Health Information Ownership: Legal Theories and Policy Implications
Lara Cartwright-Smith, Elizabeth Gray, and Jane Hyatt Thorpe*
ABSTRACT
This Article explores the nature and characteristics of health information that make it subject to federal and state laws and the existing legal framework that confers rights and responsibilities with respect to health information. There are numerous legal and policy considerations surrounding the question of who owns health information, including whether and how to confer specific ownership rights to health information. Ultimately, a legal framework is needed that reflects the rights of a broad group of stakeholders in the health information marketplace, from patients to providers to payers, as well as the public’s interest in appropriate sharing of health information.
TABLE OF CONTENTS
I. INTRODUCTION 208
II. THE UNIQUE NATURE OF HEALTH INFORMATION 209
  A. Definitions of Health Information 210
    1. Health Information Characteristics 210
    2. Health Information Types 212
III. THE LEGAL AND POLICY LANDSCAPE FOR HEALTH INFORMATION 214
IV. LEGAL THEORIES OF INFORMATION OWNERSHIP 219
  A. Property Law 220
  B. Intellectual Property Law 225
  C. Federal Privacy Law 226
    1. Constitutional Law 226
    2. HIPAA 228
    3. Other Federal and State Statutes and Regulations Protecting Health Information Privacy 231
      a. The Genetic Information Nondiscrimination Act of 2008 (GINA) 232
      b. Privacy Act and FOIA 233
      c. 42 C.F.R. Part 2 234
  D. Contract Law 235
  E. State Law 236
V. POLICY CONSIDERATIONS 237
VI. CONCLUSION 241
* The authors thank Jennifer Ansberry, JD, MPH, Maanasa Kona, JD, LLM, and Resa Cascio, JD, LLM, for their valuable research contributions to this paper.
I. INTRODUCTION
The concept of owning information invokes thoughts of property and profit. Property ownership means that the owner may use the property as he or she wishes. The owner may modify it, destroy it, transfer it by sale or donation, and permit others to use it according to his or her terms, among other things. However, ownership of health information is less clear. In some cases, the law ascribes clear ownership rights over part or all of a health record, but in other cases, information may be used by a number of parties without clear ownership rights, even for the person who is the subject of the information. Stakeholders at the state and federal levels struggle with these issues as more uses for health information are developed, technological advancements enable greater mobility, and the accessibility and ownership of health information become more significant, yet the answer to the ownership question remains unclear. Numerous potential solutions to the health information ownership question exist. One option would be to allow each person to own the information held in her personal medical records, even if another person created the record. Another might be to give ownership of the patient’s information to the healthcare provider who recorded that information. Or perhaps the many rights surrounding health information amount to ownership or make ownership irrelevant in a highly regulated environment.
This Article will explore the existing laws that confer rights and responsibilities with respect to health information, discuss various legal theories of ownership that could apply to health information, and consider the implications of applying them in the current health information policy landscape. In Part I, the Article will explore the nature of health information and the various characteristics that may make it subject to federal and state regulation. In Part II, the Article will explore the legal and policy landscape surrounding health information regulation, considering why ownership of health information is of particular relevance now. In Part III, the Article will discuss the various laws and legal theories that apply to health information, giving full ownership rights or rights to access, use, and control it. Finally, in Part IV, the Article will discuss policy considerations surrounding the question of health information ownership, including the implications of conferring specific ownership rights over health information. While there is no one solution to the question of health information ownership, given the complex bundle of overlapping rights under state and federal laws that apply, the Article highlights the policy considerations that weigh against treating health information exclusively as property. Ultimately, a legal framework is needed that reflects the rights of the many stakeholders in the health information marketplace, from patients to providers to payers, as well as the public’s interest in the appropriate sharing of health information.
II. THE UNIQUE NATURE OF HEALTH INFORMATION
In some ways, health information is similar to other types of personal information: it contains unique details about a particular individual. Like financial information, it can be used improperly to discriminate against an individual and, like private photos or personal thoughts, it can be embarrassing if disclosed publicly. In other ways, health information is unique. For example, disclosing health information to others is necessary both for proper medical treatment of the person who is the subject of the information and also for the business purposes of potentially many different people or entities, such as doctors for treatment and billing purposes and health insurance companies for payment purposes. Health information may be relevant to third parties, as in the case of communicable diseases or inheritable genetic conditions. Before considering how laws apply to health information, it is important to define what health information is and explain what makes it subject to regulation.
A. Definitions of Health Information
The most basic definition of health information is any information concerning the health of at least one person.1 When considering law and policy, however, the regulated information must be specifically defined. For example, the physical medical record, the content of the record, biological samples taken from a person, and data aggregated from many different people can all be considered “health information,” but they may be treated differently under the law. Not all health information is subject to regulation, and information that is regulated may be subject to laws that overlap or directly contradict each other.2
1. Health Information Characteristics
There is no single legal framework governing “health information;” rather, information may be subject to one or more laws and/or regulations depending on the information’s specific characteristics. For purposes of applying legal protections and restrictions, health information can be defined based on a variety of characteristics, such as its content, its source, and its form. These characteristics are not mutually exclusive, so that multiple overlapping rights and obligations may apply to a particular record or piece of information, complicating the question of ownership.
Content focuses on the substance of the information. The American Health Information Management Association (AHIMA) defines health information as “the data related to a person’s medical history, including symptoms, diagnoses, procedures, and outcomes.”3 This content-based definition is perhaps the broadest possible way to describe health information, as there are no limitations related to its source, form, or subject. The Office of the National Coordinator for Health Information Technology (ONC) uses a slightly narrower definition, recognizing health information as information about an individual’s medical condition or history where the information can be used to identify an individual.4 Indeed, identifiability is a critical component underlying most federal and state laws and regulations governing health information.5
Health information can also be categorized by its source, which refers to the person or the entity that initially collected the information, as well as the setting in which the information was generated or collected. Sometimes, the individual subject of the information or the individual’s family members may be the information collector. Health information may also be collected by entities providing care, paying for care,6 performing public health functions, conducting research, or delivering other services that may incidentally involve healthcare information, such as those provided by prisons, schools, or universities. Laws focusing on the source alone may protect information only in its collected form, meaning the information itself is not protected but the list, database, or other collected information format is protected, as in the case of a business record, such as a patient list. Moreover, these laws may only protect information held by a certain party, such as a substance abuse treatment facility.
Lastly, the form of medical information indicates the method by which information is collected and stored. Health information may be tangible, such as a tissue sample, or intangible, such as an individual’s memory about his or her health or an individual’s genetic information. Intangible health information becomes tangible once it is recorded or extracted from the individual. Tangible health information is stored digitally or on paper, or as preserved physical samples, such as those kept in biobanks. Some legal protections and restrictions apply to health information by virtue of its form or medium, such as laws granting ownership of a medical record to the healthcare provider that holds it.7 In that case, the information is protected health information because it is contained in a medical record, but the protection may not follow the information once it leaves the medical record.
1. What Is Health Information?, AM. HEALTH INFO. MGMT. ASS’N, http://www.ahima.org/careers/healthinfo [https://perma.cc/8NV9-5VL4] (last visited Oct. 27, 2016).
2. See, e.g., Beverly Cohen, Reconciling the HIPAA Privacy Rule with State Laws Regulating Ex Parte Interviews of Plaintiffs' Treating Physicians: A Guide to Performing HIPAA Preemption Analysis, 43 HOUS. L. REV. 1091, 1105–07 (2006).
3. What Is Health Information?, supra note 1.
4. What Is “Health Information” for Purposes of the Mobile Device Privacy and Security Subsection of HealthIT.gov?, HEALTHIT.GOV, https://www.healthit.gov/providers-professionals/faqs/what-health-information-purposes-mobile-device-privacy-and-security-sub [https://perma.cc/72JC-NQT2] (last visited Oct. 27, 2016).
5. See, e.g., Health Insurance Portability and Accountability Act (HIPAA) of 1996 § 1177, 42 U.S.C. § 1320d(6) (2012) (defining an “offense” by referring four times to “identifiable health information” or “health identifier”).
6. Health insurers, for example, are entities that pay for care, though other entities may be involved in payment. This would include the federal government when it directly pays providers to deliver care to a specific population for which it has responsibility, such as veterans.
7. E.g., S.C. CODE ANN. § 44-115-20 (West 2016) (a physician is the owner of medical records that were made in treating a patient and are in his or her possession, as well as the owner of records transferred to him or her concerning prior treatment of the patient); V.A. CODE ANN. § 54.1-2403.3 (West 2016) (medical records maintained by any healthcare provider are the property of the healthcare provider or the provider’s employer).
2. Health Information Types
When considering ownership and regulation of health information, it is important to understand what may be owned or regulated. Laws may regulate only a certain type of health information, as in the case of state laws granting ownership of genetic information to the subject of the information,8 which can complicate matters if a certain record contains multiple types of information. It is important to understand the terms used by policymakers and stakeholders to delineate different types of information because these definitions may determine what rights and responsibilities apply to that information.
The medical and health policy communities have adopted several commonly used terms to define certain types of health information. The term “clinical data,” for example, refers to health information collected in a clinical setting by a provider from a patient.9 Clinical data may include patient histories, lab results, x-rays, or provider notes.10 Clinical data is stored in electronic health records (EHRs) and electronic medical records (EMRs), paper-based medical records, and clinical trial records.11
“Administrative data” is information collected from patients by healthcare stakeholders, such as providers and payers, in connection with the patient’s care or payment for care.12 Administrative data is used primarily for business purposes like record keeping or billing and may include patient demographic and insurance information.13 Administrative data may be found in EHRs and EMRs, paper-based medical records, and practice management systems.14
Finally, “patient-generated health data” (PGHD) is “health-related data created, recorded, or gathered by or from patients” or patients’ family members or other caregivers in non-clinical settings.15 PGHD may be generated or collected by mobile apps, personal health records (PHRs), and home health equipment that does not automatically transmit to a provider, such as a blood glucose monitor.16
Other common terms refer to the content of the information. “Biospecimens” are physical materials taken from an individual, including tissue, blood, urine, or other human-derived material,17 as well as the information derived from the material, such as extracted DNA.18 A biospecimen can comprise subcellular structures, cells, tissue, organs, blood, gametes (sperm and ova), buccal swabs, embryos, fetal tissue, exhaled breath condensate, and waste (urine, feces, sweat, hair and nail clippings, shed epithelial cells, and placenta).19 “Genetic information” refers to information about an individual’s genetic makeup and the genetic makeup of an individual’s family members, as well as information about the manifestation of a disease or disorder in an individual’s family members, such as a family medical history.20 Both biospecimens and genetic information may be defined and regulated according to their form as well as content, as in the case of a rule applying only to the physical sample taken from a body.
8. E.g., ALASKA STAT. ANN. § 18.13.010 (West 2016) (“DNA sample and the results of a DNA analysis are the exclusive property of the person sampled or analyzed.”); COLO. REV. STAT. ANN. §§ 10-3-1104.6, -1104.7 (West 2016) (indicating genetic information is the property of the individual); FLA. STAT. § 760.40 (2016) (“[R]esults of . . . DNA analysis, whether held by a public or private entity, are the exclusive property of the person tested.”); GA. CODE ANN. § 33-54-1 (West 2016) (“Genetic information is the unique property of the individual tested . . . .”); LA. STAT. ANN. §§ 22:1023, 40:2210 (2016) (“[I]nsured’s or enrollee’s genetic information is the property of the insured or enrollee . . . .”).
9. Data Resources in the Health Sciences, U. WASH., http://guides.lib.uw.edu/hsl/data/findclin [https://perma.cc/3TXB-EQT5] (last visited Nov. 2, 2016).
10. THE OFFICE OF THE NAT’L COORDINATOR FOR HEALTH INFO. TECH., COMMON CLINICAL DATA SET 2 (2015), https://www.healthit.gov/sites/default/files/commonclinicaldataset_ml_11-4-15.pdf [https://perma.cc/G37Q-LPP2]; see also What Is Health Information?, supra note 1.
11. See, e.g., INST. OF MED., CLINICAL DATA AS THE BASIC STAPLE OF HEALTH LEARNING: CREATING AND PROTECTING A PUBLIC GOOD: WORKSHOP SUMMARY 45 (National Academies Press 2010), http://www.ncbi.nlm.nih.gov/books/NBK54296/ [https://perma.cc/9VDT-SPY9].
12. Id. at 100.
13. Id. at 126.
14. Id. at 69.
15. Patient-Generated Health Data, HEALTHIT.GOV, https://www.healthit.gov/policy-researchers-implementers/patient-generated-health-data [https://perma.cc/6QHJ-T7MT] (last visited Oct. 27, 2016).
16. Id.
17. OFFICE OF BIOREPOSITORIES AND BIOSPECIMEN RESEARCH ET AL., NCI BEST PRACTICES FOR BIOSPECIMEN RESOURCES 59 (2011), http://biospecimens.cancer.gov/bestpractices/2011-NCIBestPractices.pdf [https://perma.cc/WAH2-3WQS] (last visited Oct. 27, 2016).
18. NAT’L INST. OF HEALTH, GUIDELINES FOR HUMAN BIOSPECIMEN STORAGE AND TRACKING WITHIN THE NIH INTRAMURAL RESEARCH PROGRAM 3 (2013), https://oir.nih.gov/sites/default/files/uploads/sourcebook/documents/ethical_conduct/guidelines-biospecimen.pdf [https://perma.cc/QU9E-CDR4] (last visited June 28, 2016).
19. OFFICE OF BIOREPOSITORIES AND BIOSPECIMEN RESEARCH ET AL., supra note 17, at 59; Jonathan S. Miller, Can I Call You Back? A Sustained Interaction with Biospecimen Donors to Facilitate Advances in Research, 22 RICH. J.L. & TECH. 1 (2015).
20. Adapted from the definition of “genetic information” set forth in GINA Title I. See Genetic Information Nondiscrimination Act of 2008 § 201, 42 U.S.C. § 2000ff (2012).
III. THE LEGAL AND POLICY LANDSCAPE FOR HEALTH INFORMATION
In recent years, evolving technology has made health information more accessible and more meaningful to individual consumers, providers, payers, and researchers. Value-based purchasing policies have created incentives for providers to collect, analyze, and report more data about individual patients.21 Wearable devices collect and record health information such as activity, heart rate, and blood sugar level, enabling individuals to monitor, and thus better manage, their own health.22 These and other self-management tools, such as Consumer Health Informatics (CHI) applications, are particularly useful for patients with chronic conditions. For example, researchers have found that the use of such tools can positively affect health outcomes in the cases of breast cancer, alcohol abuse, smoking cessation, obesity, diabetes, mental health, and asthma.23 CHI applications also include electronic PHRs and patient portals, some of which function as peer interaction systems by which users can communicate with others who have similar conditions.24 Individuals may also choose to share personal health information freely online through websites specifically designed to aggregate information from patients, such as PatientsLikeMe,25 as well as on social media.26 Providers even share patient information on social media (with privacy protections in place), essentially crowdsourcing medical diagnosis and treatment.27
Technology is also enabling the use of “big data” drawn from health records, which promises to improve the quality of healthcare, allow a greater understanding of patient and provider behaviors, and even find new treatments for conditions like cancer. “Big data” refers to very large datasets containing vast quantities of a variety of information types that arrive and must be processed quickly.28 It also invites concern about commercial uses by information resellers and marketers, as well as nefarious uses like identity theft and discrimination.29 Cybersecurity experts estimate that a stolen medical record is worth ten times more than stolen credit card information because of medical information’s greater profit potential.30 In the legal data market, health information is collected and sold to companies such as credit bureaus, advertisers, and investigators. An appendix to a 2013 Government Accountability Office (GAO) report on information resellers listed characteristics that the credit reporting company Experian used to identify individuals to include in marketing lists it created and provided to its clients.31 The characteristics included an extensive list of health conditions, including potentially sensitive conditions like Alzheimer’s disease, cancer, clinical depression, diabetes, erectile dysfunction, epilepsy, irritable bowel syndrome, menopause, Parkinson’s disease, and prostate problems.32 The business of gathering health data for commercial purposes can be significant; for example, IMS Health, one of the leading providers of such intelligence, reported approximately $1.5 billion in annual revenue for its information segment in each of the last five years.33 IMS Health draws information from a variety of sources, including over 500 million patient medical records and over fourteen million healthcare providers and organizations (Figure 1). These millions of records and pieces of patient information are combined into a dataset that is sold as a product to a variety of users.34 These practices illustrate how one’s health information may be commodified—that is, turned into a product for someone else’s profit. In this landscape, legal ownership of information becomes a critical question.
Figure 1: Data combined by IMS Health for its “Market Insights” health information business sector.35
21. See, e.g., Linking Quality to Payment, MEDICARE.GOV, https://www.medicare.gov/hospitalcompare/linking-quality-to-payment.html [https://perma.cc/D5FK-XVJQ] (last visited Oct. 27, 2016).
22. See John Comstock, CES 2016: Running List of Health and Wellness Devices, MOBIHEALTH NEWS (Jan. 6, 2016), http://mobihealthnews.com/content/ces-2016-running-list-health-and-wellness-devices [https://perma.cc/U4B3-WSJ2].
23. JOHNS HOPKINS UNIV. EVIDENCE-BASED PRACTICE CTR., IMPACT OF CONSUMER HEALTH INFORMATICS APPLICATIONS, at v (2009), http://www.ahrq.gov/downloads/pub/evidence/pdf/chiapp/impactchia.pdf [https://perma.cc/8H5Q-L9KR].
24. Bisk, Defining the Concept of CHI, and Exploring How It Is Democratizing Healthcare for Patients, USF HEALTH, http://www.usfhealthonline.com/resources/key-concepts/consumer-health-informatics/#.V2xi0jkrK2x [https://perma.cc/5TET-T7GU] (last visited Nov. 2, 2016).
25. Live Better, Together!, PATIENTSLIKEME, https://www.patientslikeme.com [https://perma.cc/R66M-K49F] (last visited Nov. 2, 2016).
26. See Patricia Sanchez Abril & Anita Cava, Health Privacy in a Techno-Social World: A Cyber-Patient's Bill of Rights, 6 NW. J. TECH. & INTELL. PROP. 244, 247–48 (2008).
27. See, e.g., Alex Mohensi, Doc APProvED: ‘Instagram for Doctors,’ 36 EMERGENCY MED. NEWS 22 (2014), http://journals.lww.com/em-news/Fulltext/2014/04000/Doc_APProvED___Instagram_for_Doctors_.15.aspx [https://perma.cc/2B9P-GKDX]; see also Esther K. Choo et al., Twitter as a Tool for Communication and Knowledge Exchange in Academic Medicine: A Guide for Skeptics and Novices, 37 MED. TCHR. 411, 413 (2014).
28. Bernard Marr, Big Data a Game Changer for Healthcare, FORBES (May 24, 2016, 1:55 AM), http://www.forbes.com/sites/bernardmarr/2016/05/24/big-data-a-game-changer-in-healthcare/#28efa52f3c75 [https://perma.cc/UYA3-MJKC].
29. Id.
30. Caroline Humer & Jim Finkle, Your Medical Record Is Worth More to Hackers Than Your Credit Card, REUTERS (Sep. 24, 2014, 2:24 PM), http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924 [https://perma.cc/X7QQ-4SVD].
31. U.S. GOV’T ACCOUNTABILITY OFFICE, INFORMATION RESELLERS: CONSUMER PRIVACY FRAMEWORK NEEDS TO REFLECT CHANGES IN TECHNOLOGY AND THE MARKETPLACE 52–53 (2013), http://www.gao.gov/assets/660/658151.pdf [https://perma.cc/U8JQ-SZZZ].
32. Id. at 53.
33. IMS HEALTH HOLDINGS, INC., 2015 ANNUAL REPORT 38 (2015), http://s2.q4cdn.com/521378675/files/doc_downloads/2016/IMS_2015_Annual-Report_Final_Final.pdf [https://perma.cc/V35F-JGCT].
Courts are confronting these new data uses and considering where they fit in existing legal structures, such as intellectual property law. Two cases decided by the US Supreme Court in recent years illustrate the challenge of sorting out legal rights where corporate interests in personal information are concerned.36 In 2013, in Ass’n for Molecular Pathology v. Myriad Genetics, Inc. (Myriad), the Court considered a challenge to a patent held by Myriad Genetics on genetic tests for certain genes that increase the risk of breast and ovarian cancer.37 The tests involved isolating natural DNA strands and creating synthetic complementary DNA that mirrored the original isolated strands with slight alterations.38 The Court ruled that synthetically created complementary DNA is patentable, while isolated natural DNA is not.39 Although the case appeared to be a relatively straightforward application of intellectual property law, granting corporations a protectable property interest in material derived from an individual’s DNA could have far-reaching implications.40 If a corporation can create a commodity from DNA, selling it and preventing others from making competing products, other activities that amount to ownership of a person’s biological material are not far off.
34. Id.
35. Global, National and Subnational Insights, QUINTILESIMS, http://www.imshealth.com/en/solution-areas/market-insights [https://perma.cc/NG8J-YY56] (last visited Nov. 12, 2016).
36. See generally Ass’n for Molecular Pathology v. Myriad Genetics, Inc., 133 S. Ct. 2107 (2013); Sorrell v. IMS Health Inc., 564 U.S. 552 (2011).
37. Myriad, 133 S. Ct. at 2110–11.
38. Id. at 2111.
39. Id.
40. Id. at 2113, 2120.
In 2011, the Court considered the constitutionality of legal restrictions on the use of collected personal information in Sorrell v. IMS Health Inc.41 Sorrell dealt with a common marketing practice, wherein pharmacies collect prescriber-identifying information when processing prescriptions and sell this information to “data miners.”42 Data miners use this information to produce reports on prescriber behaviors, de-identified with respect to patients but identifying the prescribing physician, which they lease to pharmaceutical manufacturers.43 Manufacturers then employ “detailers,” commonly known as pharmaceutical sales representatives or “drug reps,” who use the reports to strategically market and promote their drugs to physicians.44
The Vermont law in question prohibited pharmacies from selling or disclosing prescriber-identifying information for marketing purposes without the prescriber’s consent and further prohibited pharmaceutical manufacturers and marketers from using prescriber-identifiable information for sales marketing and promotion practices.45 The majority used a First Amendment free speech analysis to strike down the statute because it imposed a burden on the protected speech of the regulated pharmacies, manufacturers, and marketers, including plaintiff IMS Health, thereby restricting communication.46
The dissent, however, argued that Vermont’s law regulated commercial activity rather than speech and thus imposed no significant burden on free speech.47 Because the majority interpreted restrictions on the use of health information as a free speech violation rather than regulation of health information use and exchange for commercial purposes, the Court may have made it very difficult for legislators to regulate the activity of collecting and disseminating personal information, including health information, for profit. With respect to ownership of health information, it may not be possible after Sorrell to give ownership rights over health information to a particular individual or entity through statute, regulation, or common law because another party may be able to claim a constitutional right to use the information for their own purposes.
41. Sorrell, 564 U.S. at 557.
42. Id. at 558.
43. Id.
44. Id.
45. VT. STAT. ANN. tit. 18, § 4631(d) (West 2010), invalidated by Sorrell v. IMS Health, Inc., 564 U.S. 552 (2011).
46. Sorrell, 564 U.S. at 563–65.
47. Id. at 591–92.
The legal status of health information is the subject of robust debate and the legal landscape is in flux. Scholars debate what legal framework—whether property law, tort law, or constitutional protections of free speech—should apply to health information.48 Members of the public debate the ethics of using personal health information without consent, as in the case of Henrietta Lacks, whose cancer cells were taken, replicated, and later commodified for valuable research for decades without her consent and without her family’s knowledge.49 Policymakers debate the proper balance between the potential benefits of data derived from personal information and the need to protect privacy and other rights.50
At the federal level, ONC is leading efforts to define the rules of the road for the use and exchange of health information. For example, ONC released a set of guiding principles related to health information exchange governance in 2013, which were designed to serve as a common framework for organizations engaging in the data exchange for healthcare purposes.51 In 2015, ONC released the Federal Health IT [Information Technology] Strategic Plan 2015–2020,52 which highlights the importance of protecting health information privacy and security in order to support and advance “widespread use of all forms of health IT.”53 According to the Plan, clarifying federal and state laws governing the privacy and security of health information is a key component of promoting greater adoption of health information technology.54
48. See, e.g., Barbara J. Evans, Much Ado About Data Ownership, 25 HARV. J.L. & TECH. 70, 74 (2011) (arguing against propertization of health data); Bonnie Kaplan, Selling Health Data: De-Identification, Privacy, and Speech, 24 CAMBRIDGE Q. HEALTHCARE ETHICS 256 (2015) (comparing property and free speech framework and suggesting tort law as alternative); Paul M. Schwartz, Property, Privacy, and Personal Data, 117 HARV. L. REV. 2055, 2056 (2004) (criticizing tort law as comprehensive framework and suggesting property law as proper framework).
49. See generally REBECCA SKLOOT, THE IMMORTAL LIFE OF HENRIETTA LACKS (Random House 2010).
50. See, e.g., Marc A. Rodwin, Patient Data: Property, Privacy & the Public Interest, 36 AM. J.L. & MED. 586, 617 (2010).
51. THE OFFICE OF THE NAT’L COORDINATOR FOR HEALTH INFO. TECH., GOVERNANCE FRAMEWORK FOR TRUSTED ELECTRONIC HEALTH INFORMATION EXCHANGE 1 (2013), https://www.healthit.gov/sites/default/files/GovernanceFrameworkTrustedEHIE_Final.pdf [https://perma.cc/8WX9-DBFT].
52. THE OFFICE OF THE NAT’L COORDINATOR FOR HEALTH INFO. TECH., FEDERAL HEALTH IT STRATEGIC PLAN 2015–2020, at 4 (2015), https://www.healthit.gov/sites/default/files/9-5-federalhealthitstratplanfinal_0.pdf [https://perma.cc/BSG4-943T].
53. Id.
54. Id. at 43.
IV. LEGAL THEORIES OF INFORMATION OWNERSHIP
In law, ownership generally means legal title to something combined with the exclusive right to possess it.55 Legal title gives the owner a variety of rights, including rights to control, use, profit from, dispose of, and prevent others from using the thing that is owned.56 This concept is straightforward in the case of an object or piece of real estate. In the case of health information, ownership is usually less clear. A patchwork of laws grants various rights and obligations with respect to health information and medical records, including privacy, confidentiality, and the rights to access, amend, and direct the transfer of one’s health information.57 Some rights come from specific laws and regulations, while others are derived from broader principles of law, like privacy and property.58
Some states have laws granting specific ownership over medical records or health information either to the healthcare provider or, in New Hampshire, to the individual who is the subject of the information.59 Some of these state laws use the term “own” or “owner,” while others use the term “property.”60 In Wyoming, the law refers to the physical conveyance for the information, giving the provider ownership of “the paper, microfilm, or data storage unit upon which the patient’s information is maintained [and stating that patients] do not have a right to possess the physical means by which the information is stored,” although they must be given access to “pertinent information.”61 In New Hampshire, the state’s Patients’ Bill of Rights law states: “[m]edical information contained in the medical records at any facility licensed under this chapter shall be deemed to be the property of the patient.”62 This law is unique among states and, since providers retain a property interest in their business records, it is not clear how the conflicting property rights of patients and providers would be resolved in case of a dispute. There are also cases finding that medical records are the property of the healthcare provider who created them, even where there is no statute or regulation to that effect.63
55. Ownership, BLACK’S LAW DICTIONARY (10th ed. 2014).
56. E.g., Jane B. Baron, Property as Control: Case of Information, 18 MICH. TELECOMM. & TECH. L. REV. 367, 384 (2012).
57. E.g., Mark A. Hall, Property, Privacy, and the Pursuit of Interconnected Electronic Medical Records, 95 IOWA L. REV. 631, 649–50 (2010).
58. See id.
59. Who Owns Medical Records: 50 State Comparison, HEALTH INFO. & L., http://www.healthinfolaw.org/comparative-analysis/who-owns-medical-records-50-state-comparison [https://perma.cc/3H2N-XNF5] (last visited Nov. 12, 2016).
60. See id.
61. 024-052 WYO. CODE R. § 003 (LexisNexis 2016).
62. N.H. REV. STAT. ANN. § 151:21 (2016).
While ownership is significant, it may not determine who can do what with health information. Patients may have rights with respect to their medical records under some federal privacy laws and regulations.64 Many states have specific laws addressing how providers must maintain, protect, and dispose of records, as well as laws giving patients, providers, and others access to medical records, regardless of ownership status.65 The following discussion addresses the legal theories that could potentially serve as the basis for ownership of health information, including property law, intellectual property law, and privacy law.
A. Property law
In the United States, there is no recognized property interest in one’s own personal information.66 There may be property interests in specific types of information, as in the case of medical information under the New Hampshire law67 referenced above, or in the physical container that houses the information, such as a computer or diary.68 When information about individuals is compiled from public data or by an entity with legal access to the information, such as a credit card company, it can be sold without the permission of the subjects of the information, who are not entitled to any compensation.69 Information about customers, such as mailing lists, can be distributed alongside real property when a business is transferred.70
Property can be defined broadly as “any interest in an object, whether tangible or intangible, that is enforceable against the world.”71 As explained by the California Supreme Court, applying a broad definition, “[t]he term ‘property’ is sufficiently comprehensive to include every species of estate, real and personal, and everything which one person can own and transfer to another. It extends to every species of right and interest capable of being enjoyed as such upon which it is practicable to place a money value.”72 Others have limited the definition of property to the specific set of “legally sanctioned property forms” defined by legislatures.73 This Article uses a broad definition, modified to apply to health information. Thus, a property interest in health information may be defined as any interest in the health information that is enforceable against the world. Property rights under this definition are distinguished from the more limited rights that apply under the terms of a contract, where rights are enforceable only against a party to the contract, or rights that only apply in certain settings or for certain users, such as health information privacy and security regulations. When considering property rights in personal information, courts have historically held that such information belongs to no one until it is collected, at which point it belongs to the collector.74 Thus, when a company collects the names, addresses, phone numbers, and shopping histories of its customers, that information may become a protected piece of property that can be transferred along with other corporate property when the business is sold or sold outright as a product itself.75
63. See, e.g., Holtkamp Trucking Co. v. David J. Fletcher, M.D., L.L.C., 932 N.E.2d 34, 43 (Ill. 2010) (holding that medical records were physician’s property); McGarry v. J.A. Mercier Co., 262 N.W. 296, 297–98 (Mich. 1935) (holding that x-ray negatives were the property of the physician who made them, not the patient).
64. Hall, supra note 57, at 649–50.
65. See States, HEALTH INFO. & L., http://www.healthinfolaw.org/state [https://perma.cc/6DWF-FVSR] (last visited Nov. 13, 2016).
66. Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal Information, 37 U.C. DAVIS L. REV. 379, 403 (2003).
67. N.H. REV. STAT. ANN. § 151:21 (2016).
68. Hall, supra note 57, at 646–47.
69. Dwyer v. Am. Express Co., 652 N.E.2d 1351, 1352–53 (Ill. App. Ct. 1995).
70. E-7.04 Sale of a Medical Practice, AM. MED. ASS’N, https://www.denbar.org/docs/AMA%20(Professionalism)%20E-7.pdf?ID=2373 [https://perma.cc/5P5Y-WBAT] (last updated Sept. 26, 2005).
In the healthcare context, medical records typically belong to the physician, hospital, or another provider that created them.76 Thinking of healthcare like any other service industry, the medical record is a record of the service provided to the customer. For the healthcare provider, the information in a medical record is necessary for a number of purposes other than patient care. These include receiving payment for the service from an insurance company, complying with state and federal reporting requirements, supporting business functions such as profit-sharing among partners and paying taxes, and defending the provider in case of any claim of malpractice.77
71. Schwartz, supra note 48, at 2058.
72. Yuba River Power Co. v. Nevada Irrigation Dist., 207 Cal. 521, 524 (1929).
73. Thomas W. Merrill & Henry E. Smith, Optimal Standardization in the Law of Property: The Numerus Clausus Principle, 110 YALE L.J. 1, 10 (2000).
74. Bergelson, supra note 66, at 403.
75. E.g., Julia N. Mehlman, If You Give a Mouse a Cookie, It's Going to Ask for Your Personally Identifiable Information: A Look at the Data-Collection Industry and a Proposal for Recognizing the Value of Consumer Information, 81 BROOK. L. REV. 329, 331 (2015).
76. E.g., Hall, supra note 57, at 646–47.
77. Stanley J. Reiser, The Clinical Record in Medicine Part 2: Reforming Content and Purpose, 114 ANNALS INTERNAL MED. 980, 984 (1991).
As business records, medical records and the information they contain can be transferred when, for example, a partner leaves a medical practice or a practice merges with another institution.78 Custody of medical records may be made part of an employment contract between a practice and an individual physician or part of a contract for the sale of a practice.79 Patients cannot take the original medical record away from the provider who created it, as it remains a vital business record of the service provided.
On the other hand, the property interest in medical records is not exclusive to the individual or entity that created them.80 Because of the many rights held by individual patients with respect to their medical records, records may not be disposed of in the same manner as other property.81 Medical records cannot be destroyed or given to others without following the procedures prescribed by federal and state laws.82 Providers cannot prevent individuals from taking the information in their records and giving it to a competing provider.83 The property interest a physician has in medical records is fundamentally different from the property interest he or she has in an x-ray machine or stethoscope.84 Thus, while medical records are certainly property, they are a unique type of property.
Turning to the information contained in the medical record, it may be the property of the person or entity that collected it. In general, the collected form of the information may be “property,” which courts have recognized,85 rather than the individual pieces of the information itself. In the case of a customer list, for example, the list may be considered property in its collected form. However, when the names of some of the individuals from that customer list are available elsewhere, such as in a phone book, it cannot be said that the phone book contains the property of the company that collected the customer list. In other words, the fact that health information may be the property of one party in its collected form does not mean that the information itself is the property of the collector wherever it exists.
78. WILLIAM H. ROACH JR. ET AL., MEDICAL RECORDS AND THE LAW 333 (Jones and Bartlett Publishers 4th ed. 2006).
79. Id. at 339.
80. Mark A. Hall & Kevin A. Schulman, Ownership of Medical Information, 301 J. AM. MED. ASS’N. 1282, 1282–84 (2009).
81. See generally id.
82. E.g., Christine L. Glover, To Retain or Destroy? That Is the Health Care Records Question, 103 W. VA. L. REV. 619, 625–26 (2001).
83. See Hall & Schulman, supra note 80, at 1282–84.
84. Id.
85. E.g., In re Nw. Airlines Privacy Litig., No. CIV.04-126(PAM/JSM), 2004 WL 1278459, at *4 (D. Minn. June 6, 2004) (where airline passengers’ personal information was compiled and combined with other information to form a record, and the record itself became the airline’s property).
Whether or not the collected health information, like that in a medical record, could be the property of the person who is the subject of the information remains in question. In general, courts have refused to recognize property rights in information about oneself, even as they recognize causes of action where personal information is misused, as in the case of identity theft or misappropriation of an individual’s name or likeness for profit.86 Individuals have been unable to prevent the distribution of information about them by investigators, credit companies, and magazine publishers.87 Certainly, health information cannot be the exclusive property of the subject, since the information itself is contained in business records of the health providers who recorded the information and must be exchanged with others, such as regulators, insurance companies, and other providers, in order to do business.
What about genetic information, which is even more closely tied to an individual than a name or photograph? Does genetic information, such as a DNA sequence, have a special status as property even where other health information does not? In the famous Moore v. Regents of the University of California,88 a physician at UCLA Medical Center isolated a cell line from the patient Moore’s T-lymphocytes, extracted from biological samples taken during his treatment.89 The physician made agreements to profit from commercial development of the cell line and resulting products. Moore sued, claiming, among other causes of action, that the biological samples that yielded the cell line were his property that was illegally converted by the physician.90 To prove the tort of conversion, the “plaintiff must establish an actual interference with his ownership or right of possession . . . [w]here plaintiff neither has title to the property alleged to have been converted, nor possession thereof, he cannot maintain an action for conversion.”91 In Moore, the California Supreme Court held that Moore did not have an enforceable property interest in his cells under existing law, partly because he did not expect to retain possession of them after they were taken from his body.92 The court declined to extend conversion to the facts in Moore, noting the chilling effect on medical research and development of treatments that would result from giving every patient a property interest in their biological samples taken in the course of treatment and any resulting research or innovation.93 Interestingly, genetic information is one type of health information where states have given individuals a property interest under the law. In Alaska,94 Colorado,95 Florida,96 Georgia,97 and Louisiana,98 state statutes declare genetic information, DNA samples, or the results of DNA analysis to be the property of the individuals who are the subject of the information. Likewise, reproductive material has been deemed property after it has been removed from the body.99 In general, reproductive material itself is not sold but “donated,” although the donor may receive substantial compensation in exchange for her “donor services.”100 Indeed, egg donation is an $80 million market.101 The market is largely self-regulated: industry guidelines limit the amount of compensation an egg donor may receive, though no limits apply to sperm donation. These limits were challenged in a class action102 brought by egg donors that was settled in early 2016.103 Thus, given this history of treating reproductive material as property or allowing the sale of reproductive material using contracts in the same way other goods are sold, there is potentially a greater degree of ownership that applies to reproductive material than to other biological material or, more broadly, to health information.
86. I.J. Schiffres, Annotation, Invasion of Privacy by Use of Plaintiff's Name or Likeness in Advertising, 23 A.L.R.3d 865 § 4 (1969).
87. E.g., Dwyer v. Am. Express Co., 652 N.E.2d 1351, 1351 (Ill. App. Ct. 1995); Shibley v. Time, Inc., 341 N.E.2d 337, 340 (Ohio Ct. App. 1975); U.S. News & World Report, Inc. v. Avrahami, No. 95-1318, 1996 WL 1065557, at *6 (Va. Cir. Ct. June 13, 1996).
88. Moore v. Regents of Univ. of Cal., 793 P.2d 479, 487 (Cal. 1990) (rejecting individual's claim of property right in his genetic information).
89. Id. at 481.
90. Id. at 482.
91. Id. at 488.
In contrast, the status of preserved embryos is much less clear. Some courts have held that as potential persons, embryos cannot be property to be transferred like other marital property,104 while others have freely enforced contracts that determine how embryos are to be used or disposed of in the case of a separation.105 As the practice of assisted reproduction continues to become more common, the legal approach to the disposition of embryos may be informative for the question of health information ownership. At least two people have simultaneous and valid legal interests in a frozen embryo, created from their biological material, which is somewhat analogous to multiple parties having valid interests in a piece of health information.
92. Id. at 488–89.
93. Id. at 494.
94. ALASKA STAT. ANN. §§ 18.13.010–.030, .100 (West 2016).
95. COLO. REV. STAT. ANN. §§ 10-3-1104.6, 1104.7 (West 2016).
96. FLA. STAT. § 760.40 (2016).
97. GA. CODE ANN. §§ 33-54-1 to -8 (West 2016).
98. LA. STAT. ANN. § 22:1023 (2016).
99. E.g., Kurchner v. State Farm Fire & Cas. Co., 858 So. 2d 1220, 1221 (Fla. Dist. Ct. App. 2003) (holding that sperm outside of the body is property for purposes of insurance claim).
100. Kamakahi v. Am. Soc’y for Reprod. Med., No. C 11-01781 SBA, 2013 WL 1768706, at *3 (N.D. Cal. Mar. 29, 2013).
101. Id.
102. Kamakahi v. Am. Soc’y for Reprod. Med., No. 11-CV-01781-JCS, 2015 WL 1926312, at *1 (N.D. Cal. Apr. 27, 2015).
103. Jacob Gershman, Fertility Industry Group Settles Lawsuit over Egg Donor Price Caps, WALL ST. J. (Feb. 3, 2016, 11:01 AM), http://blogs.wsj.com/law/2016/02/03/fertility-industry-group-settles-lawsuit-over-egg-donor-price-caps/ [https://perma.cc/989S-CHXF].
As these examples illustrate, the practice of treating health information as property under the law has an uneven history. There are some forms of health information, such as medical records created by a healthcare provider in the course of doing business, that the law is comfortable treating as property. Other forms, such as biological materials and genetic information, have been treated differently. Because an ownership interest may be claimed in intangible information rather than the physical form of the record, some have proposed that health information be protected under intellectual property law.106
B. Intellectual Property Law
Intellectual property laws (which include trademark, copyright, and patent mechanisms) confer the rights of property on creations of the mind, such as scientific discoveries, artwork, designs, and written work, in which one could not otherwise have an exclusive interest.107 The term “[i]ntellectual property relates to items of information or knowledge, which can be incorporated in tangible objects at the same time in an unlimited number of copies at different locations anywhere in the world.”108 In order to be protected by a patent, which is the mechanism that would apply to most healthcare-related intellectual property, the discovery in question cannot be simply a “consequence of the body’s natural processes.”109 Even if the natural phenomenon in question is not identical across every person, if “the genetic correlations . . . exist apart from any human action,” the discovery is unpatentable.110 Most of the health information about an individual that is collected in medical records and databases is merely reporting on the observed biological state and processes of the individual who is the subject of the information. As such, it could not be protected by intellectual property law, even if a human made the observation.
104. Davis v. Davis, 842 S.W.2d 588, 593, 604 (Tenn. 1992).
105. E.g., Litowitz v. Litowitz, 48 P.3d 261, 274 (Wash. 2002).
106. See Schwartz, supra note 48, at 2076.
107. See What Is Intellectual Property?, WORLD INTELL. PROP. ORG., http://www.wipo.int/about-ip/en/ [https://perma.cc/HS98-PTZU] (last visited Nov. 14, 2016).
108. SRIKANTH VENKATRAMAN, UNDERSTANDING DESIGNS ACT 115 (2010).
109. Genetic Techs. Ltd. v. Bristol-Myers Squibb Co., 72 F. Supp. 3d 521, 530 (D. Del. 2014).
Courts in the United States have rejected attempts to patent diagnostic procedures and medical treatments.111 However, it is possible for a physician to use a very specialized technique for evaluating or treating a patient and for that technique to be protected by copyright or patent laws.112 The US Patent and Trademark Office (USPTO) issued guidance to illustrate what considerations may allow a procedure for evaluating or treating a natural process to be protectable.113 If such protection is granted, the physician may be able to shield the protected part of the evaluation from disclosure. Thus, there is some capacity for health information to be protected by intellectual property law, but it is limited under current standards.
C. Federal Privacy Law
1. Constitutional Law
The US Constitution does not explicitly enumerate a right to privacy.114 However, various amendments to the Constitution grant rights that relate to personal autonomy, an aspect of privacy insofar as individuals can choose whether or not to participate in certain activities or be subject to certain experiences, such as “the right to be left alone.”115 The US Supreme Court has also identified a right to privacy under the Fourteenth Amendment.116 Under the Fourteenth Amendment, a law is unconstitutional if it infringes upon the exercise of a fundamental right, such as the right to privacy, without a “compelling” state interest.117 The right to privacy is defined and determined on a case-by-case basis; for example, the Court has identified a specific right to privacy with respect to decisions about “family, marriage, motherhood, procreation, and child rearing.”118
110. Id. (citing Genetic Techs. Ltd. v. Agilent Techs., Inc., 24 F. Supp. 3d 922, 927 (N.D. Cal. 2014) (stating correlations between variation in non-coding and coding regions alone are unpatentable natural laws despite not being “universal” or “immutable scientific truths”)).
111. E.g., Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1298 (2012); PerkinElmer, Inc. v. Intema Ltd., 496 Fed. Appx. 65 (Fed. Cir. 2012). In Australia, by contrast, medical treatments are considered patentable. Apotex Pty Ltd v Sanofi-Aventis Australia Pty Ltd [2013] HCA 50.
112. See Memorandum from Andrew H. Hirshfeld, Deputy Comm’r for Patent Examination Policy, U.S. Patent and Trademark Office, to the Patent Examining Corps (Mar. 4, 2014), http://www.uspto.gov/patents/law/exam/myriad-mayo_guidance.pdf [https://perma.cc/3T4R-Z8C6].
113. Id.
114. Julie K. Freeman, Medical Records and the U.S. and Pennsylvania Constitutions’ Right to Privacy, 70 Pa. B.A. Q. 93, 95 (1999).
115. Robert E. Mensel, The Antiprogressive Origins and Uses of the Right to Privacy in the Federal Courts 1860–1937, 3 FED. CTS. L. REV. 109, 124 (2009).
116. See, e.g., Roe v. Wade, 410 U.S. 113, 164 (1973).
One aspect of the privacy concept is the ability to control one’s own information.119 However, existing Supreme Court case law does not recognize within the right to privacy a right to control information, though it has specifically declined to foreclose that possibility for the future.120 As it currently stands, the right to control one’s information, health-related or otherwise, is not considered a fundamental right, and thus any law infringing upon that ability need only be rationally related to a legitimate government purpose.121 Ten states explicitly recognize an individual’s right to privacy in their constitutions.122 These states prohibit unreasonable or unwarranted invasions of privacy, though none specifically include the right to control one’s personal information as an aspect of “privacy.”123 In general, however, the right to information privacy has been conferred primarily by statute and regulation rather than by courts’ application of a constitutional right.124
There is no comprehensive federal statutory framework governing health information privacy and security,125 but rather a patchwork of federal laws that often overlap or even contradict each other. The primary function of these laws and regulations is to limit the ways in which lawful holders of the information may use and share it, with or without the consent of the subject of the information.126 Although federal privacy laws and regulations do not explicitly confer an ownership interest in health information, they do grant information holders some ability to direct and control how the information is used.127 Some laws and regulations give individuals explicit rights with respect to their health information when it is in the possession of certain lawful holders of that information.128 These laws vary considerably in terms of the health information they protect and the entities they govern, though all of these laws apply only to identifiable information.129
117. Id. at 155–56.
118. Paris Adult Theater v. Slaton, 413 U.S. 49, 65 (1973).
119. See Hall & Schulman, supra note 80, at 1282–84.
120. ERWIN CHEMERINSKY, CONSTITUTIONAL LAW: PRINCIPLES AND POLICIES 856 (3d ed. 2006).
121. See id.
122. Privacy Protections in State Constitutions, NAT’L CONF. ST. LEGISLATURES (Dec. 3, 2015), http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-protections-in-state-constitutions.aspx [https://perma.cc/VG3R-Q6MY].
123. See id.
124. See id.
125. Jane Hyatt Thorpe & Elizabeth A. Gray, Big Data and Public Health: Navigating Privacy Laws to Maximize Potential, PUB. HEALTH REP. 130(2):171–75 (2015).
126. E.g., Hall, supra note 57, at 657.
2. HIPAA
The most widely referenced federal framework related to health information is the Health Insurance Portability and Accountability Act of 1996 (HIPAA)’s130 Administrative Simplification provisions131 and their enabling regulations—the Privacy, Security, Breach Notification, and Enforcement Rules, known collectively as “the HIPAA Rules.” Under HIPAA, individually identifiable health information is oral or recorded information created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse that identifies or could be used to identify an individual, and relates to the individual’s care or to his past, present, or future mental or physical health condition or payment for care.132 The HIPAA Rules do not apply to individually identifiable health information held in certain types of records, such as education records, or about individuals deceased for over fifty years.133 The information subject to HIPAA is referred to as “protected health information” (PHI). Much health-related information exists outside of HIPAA’s protections, including PGHD,134 consumer and sentiment data describing patient activities and preferences (i.e., exhaust data),135 and de-identified information—though these types of information may be subject to other laws and regulations.136
127. See id.
128. See id. at 646.
129. Id. at 659.
130. Health Insurance Portability and Accountability Act (HIPAA) of 1996, Pub. L. No. 104-191, 110 Stat. 139 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
131. See, e.g., id. at §§ 261–62.
132. 45 C.F.R. § 160.103 (2016) (“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual . . . .”).
133. Id.
134. Patient-Generated Health Data, supra note 15.
135. Nicolas P. Terry, Big Data Proxies and Health Privacy Exceptionalism, 24 HEALTH MATRIX 65, 85 (2014), http://scholarlycommons.law.case.edu/cgi/viewcontent.cgi?article=1005&context=healthmatrix [https://perma.cc/RR4R-Z4Y4].
The HIPAA Rules only regulate the use, disclosure, and management of PHI when it is in the possession of certain entities.137 These are Covered Entities (health plans, healthcare clearinghouses, and most healthcare providers)138 and their Business Associates (entities that have access to PHI in the course of performing certain services for or functions on behalf of a Covered Entity);139 HIPAA does not govern individually identifiable health information when it is in the possession of non-regulated entities (i.e., neither Covered Entity nor Business Associate), even if the information meets the definition of PHI.140
The HIPAA Rules collectively serve as the federal floor for identifiable health information privacy and security.141 The HIPAA Privacy Rule, as its name suggests, governs the privacy and confidentiality of PHI.142 It dictates when and to whom a Regulated Entity is permitted to disclose PHI, which can be grouped into three broad categories:
1. Required Disclosures: a Regulated Entity must disclose PHI to the individual subject of the information upon request143 and to the Secretary of the US Department of Health and Human Services (HHS) for enforcement and compliance purposes;144
2. Prohibited or Limited Disclosures: a Regulated Entity may not disclose PHI for certain purposes145 (e.g., most sales of PHI146) and must obtain an individual’s authorization to disclose certain types of PHI (e.g., psychotherapy notes147) in almost all circumstances;148 and
3. Permissive Disclosures: a Covered Entity149 may disclose [most] PHI without first obtaining the subject’s authorization for a variety of purposes (though some of these purposes require that, where practicable, the individual be given the opportunity to informally object to the disclosure150).151
136. See generally What Is “Health Information” for Purposes of the Mobile Device Privacy and Security Subsection of HealthIT.gov?, supra note 4.
137. 45 C.F.R. § 160.102(a), (b) (2016).
138. 45 C.F.R. § 160.103 (defining “covered entity” to include “[a] health plan,” “[a] health care clearinghouse,” and “[a] health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter”); see also § 160.103 (defining “health care clearinghouses” to include businesses or agencies that process nonstandard health information they receive from other entities into a standard format); § 160.103 (where “health information”—information (identifiable or not) that is created by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse and that relates to an individual’s healthcare or an individual’s past, present, or future physical or mental health or condition or payment for care—has a broader definition than “protected health information”); 45 C.F.R. § 162 (2016) (defining “covered health care provider” as one who electronically transmits health information in connection with “covered” transactions, which include, but are not limited to, benefit eligibility inquiries and claims).
139. 45 C.F.R. § 160.103 (defining “business associate” to include those who provide “legal, actuarial, accounting, consultation, data aggregation . . ., management, administrative, accreditation, or financial services”).
140. See, e.g., Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (codified at C.F.R. pts. 160, 164).
141. See 45 C.F.R. § 160 (2016); see also 45 C.F.R. § 160.203 (2016); 45 C.F.R. § 164.502 (2016).
142. See generally 45 C.F.R. §§ 164.500–.534 (2016).
143. 45 C.F.R. § 164.502(a)(2)(i), (4)(ii) (2016).
Any disclosures not required, permitted, or prohibited by the Privacy Rule require written authorization from the individual subject of the PHI.152 The “permissive disclosure” exceptions were designed to permit Covered Entities to engage in fundamental healthcare activities without being burdened by authorization requirements.153 Permissive exceptions include disclosures for purposes of treatment, payment, and healthcare operations,154 as well as a variety of purposes that benefit the public good, such as disease surveillance, national security, and law enforcement activities.155 These exceptions are so broad that Covered Entities essentially retain greater control over PHI than the actual subject of the information.156 However, in an effort to balance an individual’s interest in his or her own information with the need to enable proper functioning of the healthcare system, the Privacy Rule establishes six rights individuals have with respect to their PHI:
1. To be notified of uses and disclosures a Covered Entity may make;157
2. To request restrictions on some uses and disclosures, though a Covered Entity is only required to comply with such a request in very limited circumstances;158
3. To request that a health plan or a covered provider communicate PHI confidentially (i.e., by alternative means or at alternative locations), though a health plan is only required to comply in specific circumstances;159
4. To inspect and obtain a copy of PHI or have the Covered Entity transmit a copy of PHI to a designated third party;160
5. To amend PHI in certain circumstances;161 and
6. To receive an accounting of disclosures of PHI made in the preceding six years, though many types of disclosures are exempt from the accounting requirement.162
144. 45 C.F.R. § 164.502(a)(2)(ii), (4)(i).
145. See 45 C.F.R. § 164.502(a)(5).
146. 45 C.F.R. § 164.502(a)(5)(ii).
147. 45 C.F.R. § 164.508(a) (2016).
148. 45 C.F.R. § 164.508(a)(2).
149. See 45 C.F.R. § 164.502(a)(1); see also 45 C.F.R. § 164.502(a)(3) (stating that a business associate may only disclose PHI as required by its business associate contract or the law).
150. 45 C.F.R. § 164.510 (2016).
151. 45 C.F.R. § 164.512 (2016); see also OFFICE FOR CIVIL RIGHTS, PERMITTED USES AND DISCLOSURES: EXCHANGE FOR TREATMENT 1 (2016), http://www.hhs.gov/sites/default/files/exchange_treatment.pdf [https://perma.cc/8WK6-F6D5]; OFFICE FOR CIVIL RIGHTS, PERMITTED USES AND DISCLOSURES: EXCHANGE FOR HEALTH CARE OPERATIONS 1 (2016), http://www.hhs.gov/sites/default/files/exchange_health_care_ops.pdf [https://perma.cc/22LV-LN9M].
152. 45 C.F.R. § 164.502(a)(1).
153. See, e.g., Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 14776 (proposed Mar. 27, 2002) (to be codified at C.F.R. pts. 160, 164).
154. 45 C.F.R. § 164.506 (2016).
155. 45 C.F.R. § 164, §§ 510, 512 (2016).
156. See infra notes 168–73.
While the HIPAA Privacy Rule grants an individual substantial rights, including access to and some measure of control over their health information, because of the many exceptions to and limitations on these rights, they do not equate to the full control that ownership under a property theory would convey.163
3. Other Federal and State Statutes and Regulations Protecting Health Information Privacy
Some other federal statutes and regulations protect health information primarily based on its content. These include: 42 C.F.R. Part 2 (Part 2),164 which protects identifying information about substance abuse treatment patients, the Genetic Information Non-Disclosure Act of 2008 (GINA),165 which protects individuals’ genetic information, and the Patient Safety and Quality Improvement Act of 2005 (PSQIA),166 which protects identifiable patient safety work product. Other laws protect health information primarily based on its source. These include: the Fair Credit Reporting Act (FCRA),167 which protects medical information in consumer reports, the Privacy Act of 1974,168 which protects individually identifiable information—including health information—held by the federal government, the Family Educational Records Privacy Act (FERPA),169 which protects identifiable information—including health information—in education records, and the Public Health Services Act’s Title X,170 which protects health information collected by Community Health Centers.
157. 45 C.F.R. § 164.520(a)(1) (2016).
158. 45 C.F.R. § 164.522(a) (2016).
159. 45 C.F.R. § 164.522(b).
160. 45 C.F.R. § 164.524 (2016).
161. 45 C.F.R. § 164.526 (2016).
162. 45 C.F.R. § 164.528 (2016).
163. Hall, supra note 57, at 649.
164. 42 C.F.R. § 2 (2016).
a. The Genetic Information Non-Disclosure Act of 2008 (GINA)
GINA protects individuals’ genetic information171 from being used for certain purposes.172 Under Title I of GINA, health plans and health insurance issuers may not use genetic information to make coverage-related decisions about beneficiaries.173 Health plans and issuers generally may not even request that a beneficiary undergo genetic testing or provide genetic information, though there are limited exceptions.174
Title II of GINA prohibits employers from using genetic information to discriminate against employees or applicants and from using genetic information in employment decisions.175 Employers are generally prohibited from acquiring genetic information about an employee or applicant for any reason,176 with some exceptions where the acquisition is unintentional or for certain legitimate business purposes. Title II also requires that employers keep [legally acquired] genetic information confidential,177 and lists several purposes for which such information may be disclosed without the individual subject’s consent.178 GINA permits, but does not require, employers to disclose genetic information to the employee upon written request.179
165. Genetic Information Nondiscrimination Act (GINA) of 2008, Pub. L. No. 110-233, 122 Stat. 881 (tit. II codified at 42 U.S.C. § 2000ff).
166. Patient Safety and Quality Improvement Act (PSQIA) of 2005, Pub. L. No. 109-41, 119 Stat. 424 (codified in scattered sections of 42 U.S.C.).
167. Fair Credit Reporting Act (FCRA), 15 U.S.C. §§ 1681–1681x (2012).
168. Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (codified at 5 U.S.C. § 552a).
169. Family Educational Records Privacy Act (FERPA) of 1974, 20 U.S.C. § 1232g (2012) (implementing regulations at 34 C.F.R. § 99).
170. 42 C.F.R. § 51c.110 (2016).
171. “Genetic information” includes family medical history, information from genetic tests and services, requests for and receipt of genetic services, and participation in clinical research that includes genetic services. See, e.g., Genetic Information Nondiscrimination Act (GINA) of 2008, Pub. L. No. 110-233, tit. I, § 101(d), 122 Stat. 881, 883 (2008).
172. Note that GINA does not apply to life insurance plans, long-term care plan issuers, or disability insurers. Genetic Discrimination, NAT’L HUM. GENOME RES. INST., https://www.genome.gov/10002077/ [https://perma.cc/CF84-PPR3] (last updated May 2, 2016).
173. See, e.g., GINA tit. I, § 102(a)(4).
174. See, e.g., GINA § 101(b).
175. See, e.g., GINA tit. II, § 202(a).
GINA mandated amendments to HIPAA to ensure that “genetic information” is included within the definition of PHI, and that Title I’s prohibition on the use of genetic information by health insurers for underwriting purposes is also explicitly prohibited under HIPAA.180 GINA’s protections give individuals some control over their genetic information by limiting not just how that information can be used, but whether it can be obtained at all.181 GINA was enacted to ensure that individuals were not discouraged from utilizing genetic testing, technologies, research, and related therapies out of fear of discrimination.182
b. Privacy Act and FOIA
The Privacy Act of 1974 protects identifiable information about individuals, including health information, held or collected by the federal government.183 Generally, a federal agency may not release individually identifiable information to anyone without the subject of the information’s written consent.184 There are multiple exceptions to this prohibition, including for several legitimate governmental purposes, statistical research, and as required by the US Freedom of Information Act (FOIA).185 The Privacy Act does provide individuals certain rights with respect to their information, including the right to receive an accounting of certain disclosures made within the last five years,186 the right to review and obtain a copy of the information upon request,187 and the right to request an amendment to the information, though the agency is not required to comply with such a request.188 While the Privacy Act does give individuals some control over their information, it does not limit the information that may be collected or stored by a federal agency, though such limitations may exist in other laws or regulations.189 An individual cannot restrict, or even request that an agency restrict, how information is used or disclosed.190 Thus, the Privacy Act is quite broad, though its reach is limited by its relationship to FOIA.191
183. 5 U.S.C. § 552a (2012).
184. § 552a(b).
185. Id.
186. § 552a(c)(3).
187. § 552a(d)(1).
Under FOIA, any person may access any information contained in federal agency records,192 including individually identifiable information otherwise protected by the Privacy Act, unless the information is specifically exempted from disclosure.193 Generally, these exemptions prevent disclosure of information that is considered sensitive or of a personal nature; the most pertinent of these is exemption 6, which protects “personnel, medical, and similar files” where disclosure “would constitute a clearly unwarranted invasion of personal privacy.”194 Exemption 6 essentially closes the privacy gap created by the Privacy Act’s exception for FOIA-related disclosures.195 While exemption 6 does not give an individual more control over his or her health information in the possession of the federal government, the opportunities for such information to be shared without the individual’s consent are limited almost entirely to governmental and law enforcement functions.196
c. 42 C.F.R. Part 2
42 C.F.R. Part 2 protects identifying information, recorded or not, that could or does reveal that an individual received substance abuse treatment;197 Part 2 applies to all federally-assisted programs198 providing substance abuse diagnosis, treatment, or referral.199 While Part 2 information is also protected health information (PHI) and Part 2 programs are almost always Covered Entities, Part 2’s protection for patient identifying information provides much greater control to patients than HIPAA would otherwise provide.200 In general, Part 2-covered information may not be disclosed without the patient’s written consent,201 with limited exceptions. Part 2 also prohibits recipients of covered information from further disclosing the information without written consent or unless otherwise permitted by Part 2.202 Part 2 grants individuals some rights with respect to their covered information, though these are limited to the right to be informed of Part 2’s confidentiality protections203 and the right to access, inspect, and obtain a copy of his or her own records.204 Part 2’s provisions grant individuals the near-exclusive ability to control when and to whom their covered information is disclosed.205 Similar to GINA’s intended purpose, Part 2 was enacted to ensure that individuals were not discouraged from seeking substance abuse treatment due to privacy-related fears.206
Federal Privacy Law has been crafted to meet certain needs but is not a comprehensive regulatory scheme covering all types or uses of health information. It does not confer comprehensive ownership rights but does extend a number of rights and obligations over health information that may have the same effect as ownership under the law, in some circumstances, for those types and uses of information that are covered.
188. § 552a(d)(2).
189. § 552a(b)(1).
190. Id.
191. U.S. GOV’T GEN. SERVS. ADMIN., YOUR RIGHT TO FEDERAL RECORDS: QUESTIONS AND ANSWERS ON THE FREEDOM OF INFORMATION ACT AND THE PRIVACY ACT 16 (2009), https://www.justice.gov/sites/default/files/oip/legacy/2014/07/23/right_to_federal_records09.pdf [https://perma.cc/2V3V-R7BF].
192. 5 U.S.C. § 552(a)(6)(A) (2012).
193. § 552(b).
194. § 552(b)(6).
195. See id.
196. See id.
197. 42 C.F.R. § 2.12(a)(1)(ii), (a)(2) (2016).
198. A program is “federally assisted” if it is conducted by any federal department or agency (directly or under contract), is carried out under any federal license, certification, registration, or authorization (e.g., Medicare/Medicaid providers, providers with a DEA number), or receives any federal financial assistance (e.g., grants, federal tax-exempt status). § 2.12(b).
D. Contract Law
Contracts are a way to confer rights where they may or may not be granted by other legal authorities.207 Ownership can be granted, transferred, or revoked through the use of contracts.208 Regardless of ownership, any number of rights and responsibilities with respect to information can be delineated in a contract and enforceable in court with penalties for any breach.209 The limitation of a contract is, of course, that it is only enforceable against the parties to the contract.210 Thus, any protections granted to information by a contract will not follow the information if it is transferred to another person who, or entity that, is not a party to the contract.211
199. § 2.12(e)(2).
200. See, e.g., U.S. DEP’T OF HEALTH & HUMAN SERVS., THE CONFIDENTIALITY OF ALCOHOL AND DRUG ABUSE PATIENT RECORDS REGULATION AND THE HIPAA PRIVACY RULE: IMPLICATIONS FOR ALCOHOL AND SUBSTANCE ABUSE PROGRAMS 4 (2004), http://archive.samhsa.gov/HealthPrivacy/docs/SAMHSAPart2-HIPAAComparison2004.pdf [https://perma.cc/FSH9-E35P].
201. 42 C.F.R. § 2.1(a) (2016).
202. 42 C.F.R. § 2.12(d)(2)(iii).
203. 42 C.F.R. § 2.22(a) (2016).
204. 42 C.F.R. § 2.23(a) (2016).
205. See § 2.12.
206. 42 C.F.R. § 2.3(b)(2) (2016).
207. See RESTATEMENT (SECOND) OF CONTRACTS § 1 (AM. LAW INST. 2016).
Contracts may be used to limit or expand rights and responsibilities over information even where the information in question is already regulated, as in the case of Business Associate Agreements (BAAs) that regulate how Business Associates of Covered Entities must manage protected health information in order to comply with HIPAA.212 Even though the health information held by a Covered Entity is already regulated under HIPAA, the BAA can be used to extend HIPAA’s protections and liability for any breach to another entity.213
Contracts are a powerful way for parties to establish rights and responsibilities under the law, but they are limited because they only bind the parties to the contract. The privacy of people who are the subject of the information may be protected or left vulnerable by the terms of contracts to which they are not a party and which they cannot enforce.
E. State Law
States have wide latitude to define their own privacy framework, and as a result, state privacy laws vary considerably in terms of scope and application.214 State health information laws may mirror federal requirements, be more protective than federal law, or govern health information that is not specifically protected by federal law.215 In general, governed entities must comply with any state laws that are more protective of patients’ rights,216 as well as any state laws governing data, patients, or entities not regulated by existing federal law.217 More protective state laws are generally content-based and focus specifically on highly sensitive information, such as HIV/AIDS test results,218 STD treatment information, and mental health information,219 and information about vulnerable populations, such as minors, incarcerated adults, and those declared legally incompetent.220 States also generally have laws governing state-based registries, compulsory health information reporting, health insurers, public health entities, and provider licensure—all of which may contain requirements related to data sharing and confidentiality.221
208. See id.
209. See, e.g., DAVID R. MELLOH, HIPAA PRIVACY AND MANAGED CARE ORGANIZATIONS IN THE ELECTRONIC ENVIRONMENT, at I (2000).
210. See, e.g., Winterbottom v. Wright (1842) 152 Eng. Rep. 402, 405 (holding breach of contract not available as remedy for injured mail-coach passenger because there was no “privity”).
211. See id.
212. 45 C.F.R. § 164.504(e) (2016).
213. See id.
214. See States, supra note 65.
215. For more information about state laws governing health information, see id.
V. POLICY CONSIDERATIONS
As is evident from the discussion above, individuals in the United States have a patchwork of rights, sometimes overlapping, with respect to information about them held by others and the use of that information. These rights are more or less enforceable depending on their source and the jurisdiction in question. What happens when these rights conflict? For example, suppose one person has a property interest in information about a second person, such as ownership of a database containing health information, and the second person has a privacy interest in keeping his or her information from being sold to other entities. Whose rights prevail? Historically, individuals have needed to prove a tort violation with damages to enforce privacy rights, such as appropriation of one’s likeness, identity theft, or egregious invasion of privacy.222 The HIPAA Privacy Rule confers some specific rights but enforcement is limited for aggrieved individuals because there is no private right of action to enforce HIPAA.223
216. JOY PRITTS ET AL., PRIVACY AND SECURITY SOLUTIONS FOR INTEROPERABLE HEALTH INFORMATION EXCHANGE: REPORT ON STATE LAW REQUIREMENTS FOR PATIENT PERMISSION TO DISCLOSE HEALTH INFORMATION, at 1-2 to 1-3 (2009), https://www.healthit.gov/sites/default/files/290-05-0015-state-law-access-report-1.pdf [https://perma.cc/D48S-A2JY].
217. Id.
218. State HIV Laws, CTRS. DISEASE CONTROL & PREVENTION, http://www.cdc.gov/hiv/policies/law/states [https://perma.cc/DWU5-KRG4] (last updated Aug. 29, 2016).
219. See generally INST. OF MED., IMPROVING THE QUALITY OF HEALTH CARE FOR MENTAL AND SUBSTANCE-USE CONDITIONS: QUALITY CHASM SERIES (National Academies Press 2006).
220. See, e.g., Carol A. Ford & Abigail English, Limiting Confidentiality of Adolescent Health Services, 288 J. AM. MED. ASSN. 752, 752 (2002).
221. See States, supra note 65.
222. Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal Information, 37 U.C. DAVIS L. REV. 379, 405 (2003).
The European Union (EU) recently adopted a regulation for the protection of personal data across the EU that gives individuals broad rights to control the use of personal information about them.224 Adopted April 27, 2016, the EU General Data Protection Regulation includes a number of rights for individuals who are the subject of personal information and obligations of member states to protect that information, though as with other EU regulations, there are many ways in which member states’ application of the regulation will vary.225 Among the most significant aspects of the Regulation are the designation of “the right to the protection of personal data” as a fundamental right226 and the codification of a “right to be forgotten,” where individuals have the right to withdraw consent at any point and have their data erased by any data holder.227 Some have argued that this Regulation amounts to a property regime because it gives individuals substantial rights over their personal information akin to property rights.228 For example, the protections created by the Regulation run with the information and bind third parties with whom the individual subject of the information may have no relationship.229 The Regulation includes many exceptions, such as data processing necessary for public health, scientific research, and the provision of social services, and there will be substantial variation in how EU member states put the Regulation’s broad principles into effect in their individual jurisdictions.230 However, it creates a general right of access and control for the subject of the information, across all types of personal information, that is far more comprehensive than current US policies.
In contrast to the patchwork of rights that currently apply to health information in the US and even the more comprehensive EU regulation, ownership is a more concrete legal theory for enforcing rights in information that would give more certainty to the field. However, having enforceable ownership of personal information depends on the law recognizing the information as property or intellectual property.231 As discussed above, health information does not fit neatly under these legal constructs, though policymakers and courts may expand the definitions for the two types of protected information to grant ownership rights over health information. It may be, however, that information can never be “owned” the way a piece of real estate is owned because so many people have access to that information, by consent or by necessity, that one cannot be considered to be the exclusive owner of it.
223. See In re Nw. Airlines Privacy Litig., No. 04 Civ. 126 (PAM/JSM), 2004 WL 1278459, at *4 (D. Minn. June 6, 2004).
224. Council Regulation 2016/679, 2016 O.J. (119) (EU), http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC [https://perma.cc/W6KN-CRFV].
225. See generally id.
226. Id. at 1.
227. Id. at 12–13.
228. Jacob M. Victor, The EU General Data Protection Regulation: Toward a Property Regime for Protecting Data Privacy, 123 YALE L.J. 513, 515 (2013).
229. Council Regulation 2016/679, supra note 224, at ch. III, art. 17.
230. See, e.g., id. at ch. IX, art. 88.
Does it even matter whether an individual “owns” his or her health information? Where specific rights are conferred with respect to an individual’s health information, such as under the HIPAA Privacy Rule, the individual maintains the right to access and share that information even where his or her healthcare provider owns the medical record.232 It may be that comprehensive privacy laws can grant enough rights to the individual and impose enough responsibilities on holders and users of personal health information that ownership becomes irrelevant because it would convey no benefit beyond what already exists.
The legal structures governing privacy have not yet reached this ideal, but using a property approach that assigns ownership of information to the individual subject of the information may not be good public policy. Ownership implies that the thing that is owned can be taken away and potentially disposed of whenever desired by the owner. But such exclusive rights may conflict with other interests. In the case of medical records, those records exist also as business records documenting the healthcare provider’s services. The information may be valuable to the public, as information about the quality of care provided at a healthcare institution, data for scientific research, or evidence of a communicable disease, for example.
On the other hand, as health information is increasingly being commodified, profit-seeking by individuals and organizations—either traditional healthcare entities, such as providers and insurers, or third parties whose function is simply collecting and selling information—may call for increased protection for the subjects of the information. In the case of healthcare providers, ethical and practical considerations provide some protections for individuals. Providers have a duty to avoid harm, to ensure informed consent, and to provide a certain standard of care regardless of their financial interest, in addition to complying with laws that protect patient privacy and govern medical research.233 However, other entities, such as data brokers, may have no such duties. If the law were to convey an ownership interest to the subject of the data being bought and sold, that individual would have an enforceable right not only to control the use of his or her information, but also the potential to profit directly from it or claim a share in any profit that results from its use by others. If patients were granted ownership interests over their information, it would be important to ensure that such rights did not inhibit important medical innovation and public health activities. These essential activities could be preserved through careful regulation because the law allows the restriction of property interests for the public good, as in the case of zoning laws and other regulatory takings.
231. E.g., Hall, supra note 57, at 645.
232. For example, rights to request privacy protection for protected health information. See, e.g., 45 C.F.R. § 164.524 (2016).
In the healthcare setting, the potential for conflicting profit motives between patient and provider could chill a relationship that depends on honest exchange of information. If an individual can potentially profit from the sale of his or her information, that individual may wish to withhold it to prevent its disclosure through another route. Alternatively, a patient may simply wish to prevent his or her provider from making additional profit off of his or her information, which is certainly a disconcerting thought for many patients. While there have always been financial incentives in the US healthcare system, they have generally been limited to fees and reimbursements received for the provision of services.234 But it may be that, in addition to these usual sources of income, a provider will create a product from the personal information gathered about his or her patients and sell that for a profit. As research and technology venture further into the realm of personalized medicine, it may be that details about individual patients become more valuable, such as for use in creating treatments or tools to support diagnosis. We may see more cases similar to Moore,235 based on the use of specific information about patients to develop profitable products, perhaps revisiting the question of the use of genetic material.
233. Marc A. Rodwin, Financial Incentives for Doctors, 328 BMJ 1328, 1328–29 (2004), http://www.ncbi.nlm.nih.gov/pmc/articles/PMC420273/pdf/bmj32801328.pdf [https://perma.cc/2FTA-32S3].
234. See, e.g., Mark Hagland, How Does Your Doctor Get Paid?, FRONTLINE, http://www.pbs.org/wgbh/pages/frontline/shows/doctor/care/capitation.html [https://perma.cc/7J4T-UJ9N] (last visited Nov. 14, 2016).
235. Moore v. Regents of Univ. of Cal., 793 P.2d 479 (Cal. 1990).
VI. CONCLUSION
The legal environment surrounding health information is dynamic and varied. Because of the expanse of rights at issue and the fact that many of them are subject to regulation by all fifty states in addition to the federal government, there is no single solution to address the issue of health information ownership. As illustrated, a variety of different laws and legal theories can be applied, potentially causing confusion for users of health information and the individuals who are the subject of the information. Valid rights and responsibilities can conflict. Unregulated activities appear that use health information in unanticipated ways, which may be threatening to the individual subjects of the information. Ownership is a familiar concept that some see as a simple way to clarify legal rights; indeed, many healthcare consumers may be surprised to discover that they do not already own their health information. However, conferring ownership to one party may interfere with legitimate claims of another party or important public goals. For example, vesting full ownership of health information in patients under a property scheme may harm research, hinder performance measurement, and limit important public health activities like disease surveillance. On the other hand, vesting full ownership with healthcare providers may prevent oversight, inhibit quality improvement, reduce patient autonomy, and limit patients’ willingness to share information necessary for proper medical treatment. Given the balance of rights that must be struck to protect important public goals, we suggest that rights over health information should be resolved by new policies rather than under existing legal structures.
As technology evolves to enable greater capability to digest health information and make it meaningful while the market responds to greater, more expansive uses of health information for a wider variety of stakeholders, policymakers at the federal and state levels should work to develop a legal framework to govern the many uses for and users of health information. It is important that this framework be as consistent as possible across settings and jurisdictions so that the many stakeholders in the health information marketplace know their rights and responsibilities and the public’s interest in appropriate sharing of health information is protected.
Copyright of Vanderbilt Journal of Entertainment & Technology Law is the property of Vanderbilt University Law School and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
Project Case Study: A New Direction for Delta Pacific
Introduction
In a global business environment where organizations can no longer rely on traditional factors that historically led to a competitive advantage, such as access to proprietary technology, exclusive rights to raw materials, or proximity to customers and markets, many organizations have restructured to capitalize on new success factors. In the United States that has resulted, in many cases, in a shift from product- or service-based businesses to knowledge-based businesses (OECD, 1996; Powell & Snellman, 2004). Powell & Snellman (2004) define the key components of a knowledge economy as "... a greater reliance on intellectual capabilities than on physical inputs or natural resources" (p. 201). This case presents the challenges facing an organization as it transitions from its traditional business model to one that incorporates greater reliance on the knowledge of its workforce. The focus of this case is on the role of the organizational behavioral system in facilitating a successful transition to the new corporate strategy.
The Case Scenario
The Delta Pacific Company (DPC) has a long history of success. The company has been at the forefront of the development of information technology since the 1970s and led the market in technology development, manufacturing, and sales throughout the 1980s to the mid-1990s. DPC was a success story. They consistently met or exceeded their profit targets, successfully integrated new technology into their products, and they were considered one of the best employers in the country. With generous benefit packages, a high quality of work life, industry-leading salaries, and a corporate culture that considered its employees to be part of a family, potential employees were lined up for opportunities to join DPC.
However, with the advent of globalization, freer trade, and low-cost overseas labor, DPC found itself slowly losing market share for its primary product: computer hardware. DPC had prided itself on producing and selling the best products and training its sales force to develop long-term relationships with clients that brought them back year in and year out for DPC's technology. Along with hardware, DPC also sold service contracts and training classes for the end users of their products. By the late 1990s it became clear to the leadership at DPC that they could no longer compete with less expensive products being produced overseas. At one time they could sell their higher-priced goods on the premise that they were of higher quality, but that was no longer the case. Foreign-made products were now being produced to match or even surpass the quality standards set by DPC. However, conversations between sales representatives and their clients did indicate one thing: the clients valued the personal interaction they had with the sales reps and the personalized advice that the reps could provide to help them reach their goals. DPC recognized that they needed to make a change, and they believed they had a new vision for their company.
As they entered the 21st century, DPC moved away from hardware solutions to business challenges and shifted instead towards knowledge-based solutions. Rather than selling equipment, DPC began to market the extensive knowledge of their workforce. DPC would no longer sell the equipment; they would instead provide integrated knowledge-based solutions to information management problems. Essentially, they would become a consulting firm that would assist their clients in setting up systems to facilitate information management. But now their solutions would go beyond hardware and encompass software, organizational design, data collection management, workflow, and overall information management re-engineering. Sales reps underwent significant training to prepare them for their new roles. However, the redesigned jobs were not a good fit for all of the sales reps. Some moved on to other types of positions within the company, but others left to pursue opportunities elsewhere.
As expected, profitability declined during the initial introduction of this new organization mission as employees became accustomed to their new roles. Due to the time taken to train employees, they were spending less time in the field with their clients generating revenue and more time in the classroom being oriented to their new roles. However, the decline persisted much longer than anticipated and the company's leadership team, board of directors and the shareholders were growing impatient with the slow returns. It became increasingly apparent that while the training, resources, and equipment were in place, significant changes in the organizational behavior system at DPC were necessary to ensure long term success.
Deliverable 6 - Successful Change Management
Assignment Content
Competency
Examine leadership's role in executing successful change.
Student Success Criteria
View the grading rubric for this deliverable by selecting the “This item is graded with a rubric” link, which is located in the Details & Information pane.
Instructions
Delta Pacific Case Study
As the change leader for Delta Pacific Company (DPC), you know certain elements need to be in place by leadership for a change to be successful. DPC wants to change the culture from the more traditional manufacturing environment to one of a contemporary consulting environment.
Now it's time for you to help the leaders execute a successful change:
· Determine how leadership impacts the organizational culture during this change
· Examine elements that are critical to making this change sustainable
· Assess the top mistakes leaders make and determine the best way to avoid those mistakes
As the change leader, it is your responsibility to help ensure a successful change in the shift of DPC's organizational culture. Part of this includes alerting leadership to how their own behavior impacts change and how change can be sustainable.
Conduct academic research and create a plan to present to the CEO and board in which you complete the following successful change management plan:
· Explanation of leadership behaviors that impact organizational change.
· Description of critical factors that ensure this cultural shift will be sustainable.
· Examination of the top mistakes leaders make during a change.
· Explanation of your recommendations as to the best ways the leaders can avoid making those mistakes.
· Remember that this is a proposal. Make sure to format your paper properly for your proposal. A proposal is a persuasive document, so make sure to use proper language and tone. Remember, you are the change leader, and you are writing to the CEO. So use a tone in your proposal that is specific to your audience (the CEO).
Include your APA-formatted reference page with at least two credible sources.
MANAGEMENT SCIENCE Vol. 62, No. 4, April 2016, pp. 1042–1063 ISSN 0025-1909 (print) | ISSN 1526-5501 (online) http://dx.doi.org/10.1287/mnsc.2015.2194
© 2016 INFORMS
The Impact of Privacy Regulation and Technology Incentives: The Case of Health Information Exchanges
Idris Adjerid, Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556
Alessandro Acquisti, Rahul Telang, Rema Padman, H. John Heinz III College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213
Julia Adler-Milstein, School of Information, University of Michigan, Ann Arbor, Michigan 48109
Health information exchanges (HIEs) are healthcare information technology efforts designed to foster coordination of patient care across the fragmented U.S. healthcare system. Their purpose is to improve efficiency and quality of care through enhanced sharing of patient data. Across the United States, numerous states have enacted laws that provide various forms of incentives for HIEs and address growing privacy concerns associated with the sharing of patient data. We investigate the impact on the emergence of HIEs of state laws that incentivize HIE efforts and state laws that include different types of privacy requirements for sharing healthcare data, focusing on the impact of laws that include requirements for patient consent. Although we observe that privacy regulation alone can result in a decrease in planning and operational HIEs, we also find that, when coupled with incentives, privacy regulation with requirements for patient consent can actually positively impact the development of HIE efforts. Among all states with laws creating HIE incentives, only states that combined incentives with consent requirements saw a net increase in operational HIEs; HIEs in those states also reported decreased levels of privacy concern relative to HIEs in states with other legislative approaches. Our results contribute to the burgeoning literature on health information technology and the debate on the impact of privacy regulation on technology innovation. In particular, they show that the impact of privacy regulation on the success of information technology efforts is heterogeneous: both positive and negative effects can arise from regulation, depending on the specific attributes of privacy laws.
Keywords: privacy; information systems; IT policy and management; economics of information systems; healthcare
History: Received April 19, 2012; accepted December 16, 2014, by Anandhi Bharadwaj, information systems. Published online in Articles in Advance November 13, 2015.
1. Introduction The U.S. healthcare system is in the midst of an information technology revolution. Adoption of electronic medical record (EMR) systems is quickly rising (Office of the National Coordinator for Health Information Technology 2012). In parallel, health information exchanges (HIEs) have emerged. HIEs provide information technology solutions that allow electronic information sharing between otherwise disconnected healthcare organizations. They are intended to facilitate the exchange of patient health information between hospitals belonging to different health systems or distinct physician practices. In turn, this enables patients’ health records to electronically follow them between care settings. HIEs are viewed as a particularly critical investment because much of the anticipated efficiency and quality gains from EMRs come from the ability to support the electronic exchange of patient data across healthcare providers (Walker et al. 2005). Without HIEs, data are trapped in individual institutions, thereby inhibiting coordination of care, resulting in avoidable medical errors, and driving up costs from duplicative utilization. This has resulted in substantial legislative activity¹ aimed at realizing the vision of nationwide adoption of EMRs coupled with the ability to exchange data between them (Blumenthal 2010).
Legislative efforts have focused on creating a favorable environment in which HIEs can flourish. The rationale for government involvement is that HIEs have experienced both slow growth rates and high failure rates across the United States (Adler-Milstein et al. 2009, 2011). Research on the underlying causes of these failures revealed an array of barriers to the development of HIE efforts. Central among them are challenges related to financial sustainability (National eHealth Collaborative 2011, Vest and Gamm 2010, eHealth Initiative 2005–2010) and issues related to patient privacy (Simon et al. 2009, McDonald 2009, McGraw et al. 2009). These challenges have spurred 25 states (as well as the District of Columbia) to enact legislation to incentivize HIE efforts (e.g., by providing funding for HIE efforts), address privacy concerns, or, most often, both. However, the best approach to ameliorating the issues associated with HIE efforts remains unclear. In particular, HIEs have spurred significant debate over the appropriate balance of patient privacy and the potential gains to healthcare providers and their patients. The sensitivity of the digital health information that is exchanged by HIEs has made the role of patient consent especially contentious.
¹ See, e.g., the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Pub. L. No. 111-5, 123 Stat. 226 (2009); and the Patient Protection and Affordable Care Act of 2010, Pub. L. No. 111-148, 124 Stat. 119 (2010).
Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1043
One side of the debate is that consent requirements add administrative costs and restrict the availability of patient information (National eHealth Collaborative 2011, Pritts et al. 2009). By contrast, Simon et al. (2009) find that patients felt that their consent should be obtained for the exchange of health information (i.e., an opt-in system); a system that assumed their willingness to participate without obtaining explicit consent (i.e., an opt-out system) would not be acceptable. Thus, policy makers seeking to foster the growth of HIE efforts face the same challenge that emerges in other industries: how to address privacy concerns without overregulating the disclosure of personal information and stifling the growth and emergence of valuable information technology efforts reliant on it.
Careful empirical literature related to that challenge has been recently emerging. Work by Miller and Tucker (2009) finds that the presence of privacy regulation inhibits technology adoption by hospitals. In subsequent work, Miller and Tucker (2011) account for some of the variation in the statutory requirements of privacy regulation and hospital characteristics, and they identify some heterogeneous effects of privacy regulation.² Adopting a similarly granular approach to measuring privacy regulation, we explore whether different forms of privacy regulation enable or impede HIE efforts. Extending prior work, we differentiate between states that coupled privacy regulation with HIE incentives and those that did not. We posit that incentives could offset the significant costs associated with HIE efforts, including those that arise from varying degrees of privacy regulation. We evaluate the impact of these laws compared to states with no laws pertaining to HIE efforts.
² For instance, they find that, although privacy regulation most often negatively impacted hospital technology adoption, it also had a positive effect on adoption in some cases (e.g., when laws had limits on redisclosure).
Our empirical strategy takes advantage of the fact that across different states policy makers have approached HIE challenges in different ways, enacting legislation that varied both in terms of the incentives they create for HIEs, and in terms of the types of privacy protections they afford to patient data exchanged through HIEs. Specifically, some states enacted legislation with HIE incentives alongside requirements for patient consent while other states enacted legislation with HIE incentives but with privacy regulation that did not require consent. Yet other states enacted legislation with HIE incentives but no privacy regulation or only privacy regulation, or they did not enact relevant legislation at all. Our work leverages this variation to evaluate the impact of this legislation—in particular, the variation in privacy protection afforded by these laws—on the propensity of regional healthcare markets to have an HIE working toward exchange capabilities (planning HIE) or an HIE that is actively exchanging patient health information between healthcare entities (operational HIE). We use semiannual data from a six-year period (2004–2009) to compare the probability of a hospital referral region (HRR)³ having an HIE in the planning or operational stage across states with variation in the extent to which legislation provided patients the right to consent to the exchange of their data by the HIE. We disentangle the impact of consent requirements from HIE incentives using between-state and across-time variation in consent requirements and regulations providing HIE incentives. We include HRR and time fixed effects and control for relevant observables (e.g., other elements of the laws, differences in HRR wealth, populations, health information technology (IT) adoption).
Although we show that privacy regulation without incentives had a negative effect on HIE efforts, we also find that privacy regulation, particularly regulation that includes consent requirements, was a necessary condition for incentives to positively impact HIE efforts. Incentives coupled with privacy regulation that included requirements for patient consent resulted in a 47% increase in the propensity of an HRR having a planning HIE and a 23% increase in the propensity of an HRR having an operational HIE. By contrast, incentives without any privacy regulation resulted in no measurable gain in the propensity of HRRs having planning or operational HIEs, and incentives coupled with privacy regulation that did not include consent requirements resulted in either no gains (e.g., for planning HIEs) or comparably modest gains (a 9% increase in the propensity of an HRR having an operational HIE) that only offset but did not overcome the baseline negative effects of privacy regulation. As a result, of all attempts to incentivize HIE efforts, only those coupled with privacy regulation including consent requirements resulted in a net gain in HIE efforts. Specifically, HRRs in these states saw an 11% net increase in the propensity of having an operational HIE.
³ HRRs are areas defined by the Dartmouth Atlas for Healthcare as regional healthcare markets for tertiary medical care that contain at least one hospital that performs major cardiovascular procedures and neurosurgery (Wennberg and Cooper 1996, p. 201).
Our findings are bolstered by the fact that we do not find evidence that HIE laws are passed as a result of increased HIE activity (i.e., reverse causation). We find consistent results when we consider the impact of unobservable state characteristics that may be correlated with the passage of HIE incentives (such as changes in political attitudes or public opinion toward the importance of health IT). Moreover, we find no correlation between consent requirements and the availability of funding or the number of patients covered by an HIE. We theorize that this surprising interplay between HIE incentives and consent requirements may be due to an association between incentives and privacy concerns. Specifically, we posit that incentives may be associated with an increased attention to and salience of HIE privacy concerns, which inhibits their effectiveness when they are not coupled with comprehensive privacy regulation (e.g., regulation with consent requirements). We find evidence in support of this interpretation: HIEs in states with incentives but no consent requirements were significantly more likely to report that privacy was a major challenge in their development relative to HIEs in states with other legislative approaches (including no law). By contrast, HIEs in states with consent requirements reported the lowest level of privacy concerns.
Our work contributes to two streams of literature. One stream relates to the adoption and the diffusion of IT in healthcare—in particular, the factors and barriers that impact their adoption (Angst and Agarwal 2009, Angst et al. 2010, Anderson and Agarwal 2011). Specific to HIEs, numerous national surveys have suggested that health privacy issues are some of the most significant barriers to HIE efforts (eHealth Initiative 2005–2010, Adler-Milstein et al. 2009, 2011). As a result, research has also focused on how to address privacy concerns associated with information technology in healthcare and HIE in particular (Greenberg et al. 2009, McDonald 2009, McGraw et al. 2009). Within this stream of literature, which is largely nonempirical, experts disagree on the appropriate solution for addressing privacy concerns. To our knowledge, our work is the first to empirically evaluate the impact on the emergence of planning and operational HIEs of varying approaches to privacy regulation.
Another stream relates to the economic and policy literature evaluating the impact of privacy protections on technological progress. Numerous consumer services thrive today thanks to the exchange and use of personal—and sometimes sensitive—information. The risks associated with the potential misuse of that information, however, have fueled a debate over the best approach to protecting consumers’ privacy and the role of regulation in that protection (Solove 2004, Lenard and Rubin 2005). This has led to a small but growing body of careful empirical analyses of that relationship (e.g., Miller and Tucker 2009, 2011; Goldfarb and Tucker 2011). We extend that work in various ways. First, this literature has either focused on contexts where technology incentives did not exist or (as in the case of work in the context of health IT) predated a paradigm shift in the policy approach toward promoting health IT. Focusing on the interaction of various forms of privacy regulation with previously unstudied attempts to promote information technology efforts in healthcare, we document a surprising interplay between state initiatives aimed at incentivizing HIE efforts and privacy regulation. We find that HIE incentives consistently offset the negative baseline effects of privacy regulation on HIEs and, more surprisingly, that incentives were more effective in doing so when coupled with privacy regulation that included consent requirements. This suggests that the potential fixed costs that arise from regulatory privacy protection may be proactively managed by accompanying incentives for information technology efforts. Interestingly, coupling more comprehensive privacy protections (e.g., consent requirements, which seemingly impose higher costs on HIEs) with HIE incentives may sometimes be preferred if those protections alleviate privacy concerns that dampen the propensity of incentives to enable HIE efforts.
Furthermore, research is emerging that points to heterogeneous effects of privacy regulation on information technology efforts (e.g., the net effect of privacy regulation on hospital IT adoption may depend on the number of hospitals in a county; see Miller and Tucker 2011). By documenting the differential impacts on HIE efforts of privacy regulation with and without incentives, we extend the understanding of the heterogeneous effects of privacy regulation on technology efforts. Thus, the findings presented here suggest that regulators may have an opportunity to provide meaningful privacy protection to patients while encouraging the growth and success of valuable information technology efforts. For instance, legislative efforts such as the HITECH Act of 2009, which couple significant incentives for health IT with enhanced privacy protections for patients, may offer an effective approach toward providing improved patient privacy protections while encouraging the growth of valuable health information technology solutions.
2. Background The healthcare delivery system in the United States is highly fragmented. Most people, over their lifetime, receive care from multiple medical providers who practice in unaffiliated settings. As a result, different pieces of a patient’s medical history reside in the various places in which they received care, forcing medical providers to make clinical decisions with incomplete information. This can contribute to a range of negative patient consequences, including missed diagnoses, duplicative testing, dangerous combinations of medications, and poor care coordination. Prompted by estimates of gains in quality⁴ and efficiency⁵ of patient care, enabling clinical data to electronically follow patients between care delivery settings has gained substantial support. In particular, in recent years, there has been an increase in efforts to facilitate electronic exchange of patient data via HIEs.
HIEs are information technology service organizations that provide a governance framework and technology solution for exchanging patient data. Entities with clinical data, such as hospitals, physician practices, and laboratories (“healthcare entities”), are the most common participants in an HIE, and they most often send and receive test results as well as care summaries.
HIE development typically occurs in two stages: planning and operational. In the planning stage, a group of healthcare stakeholders in a given community initially come together informally to discuss the problem of care fragmentation and how best to address it. This is typically initiated by a large stakeholder in the community, either a healthcare delivery organization (e.g., a large hospital) or a payer (e.g., an insurer or large employer). If there is agreement to move forward into a more formal planning phase, this often proceeds in one of two ways: either a third-party organization is established or identified to serve as a formal HIE entity or one of the stakeholders agrees to serve as the lead entity. In our data set, two-thirds of efforts operated as established, independent organizations and the remaining one-third operated directly from within another organization (typically a hospital or health system that spearheaded the effort). The formal planning phase consists of an array of interrelated decisions that include conducting an environmental scan and needs assessment, establishing a mission and goals, setting up a governance structure, establishing legal and information sharing agreements, deciding on an approach to protect patient privacy (including patient consent), developing a sustainability plan and identifying revenue streams that at least cover operating costs, marketing to a broader group of potential stakeholders, and developing a technical infrastructure.⁶
⁴ Gains in quality of care may be realized from the increased availability of comprehensive health information, which should allow clinicians to make better treatment decisions and fewer mistakes. This benefit would be especially salient in the emergency care context, in which the patient may not be able to report preexisting conditions or drug allergies (Vest and Gamm 2010).
⁵ Health information exchanges have the potential to significantly decrease the costs of providing healthcare. Walker et al. (2005) estimate that, when fully implemented, health information exchanges could yield approximately $78 billion in annual savings from administrative efficiencies and reducing redundant utilization. Jha et al. (2009) estimate that, in the United States, eliminating avoidable instances of injury to a patient resulting from a medical intervention, such as administering the wrong medication, and redundant medical tests would save over $24 billion per year.
The second stage begins when an HIE effort reaches operational status with a functional technology and administrative infrastructure and data start to be exchanged between healthcare entities. Although this is considered a key milestone, HIEs in this stage continue efforts to increase participation from healthcare entities: increasing the quantity and quality of patient data available through an HIE makes the expected benefits of exchange more likely and also helps HIEs to achieve financial sustainability (only 33% of operational exchanges in our data set reported covering the cost of operating an HIE with participant fees alone).
The last decade has seen significant growth in HIE activity, including the number of planned HIEs and an increasing number of HIEs that are operational: in our data, we observe 15 total HIEs nationwide in 2004, compared to 143 by the end of 2009. Despite substantial potential benefits, HIEs are not yet widespread, and many attempts to establish HIEs have failed (Adler-Milstein et al. 2009, 2011). This has spurred a growing body of work evaluating barriers to HIEs, which suggests that they have been hindered by financial sustainability challenges stemming from misaligned incentives from competing healthcare entities and patient privacy concerns (eHealth Initiative 2005–2010, Adler-Milstein et al. 2009, 2011).
2.1. HIE Incentives Numerous HIEs have struggled to develop a sustainability plan and identify revenue streams. In part, this is due to misaligned incentives for HIE participants (who are the primary source of HIE revenue) and the significant cost attached to the administrative and technical infrastructure necessary to facilitate exchange. Although healthcare entities can derive some value from participating in an HIE (e.g., better quality of patient care), under the predominant healthcare reimbursement model of fee-for-service, redundant care translates into revenue, and physicians have little incentive to avoid care if they believe it is of even marginal value. Worse, HIE makes it easier for patients to switch healthcare providers, potentially resulting in some hospitals and physicians losing patients. Moreover, healthcare entities (e.g., hospitals and physician practices) are expected to pay for HIE when those paying for care accrue much of the benefit. For example, if a physician avoids ordering a redundant test because he or she has access to the results of a diagnostic test performed in a different setting, the physician (or laboratory) loses revenue while the payer (and, downstream, the patient) accrue the savings. The challenges in sustaining HIE efforts that stem from these misaligned incentives for healthcare entities have been exacerbated by the high costs of HIE efforts, with considerable resources required to develop administrative and technical infrastructure that meets regulatory requirements (e.g., privacy regulation) while also addressing the concerns and needs of various HIE stakeholders. These challenges have led some to argue that HIE should be treated as a public good with support from the government (e.g., Vest and Gamm 2010).
⁶ See National Rural Health Resource Center (2015).
A number of states have heeded these calls, enacting legislation that attempts to alleviate these concerns by incentivizing HIE efforts. Specifically, various state legislations included general provisions aimed at reducing the costs (financial, legal, managerial, coordination, or otherwise) associated with pursuing a health information exchange effort in the state. These laws and their typical provisions are described in more detail in §4.2.
2.2. HIEs and Privacy Issues of privacy are among the most widely cited barriers to HIE formation (Simon et al. 2009) and have materialized as significant costs to HIEs. HIEs differ from other forms of health IT (e.g., EMRs) in ways that have important implications for patient privacy. First, HIEs facilitate the exchange of information between multiple, unaffiliated organizations; thus the risk to the privacy of health information and associated concerns expressed by consumers may be substantially greater than with other technologies. Also, HIEs are predicated on the idea of exchanging individual personal health information as opposed to aggregated population-level data, making privacy concerns salient and relevant. These unique challenges have spurred a stream of literature evaluating how to best address privacy concerns while still encouraging HIE efforts (Greenberg et al. 2009, McDonald 2009, McGraw et al. 2009).
Scholars have expressed differing opinions about the appropriate way to address privacy concerns associated with HIEs. For example, Greenberg et al. (2009) and McDonald (2009) agree that federal protections need to be revisited in light of a potential nationwide health information network, which is envisioned to ultimately link regional and state-level HIEs; however, they differ on the need to update state protections. McDonald (2009) suggests that new restrictions beyond the protection afforded by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) would interfere with efficient and safe care. Greenberg et al. (2009) advocate updates to state legislation to better address privacy issues specific to HIEs. The ramifications of this debate can be observed in the significant heterogeneity in how states have tackled HIE privacy challenges. The variation in privacy regulation is described in more detail in §4.2.
3. Theory: Privacy Regulation, Incentives, and HIE Efforts
Although the stakeholders initiating HIE efforts and the specific model they pursue can vary, the mechanism underlying the choice of stakeholders to start planning for exchange and whether or not an HIE becomes operational is the same: HIEs can only create value if healthcare entities (i.e., those with clinical data) participate in an HIE, which typically involves adhering to the terms set forth by the HIE and using its offered technology solutions to receive and send patient health information. The choice of healthcare entities to participate in an HIE is driven by an assessment of the costs and benefits that they will accrue. For example, a hospital would incur technical costs, participation fees, and potential loss of patients as a result of reduced switching costs, as well as the increased legal risk from a data breach or misuse of patient data. This would be weighed against potential quality and efficiency gains from electronic access to more complete information about their patients, as well as reputational benefits from joining a community-based effort to improve care coordination. In addition, a broader group of stakeholders, which do not deliver care, may stand to benefit from cost reductions as a result of HIE and could also influence efforts to plan for an HIE and whether it becomes operational. For instance, a large payer may participate in an HIE effort and subsidize the costs to healthcare entities in order to encourage broader participation. This could be particularly likely if the net benefit to healthcare entities (absent these subsidies) was not sufficiently compelling to promote widespread participation (e.g., because of the misaligned incentives described earlier). In the remainder of this section, we discuss how varying forms of privacy regulation and incentives may have diverse effects on the expected benefits and costs of HIE.
3.1. Privacy Regulation and Consent Requirements
In principle, regulation that protects patients’ privacy may have a range of effects on the benefits and costs of HIE efforts. Consistent with early analysis of privacy economics by scholars such as Stigler (1980) and Posner (1981), regulating the use of patient data may decrease availability of their information when it is needed by healthcare providers to make decisions, making promised benefits less likely. Regulation may also increase the cost of establishing and maintaining an HIE (for instance, by imposing additional technological controls or administrative procedures to protect individuals’ data). On the other hand, privacy regulation may have a positive effect on the choice to pursue an HIE. An established literature finds that privacy concerns can increase the cost of technology adoption and reduce its effectiveness (Angst and Agarwal 2009, Sheng et al. 2008). As a result, scholars have argued that assurances provided by regulation can assuage privacy concerns and positively impact the success of information technology efforts (Bamberger and Mulligan 2011, McGraw et al. 2009).
Naturally, privacy regulation is not monolithic; the extent to which privacy regulation impacts the benefits and costs of HIEs likely depends on the degree and type of reassurance it affords. In particular, one of the key differentiating features between regulatory approaches in the context of HIE is whether they include requirements for patient consent. Consent, or informed consent, is a cornerstone of the Organisation for Economic and Cooperative Development’s privacy guidelines and the Federal Trade Commission’s Fair Information Practice Principles. Generally speaking, consent in the context of HIE refers to the notion that patients should be informed about the risks and benefits associated with the electronic exchange of their health information and have the right to decide whether they would like to incur them. As in the case of privacy regulation in general, regulation specifically requiring consent can, in principle, produce an array of effects, both positive and negative, on the emergence of planning and operational HIEs. A central concern relative to patient consent in the context of HIE is that it may result in limited or patchy patient agreement to have their data included in the HIE (Lai and Hui 2006), in which case the potential benefits of HIE may be hindered. Healthcare entities may be less willing to participate in an HIE if they perceive a low likelihood of reaping efficiency and quality gains as a result of incomplete or low-quality patient data. Moreover, other stakeholders (e.g., payers) may be less willing to support an HIE effort (i.e., subsidize the cost to healthcare entities) if they perceive the benefits to be unlikely. Furthermore, requirements for consent are also likely to impact HIEs’ technology and administrative costs (i.e., in establishing more stringent legal agreements) and participation costs for healthcare entities (i.e., costs for participants to adhere to them). For example, HIEs operating in states with consent requirements may need additional investment in technical and administrative controls to meet regulatory requirements (e.g., clerical time by staff or technical controls to garner and track patient consent decisions). Hence, consent requirements may further reduce the propensity of a healthcare entity to participate in an HIE if they perceive participation to be too costly to justify their expected benefits.
On the other hand, regulations with consent requirements can reduce costs stemming from patient privacy concerns. Patients may demand the right to consent to the use of their data in the context of an HIE. Simon et al. (2009) find that patients felt that an HIE that assumed their willingness to participate without obtaining explicit consent (i.e., an opt-out system) would not be acceptable. As a consequence, healthcare entities may decide not to participate in HIEs if a lack of patient consent results in significant privacy costs and pushback from patients and advocacy groups. McGraw et al. (2009) argue in support of this notion and propose that a comprehensive framework that implements core privacy principles such as consent can bolster trust from patients and medical providers. In contrast to previously described effects of privacy regulation, a reduction in costs stemming from privacy concerns may encourage increased participation by healthcare entities, thus helping HIEs to reach the critical mass of participants to ensure that anticipated benefits are realized.
The role of privacy regulation that does not include consent requirements is also of interest because numerous states have privacy legislation that does not require patient consent before the exchange of health information between providers. For example, legislation in the state of Indiana does not include requirements for patient consent but instead requires compliance “with the federal Health Insurance Portability and Accountability Act (HIPAA)” and the protection of “information privacy.”7 It is likely that the role of regulation that does not require consent is similar to consent-based regulation except that the impact on benefits and costs (and the propensity of community stakeholders to pursue HIE efforts) may be less pronounced. For example, privacy regulation that does not include consent requirements may still restrict (to some degree) the availability of patient information and also introduce additional costs to HIE efforts, but these effects may not be as pronounced when compared to regulation with consent requirements. It may also be the case that regulation without consent is not as effective in reducing costs to HIE efforts stemming from patient privacy concerns. In fact, we argue that this is likely the case. Recent experimental work suggests that providing consumers with choice relative to the use of their personal information may be particularly vital in assuaging privacy concerns. Brandimarte et al. (2012) find that individuals who were provided increased choice perceived a lower privacy risk, even when the objective risks were held constant, and were significantly more likely to make personal disclosures; Stutzman et al. (2013) find a strong positive correlation between the granularity of control provided to users of online social networks and the amount of disclosure by users (albeit to a narrower set of users). These mechanisms are also likely to be present in the context of HIEs, given the sensitivity of personal health information. Finally, policy makers have also recognized the unique role of providing choice by increasingly promoting more control for consumers with respect to online uses of their personal information (Federal Trade Commission 2012, White House 2012).
7 Ind. Code Ann. §5-31-6-1; Ind. Code Ann. §5-31-6-3 (West 2009).
3.2. Incentives and Privacy Concerns
The impact of HIE incentives on the benefits and costs of establishing an HIE seems, at first glance, comparatively straightforward: all else equal, stakeholders with access to incentives that reduce the costs of pursuing an HIE effort should be more likely to start planning for exchange, and these HIEs should be more likely to become operational. For instance, stakeholders in communities with access to grant programs associated with HIE incentives would have less of a challenge generating the required capital to initiate exchange efforts and be able to provide healthcare entities the opportunity to participate at a lower cost (thus increasing the likelihood of more widespread participation and the propensity of reaping expected benefits from exchange). Additionally, given the potential of privacy requirements to impose fixed costs on information technology efforts (e.g., Goldfarb and Tucker 2011, Miller and Tucker 2009) and the anecdotal evidence that privacy requirements have been key hurdles for HIE efforts, incentives may serve to offset some of these costs and attenuate some of the negative effects of privacy regulation on the propensity of HIE efforts to emerge.
However, there may also be a more nuanced and less obvious interplay between incentives, privacy concerns, and the impact of privacy regulation and incentives. Specifically, legislation intended to encourage the pursuit of HIE efforts may also be associated with elevated salience and awareness of privacy concerns. We see examples of a similar phenomenon in other contexts: government subsidies for clean energy solutions have led to significant investment in these technologies but have simultaneously highlighted the limitations and potentially adverse effects of these technologies (e.g., lack of cost effectiveness and efficacy); see Somaskanda (2013) and Cala (2013). With respect to HIE incentives, they may be seen to increase the probability that HIEs will be created and become operational and thereby increase the likelihood of patient privacy concerns being realized. Moreover, it may simply be the case that HIE incentives increase the attention paid to these efforts (e.g., by regulators, patient groups, and privacy advocates), including increased attention to associated privacy concerns. There is some anecdotal evidence in support of this notion. For example, the American Civil Liberties Union brought suit against the legislatively created Rhode Island HIE on the grounds that it was not adequately soliciting consent from patients, and privacy advocates warned that states “will find themselves embroiled in legal entanglements over privacy as they seek to implement HIEs” (Miliard 2010). This latter statement suggests that state-supported HIEs (such as those initiated or aided by state legislation) may receive disproportionate scrutiny from privacy advocates. It is also possible that the direction of causality is reversed: states in which the attention to health information exchange, including attention to privacy concerns, is high may be more likely to provide HIE incentives.
3.3. Conceptual Model and Predictions
Although we cannot directly observe the granular benefits and costs to various stakeholders from HIE participation, we can observe variation in the propensity of healthcare stakeholders to start planning for exchange capabilities (PlanningHIE) and whether these exchanges start actively exchanging patient health information between healthcare entities (OperationalHIE). We argue that these observed variables are, in turn, a function of the unobserved expected benefit and costs of an HIE effort to potential HIE stakeholders, NetRegionalBenefit. Moreover, we model the choice to pursue an exchange at the level of a state subregion j since HIEs have emerged predominately as regionally focused efforts.8 Scholars suggest that this regional focus is due to the significant variation between healthcare markets (even within a given state) and the nuanced challenges this variation can introduce for the pursuit of HIE efforts (Grossman et al. 2008). For example, the necessary collaborations, technology infrastructure, and the priorities of participating providers are likely to differ considerably between the healthcare market in metropolitan and rural regions of a state (e.g., Manhattan versus upstate New York). Moreover, an HIE’s goal is to enable clinical data to electronically follow patients between the settings in which they receive care, which also are predominantly within a defined geographic region. Hence, we utilize HRRs as our unit of analysis because they represent regional healthcare markets.9 In effect, HRRs are defined precisely to capture the geographic regions in which patients are likely to receive the bulk of their care and thus require the exchange of information. Finally, and consistent with the preceding arguments, we suggest that various forms of privacy requirements (PrivConsent/PrivNoConsent) and legislative provisions intended to encourage the pursuit of HIE efforts (Incentives) can affect the benefits and costs of HIE efforts to stakeholders within the various healthcare markets in a state, impacting the choice of stakeholders to start planning for exchange and whether these HIEs become operational. This is summarized in the following conceptual model (based on Miller and Tucker 2009):

$$\text{PlanningHIE}^{*}_{jst},\ \text{OperationalHIE}^{*}_{jst} = f\big(\text{NetRegionalBenefit}_{jst} \mid \text{PrivConsent}_{jst},\ \text{PrivNoConsent}_{jst},\ \text{Incentives}_{jst}\big).$$

8 Of the 73 operational exchanges in our data set, 71 were exchanging data predominately in a single HRR.
This model assumes a latent variable construct where stakeholders in HRR j in state s at time t start planning for an HIE if the (unobserved) expected net benefit (NetRegionalBenefit) is positive. Moreover, we assume that an HIE effort in the region reaches operational status if the NetRegionalBenefit remains positive such that they are able to complete key planning activities (e.g., create data sharing agreements, develop the underlying technical infrastructure, and gather the critical mass of participation by healthcare entities to make exchange feasible). Conversely, healthcare stakeholders will not form exchanges if they perceive the net benefit to be negative, and healthcare entities will cease pursuing HIE efforts (resulting in failed exchange) if they perceive the net benefit from HIE to no longer be positive.
The arguments from this conceptual model and the various dynamics described in this section are summarized in Figure 1. This figure suggests that the net effect of privacy regulation on HIE efforts is a function of (1) the costs associated with privacy regulation; (2) the extent to which privacy concerns are, in fact, barriers to the pursuit of HIE efforts; and (3) the likelihood of available regulation to alleviate these concerns. With this in mind, we first consider the simplest case where privacy regulation is enacted without accompanying incentives (i.e., the left-hand side of Figure 1), where we consider it more likely that privacy regulation will have a negative overall effect on NetRegionalBenefit, thus reducing the likelihood that HIEs form and become operational (this is similar to what has been shown in the current empirical literature). This implies that the propensity of privacy regulation to reduce the NetRegionalBenefit from HIE as a result of increased implementation costs and the restrictions on the availability of patient data (�1, �2) are likely to outweigh any gains from reduced patient privacy concerns (�1, �2). Moreover, taking into account the propensity of consent requirements to have more substantial negative effects on NetRegionalBenefit (�1 > �2), this effect may be more pronounced for legislation including consent requirements.
9 Specifically, HRRs define healthcare markets determined by where most of the residents in a given area received treatment for major cardiovascular surgical procedures and for neurosurgery (Wennberg and Cooper 1996).
The introduction of HIE incentives, however, introduces a more complex and interesting dynamic. Focusing only on the propensity of incentives to reduce HIE costs (�3), incentives alone may positively impact NetRegionalBenefit, and, if passed alongside privacy regulation, HIE incentives could offset some of the costs of privacy regulation. However, if we also consider the potential of incentives to be associated with elevated privacy concerns (�3) that then offset the positive effects of HIE incentives on NetRegionalBenefit (�4), we may observe a more nuanced effect of both incentives and privacy regulation on HIE efforts. First, we may see a limited positive effect on NetRegionalBenefit of incentives passed alone because of the dampening effect of the simultaneously elevated privacy concerns (�3). Moreover, this suggests that privacy regulation, and in particular consent regulation that can better alleviate patient privacy concerns (�1 > �2), may become a more prominent force in this dynamic and could play a critical role in unlocking the propensity of HIE incentives to positively impact the net benefits of exchange. The implication of this is that coupling consent requirements with HIE incentives may have a stronger positive impact on NetRegionalBenefit (and thus differentially increase the propensity of regional stakeholders to start planning for exchange and these exchanges becoming operational) relative to incentives with privacy regulation that did not include consent requirements or with no accompanying privacy regulation. Further, this suggests that privacy regulation may have considerably different (and potentially opposite) effects on HIEs depending on whether incentives are also in place.
Figure 1 Effects of Legislation on HIE Formation
4. Data
Our analysis uses a combination of a six-year panel data set and cross-sectional HIE survey data to assess the impact of the different legislative approaches on planning and operational HIEs. Consistent with the literature, we define an HIE as any entity that facilitates electronic health information exchange between independent healthcare entities in a defined geographic region to improve health (Adler-Milstein et al. 2009). As a result, the HIEs in our data set predominately focused on the exchange of patient health information between medical providers for patient treatment purposes. Further, we consider facilitation to be providing a technical infrastructure to support clinical data exchange. Together, these criteria exclude efforts whose entire scope is limited to administrative data exchange as well as efforts working on issues related to HIE but not directly enabling it to occur.
4.1. Panel HIE Data
To identify HIEs across regions and time, we used publicly available data from the eHealth Initiative’s annual compilation of state, regional, and local HIE efforts (eHealth Initiative 2005–2010). These data are based on yearly surveys of HIEs completed by the eHealth Initiative (eHI) and provide longitudinal information about planning and operational HIEs in the 2004–2009 period. We also used various online resources provided by health organizations and individual HIEs to determine their status as of the end of 2009 and collect any additional information on characteristics of these exchanges (e.g., profit status). As noted earlier, at the beginning of 2004, there were only a handful of established HIEs. As of the end of 2009, we identified 220 HIEs that were in one of two stages.
• Planning: The HIE has been initiated but is in the planning stages of development and is not actively sharing health information (n = 132).
• Operational: The HIE is actively enabling the exchange of health information between healthcare entities (n = 88).
We also identified 92 HIEs that had been initiated during this time period but had subsequently ceased operations. We do not have longitudinal data on these exchanges, and they are not included in our panel data. However, using cross-sectional data on the total number of failed HIEs in our time period of analysis, we find no significant differences in failed exchanges between legislative approaches.10 To identify the date on which HIEs were initiated and became operational and their geographic area of operation, we matched HIEs in the eHealth Initiative survey data with a national survey of HIEs collected in 2010 that captured detailed information on HIEs as of the end of 2009 (Adler-Milstein et al. 2011). Our sample includes the 73 planning and 75 operational exchanges common to both data sets minus 5 exchanges that were dropped because they did not report detailed information on their geographic location, resulting in 143 exchanges (70 planning and 73 operational) in our panel data set.
10 Normalizing by state population, we find that during our time period, states with incentives and consent requirements had 2.5 failed HIEs compared with 2.9 failed HIEs for states with incentives but no consent and 3.7 for states without any HIE incentives.
On average, HIEs in our data set had been in existence for approximately four years, and the subset of HIEs that were operational had been exchanging health information for three and a half years by the end of 2009. Most exchanges (86%) operated within a single state; nearly all exchanges (98%) were operating in fewer than two states. HIE geographic coverage was measured at the more granular level of an HRR. HRRs are generally contained within a single state but can span multiple states and, in some cases, can also span legislative approaches (although this was not common).11 Of the operational exchanges, 70% reported covering a single HRR, and 60% of the planning exchanges anticipated covering a single HRR. The exchanges that were operational or planning in multiple HRRs tended to have the majority of their coverage in a single HRR, and thus we considered only their primary HRR. For example, of the 22 exchanges that reported operating in multiple HRRs, 20 reported being primarily operational in a single HRR with more than 70% of their overall coverage in a single HRR.12 We aggregated HRR coverage across individual HIEs to generate two primary dependent variables.13
• PlanningHIEjst: A binary measure of whether HRR j in state s at time t had one or more HIEs in the planning phase. This measure only includes HIEs that had not failed and were available to take the HIE survey in 2010.
• OperationalHIEjst: A binary measure of whether HRR j in state s at time t had one or more operational HIEs.
These variables are created semiannually over the period 2004–2009 to most accurately capture the impact of legislation on HIEs, which commonly went into effect at the beginning or the middle of the year.
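As an added example (not code or data from Adjerid et al.), the following Python builds the semiannual PlanningHIE_jst and OperationalHIE_jst indicators from a small constructed set of HIE records, attributing each HIE to its primary HRR and dropping failed HIEs as the text describes; the record layout, the HRR and state labels, and the 30 June / 31 December period ends are assumptions made for this example.

```python
"""Added example, not the authors' code or data: construct the semiannual
HRR-level panel indicators PlanningHIE_jst and OperationalHIE_jst from HIE
records, attributing each HIE to its primary HRR (the HRR holding the largest
share of its coverage) and excluding failed HIEs, as Section 4.1 describes.
The record layout, the labels, and the 30 June / 31 December period ends are
assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class HIE:
    name: str
    state: str
    initiated: date                  # date planning began
    operational: Optional[date]      # None while still planning
    hrr_coverage: Dict[str, float] = field(default_factory=dict)  # HRR -> share
    failed: bool = False             # ceased operations; not in the panel

    def primary_hrr(self) -> str:
        """The HRR carrying the largest share of this HIE's coverage."""
        return max(self.hrr_coverage, key=self.hrr_coverage.get)


def semiannual_periods(start_year: int, end_year: int) -> List[date]:
    """Period end dates, two per year, to catch laws effective at mid-year."""
    return [d for y in range(start_year, end_year + 1)
            for d in (date(y, 6, 30), date(y, 12, 31))]


def status_at(hie: HIE, t: date) -> Optional[str]:
    """'planning', 'operational', or None if the HIE did not exist at t."""
    if hie.failed or hie.initiated > t:
        return None
    if hie.operational is not None and hie.operational <= t:
        return "operational"
    return "planning"


def build_panel(hies: List[HIE], hrrs: List[Tuple[str, str]],
                start_year: int, end_year: int
                ) -> Dict[Tuple[str, str, date], Tuple[int, int]]:
    """Map (HRR j, state s, period end t) -> (PlanningHIE, OperationalHIE),
    each 1 if at least one HIE with primary HRR j is in that stage at t."""
    panel = {}
    for hrr, state in hrrs:
        local = [h for h in hies if h.primary_hrr() == hrr]
        for t in semiannual_periods(start_year, end_year):
            stages = {status_at(h, t) for h in local}
            panel[(hrr, state, t)] = (int("planning" in stages),
                                      int("operational" in stages))
    return panel


def panel_means(panel: Dict[Tuple[str, str, date], Tuple[int, int]]
                ) -> Tuple[float, float]:
    """Share of HRR-periods with a planning HIE and with an operational HIE
    (the kind of figure reported as the panel means in Table 1)."""
    n = len(panel)
    return (sum(p for p, _ in panel.values()) / n,
            sum(o for _, o in panel.values()) / n)


# Constructed sample records; HRR and state labels are placeholders.
SAMPLE_HRRS = [("HRR-A", "ST1"), ("HRR-B", "ST1"), ("HRR-C", "ST2")]
SAMPLE_HIES = [
    HIE("Alpha Exchange", "ST1", date(2005, 3, 1), date(2007, 1, 15),
        {"HRR-A": 0.8, "HRR-B": 0.2}),       # primary HRR is HRR-A
    HIE("Beta Exchange", "ST2", date(2008, 9, 1), None, {"HRR-C": 1.0}),
    HIE("Gamma Exchange", "ST1", date(2004, 1, 1), date(2005, 1, 1),
        {"HRR-B": 1.0}, failed=True),        # failed: never counted
]

if __name__ == "__main__":
    panel = build_panel(SAMPLE_HIES, SAMPLE_HRRS, 2004, 2009)
    for key, (plan, oper) in sorted(panel.items()):
        print(key, plan, oper)
    print("means (planning, operational):", panel_means(panel))
```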
To construct measures of HRR demographics, including measures of HRR population, income, and unemployment rates, we used a range of secondary sources (e.g., U.S. Census Bureau, U.S. Bureau of Economic Analysis, and the U.S. Department of Health and Human Services’ Area Health Resources Files (AHRF)). Finally, we used the Health Information and Management Systems Society (HIMSS) Analytics™ Database (HADB) to create measures that enabled us to control for hospital-level health IT adoption. In addition to our semiannual panel data set, we constructed a cross-sectional data set using HIE survey data. These data, which were only available for the final year of our data, offered a detailed snapshot of HIE activities, including a range of self-reported measures that captured qualitative differences between HIEs. We used these cross-sectional data to examine other dimensions of HIE progress that were not captured in our panel measures of HIE efforts. For example, these data include measures of the number of patients covered by an exchange, organizational structure, sources of funding, and challenges faced. We supplemented this with data from other sources to construct state-level measures of education levels, age structure, and political leaning. Table 1 includes the full list of measures and associated summary statistics.
11 In our analysis we find that only 9% of HRRs had significant portions (more than 25%) of the populations they encompass in other states with different legislative approaches. Our results are robust to the exclusion of these HRRs.
12 On average, HIEs were operational in 9.5 hospital service areas (HSAs)—a collection of ZIP codes whose residents receive most of their hospitalizations from the hospitals in that area (Wennberg and Cooper 1996)—in their central HRRs compared with 1.5 HSAs in their secondary HRRs.
13 HRRs having multiple operational exchanges were uncommon, with only 4% of regions reporting multiple operational exchanges.
4.2. Legislation
Protection of patients’ personal health information, as well as requirements for patient consent for the sharing of personal health information in the context of exchanges, is governed by a combination of federal and state laws.
At the federal level, patient consent is governed primarily by HIPAA14 and associated regulation. HIPAA was amended in 2009 by the HITECH Act, which added some privacy requirements, including breach notification requirements for entities covered by HIPAA.15 Although HIPAA laws impact the disclosure of health information by HIEs, HIPAA applies to all states (our analysis relies on between-state variation) and was passed before the time period of our analysis. HITECH was passed in our period of analysis, and its effect on HIE efforts is accounted for by the time fixed effects in our models. At the state level, two types of privacy legislation may affect HIE outcomes: (1) general privacy health laws, not HIE specific, that were largely enacted before the significant emergence of HIEs; and (2) HIE-specific laws aimed at promoting HIE activities and/or focusing on the disclosure of patient data and patient consent.
General health privacy laws (i.e., not HIE specific) have historically been in place to deal with various aspects of health privacy, including disclosure of patient health information and consent. We identified state health privacy laws using the recent compilation by Pritts et al. (2009) and the earlier compilation of general state privacy laws by Pritts et al. (2002). However, we found that most state health privacy laws, similar to HIPAA, were passed before our period of analysis. Moreover, there has been considerable debate over the applicability of patient consent requirements provided in general health privacy laws. Specifically, most HIEs in our data set focused on the exchange of patient health information between providers for treatment purposes. However