes-pending HHS approval or otherwise-to the basic requirements of HIPAA and the Privacy Rule; neither can it modify the rights HIPAA grants to patients and their representatives. There is, therefore, specific content to the requirements of federal law in the privacy case, and private parties may comply or fail to comply with those requirements, but they may not change them.372 In brief, whereas drug manufacturers-at least arguably-may disclose certain new risk information prior to administrative approval, health care providers may not disclose protected PHI, as proscribed under HIPAA and the Privacy Rule, without authorization. Second, the Court rejected Wyeth's argument that state law decisions regarding the adequacy of the labeling in question "would obstruct the purposes and objectives of federal ... regulations. 37 ' Against that possibility, the Court noted the absence of an express preemption provision in the FDCA. The Court also rejected the FDA's own view that the FDCA establishes "both a 'floor' and a 'ceiling' so that FDA approval of labeling ... preempts conflicting or contrary State law.' 374 Rather, the Court 369. Id. (holding otherwise at 1199). 370. Id. at 1196. 371. Id. at 1197-98. 372. As noted above, pertinent federal law includes not just HIPAA and the federal Privacy Rule but also the FTC Act and the Recovery Act. 373. Wyeth, 129 S. Ct. at 1193 (holding otherwise at 1204). 374. Id. at 1200 (internal quotations omitted) (citing 71 Fed. Reg. 3922, 3934-35 (2006)). preferred the FDA's older (and contrary) view that federal standards are "a floor upon which States could build."" Plainly, Congress now intends that HIPAA function as a floor, but not a ceiling, for health information privacy protection. But Congress also intends that, in general, the Office of the National Coordinator for Health Information Technology (ONC) carry out its duties "in a manner consistent with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information. '7 6 In particular Congress has declared that ONC activities will be directed toward "the utilization of an electronic health record for each person in the United Sates by 2014." 77 Considerable appropriations have been devoted to those HIT policy goals. To the extent that there is, as we have discussed, some tradeoff between state law protection of health information privacy and the rate of HIT adoption, the following question presents itself: If the costs of additional state law protections for health information privacy are substantial and "[m]any states have a series of antiquated, fragmented, and non-standardized laws that may unintentionally create a barrier to the appropriate exchange of electronic health information," while "comprehensive reform would be a resource intensive task in most states, 378 what is the point at which state purpose of the Recovery Act's HIT provpisriivoancsy? 37m9ay frustrate the larger law regulation of health information Field preemption, another type of implied preemption, may also be an interesting issue for policy purposes. Congressional intent to preempt state law may be inferred "where the scheme of federal regulation is sufficiently comprehensive to make reasonable the inference that Congress 'left no room' for supplementary state regulation. '80 Such cases are not unrelated to preemption arguments resting on the purposes and objectives of federal law, in that the Court has held that Congressional intent to preempt state law may be inferred where "the federal interest is so dominant that the federal system will be assumed to preclude enforcement of state laws on the same subject."3 8' Even though HIPAA was not intended, as drafted, to establish comprehensive health information privacy protection, 375. Id. at 1202. 376. American Recovery and Reinvestment Act of 2009 (Recovery Act), § 3001(b), 123 Stat. 115,229 (2009). 377. Id. at § 3001(a)(3)(A)(ii). 378. Roth et al., supra note 343. See supra note 342. 379. The Recovery Act provides that its two central HIT titles-tit. XIII of div. A and tit. IV of div. B-be referred to as the "Health Information Technology for Economic and Clinical Health Act" or the "HITECH Act." Recovery Act § 13001. 380. Hillsborough County v. Automated Med. Labs., Inc., 471 U.S. 707, 713 (1985) (quoting Rice v.Santa Fe Elevator Corp., 331 U.S. 218, 230 (1947)). 381. Rice, 331 U.S. at 230. between the adoption of HIPAA and the adoption of the Recovery Act, many nonetheless would have viewed field preemption arguments as problematic in this context. For example, participants in the FTC Workshop and other commentators had expressed concerns about possible gaps in HIPAA,182 especially with regard to the treatment of business associates... and, more recently, in the emerging area of PHRs.3 4 As we have noted, however, the Recovery Act comprises provisions that address these substantial gaps with requirements (and possible penalties) pertaining to business associates,38 new requirements pertaining to PHR vendors and related entities,386 and provisions for new rule making in these areas by HHS and the FTC.38 The Recovery Act also calls for further study, directly by federal agencies and otherwise under federal aegis, with additional recommendations to Congress presumed to be forthcoming. If federal regulation does not (or will not soon) occupy the field, at what point might it? There is no sure answer to the question whether the elimination of HIPAA's Section 264 would establish the likely success of implied preemption arguments in the area of health information privacy. It may be that Wyeth has raised the bar for such arguments generally, but the extent to which the Court will read its holding to cabin more than the reach of the FDCA with regard to state law claims about drug labeling remains to be seen. Such implied preemption arguments would be difficult in any case, especially to the extent that the Court found applicable, and persuasive, the general notion that "the historic police powers of the States [are] not to be superseded by ... Federal Act unless that was the clear and manifest purpose of Congress"388 One might also suggest that the substantial structural complexity of the Court's implied preemption doctrine is exceeded greatly by the complexity of the doctrine's semanticshow it might be applied to novel circumstances is less clear than it could be. Possible implied preemption arguments do, however, point to policy grounds to consider express preemption. In brief, it is not clear that the 382. See, e.g., McAndrew, supra note 118, at 211 (regarding "certain gaps in the current HIPAA coverage"); McGraw, supra note 31, at 146-47 ( "gap" in HIPAA coverage); Pritts, supra note 86, at 289 ("gaps" in federal and state privacy protections). 383. McGraw, supra note 31, at 146 (identifying this as a "gap" in HIPAA); cf McAndrew, supra note 118, at 211-12 (noting many concerns about the lack of "level playing field" with business associates and how business associates handle PHI). 384. McGraw, supra note 31, at 146-47 (regarding "gaps" in HIPAA coverage, especially with regard to personal health records). 385. See American Recovery and Reinvestment Act of 2009 (Recovery Act), §§ 13401, 13404, 123 Stat. 115, 229 (2009) (regarding the application of security provisions and penalties and the application of privacy provisions and penalties, respectively). 386. Id.§ 13407. 387. See supra note 104 and accompanying text. 388. Wyeth v.Levine, 129 S. Ct. 1187, 1194-95 (2009) (internal citations omitted). web of state privacy and data security protections can be read consistently with federal privacy, data security, and HIT law, not least because it cannot be read consistently on its own-often, it seems, even the prospects of intrastate harmonization may be unclear. Moreover, it may be that the larger body of state law is at odds with the balancing of policy goals sought in federal HIT law. In particular, the Recovery Act's HIT provisions appear to balance substantial interests in health privacy against substantial interests in the development and adoption of interoperable HIT and, more than that, the actual flow of health information on a national basis. State law provisions do not appear to strike a similar balance, and it is not clear that they could. That is not simply a matter of adding or subtracting cost to the acquisition of HIT hardware and software or moving a metaphorical floor or ceiling up or down, but about optimizing a complex set of considerations about health care practice, health care funding, standard setting and certification, and more. The interplay between the HIT policy and standards advisory committees noted above should be instructive in this regard. Indeed, this Article more generally illustrates the complexity of benefits and barriers that may be associated with HIT, and the interrelationships between them. Interleaving extant-and changeable-state regulatory schemes into this developing matrix is likely a herculean task, supposing it is tractable at all. CONCLUSION Health information technology shows great promise, but it will be costly to implement on a national scale. By providing significant financial incentives, the recently enacted Recovery Act will further HIT adoption greatly, but significant non-financial barriers remain. Perhaps the paramount regulatory barriers are those designed to protect privacy. Consumers clearly value health information privacy-both for the sake of maintaining autonomy over intimate details of their lives and because they worry about financial and physical harms that can come from data breach. The extant mix of federal and state regulations-chiefly consent requirements and, to a lesser extent, breach notification requirementsalso impede HIT adoption by making it more costly to share health information via interoperable systems. At the same time, many privacy regulations do not appear to provide net benefits, at least in terms of the tangible harms they seek to suppress. Because most benefits are likely to be intangible, a regulatory regime that strikes the correct balance between privacy and HIT adoption can only follow a richer understanding of patients' intrinsic valuations of privacy, which are likely to vary across the population and contexts of care. Further, given that consumers clearly are concerned about their medical privacy-perhaps overly sothe market should not be discarded as a source of privacy protection. Calibrating the correct mix of state and federal health privacy regulation also requires balance. Allowing health privacy regimes to vary across states permits experimentation and regulations that more closely match local privacy preferences, to the extent that preferences vary on a state level. These benefits, however, increase the cost of developing and implementing interoperable HIT on a national scale, as well as the cost of the flow of health information over channels already established. Although HIPAA expressly sets only a federal floor of privacy protection, the recent federal push behind HIT adoption on a national scale, combined with HIPAA and Recovery Act privacy provisions, suggest at least a policy rationale for reconsidering the federal preemption of state health privacy laws. National Survey of Physicians, 359 NEW ENG. J. MED . 50 , 50 ( 2008 ) (basing these statistics on a national survey of 2,758 physicians) . 39 . Ashish K. Jha et al., Use of Electronic Health Records in U .S. Hospitals, NEw ENG. J. MED . 1628 , 1628 ( 2009 ). 40 . Many have been concerned about rates of adoption of HIT in different areas of support services have been slow to meet demand . See, e.g., Wood, supra 31 , at 169; Berg, supra 31, at 200 . 41. See Miller & Tucker, supra note 12, at 1080 . 42. See David J. Brailer , Interoperability: The Key to Future Health Care System, HEALTH AFF. w5-19 , w5 - 20 ( 2005 ), (use the search bar to lo- cate the document and then follow the hyperlink ). 43 . See Hoffman & Podgurski, supra note I1, at 113 (reporting that the average Medi- care patient visits seven different physicians in a given year); see also Brailer , supra note 42, at w5- 19 . 44 . See Jan Walker et al., The Value of Health Care Information Exchange and herop- erability , HEALTH AFF. w5-0 , w5 -13 - w5- 14 ( 2005 ), (use the search bar to locate the document and then follow the hyperlink ). 73. Id. at 18 . 74. Id . 75 . With regard to small offices, "[estimates of annual costs for operating and main- taining the system ... range between about 12 percent and 20 percent of initial costs." Id. tices, 24 HEALTH AFF . 1127 ( 2005 ); Samuel J . Wang et al., A Cost-Benefit Analysis of Electronic Medical Records in Primary Care, 114 AM. J. MED . 397 ( 2003 ) ) . Hospital operat- ing costs vary by size and type of hospital but are estimated to be about 19% of acquisition costs, or $2,700 per bed . CONG. BUDGET OFFICE, supra note 10 , at 18 . 76. Michael F. Furukawa et al., Adoption of Health Information Technologyfor Medica- tion Safety in U.S. Hospitals, 2006 , 27 HEALTH AFF. 865 , 868 ( 2008 ). 77 . Id. at 867 . 78. Id. at 868 . 79. Id. at 867 . 80. See , e.g., Gans et al., supra note 37 , at 1323 , 1325. Also, "[blecause of the structure equipment expenditures are funded directly from physician income . " Id. at 1329 . 81. See , e.g., Dr . Kevin Car', Physician Senior Manager for Clinical Transformation Health Care Delivery 153-54 (Apr. 24 , 2008 ) (transcript available at http:l/ bc/healthcare/hcd/docs/hcdwksptranscript.pdf); Kolodner, supra note 34, at 294; Wood, supra note 31, at 177 . 82. Wood , supra note 31, at 17 1 . 298 . "This much has been categorically settled by the Court, that obscene material is unprotected by the First Amendment." Miller v . California , 413 U.S. 15 , 23 ( 1973 ) (citations omitted) . 299 . See Thompson v. W. States Med . Ctr., 535 U.S. 357 , 367 - 68 ( 2002 ) (re-affirming speech) (citing Cent. Hudson Gas & Elec . Corp. v. Pub. Serv. Comm'n of N.Y. , 447 U.S. 557 ( 1980 )). 300 . Ward v. Rock Against Racism , 491 U.S. 781 , 791 ( 1989 ). Such regulation of pro- 798. 301. Breard v. Alexandria , 341 U.S. 622 , 642 ( 1951 ). 302 . Hill v. Colorado , 530 U.S. 703 , 716 ( 2000 ) (quoting Olmstead v . United States , 277 U.S. 438 , 478 ( 1928 ) (Brandeis , J., dissenting)) . 303 . Id. at 717 . 304 . "This common-law 'right' is more accurately characterized as an 'interest' that States can choose to protect in certain situations." Id. (citing Katz v . United States , 389 U.S. 347 , 350 - 51 ( 1967 )). 305 . See Bartnicki v. Vopper , 532 U.S. 514 ( 2001 ); The Fla . Star v. B. J.F ., 491 U.S. 524 ( 1989 ) ; Cox Broad . Corp. v. Cohn, 420 U.S. 469 ( 1975 ).

This is a preview of a remote PDF:

Daniel J. Gilman, James C. Cooper. There is a Time to Keep Silent and a Time to Speak, the Hard Part is Knowing Which is Which: Striking the Balance between Privacy Protection and the Flow of Health Care Information, Michigan Telecommunications and Technology Law Review, 2010,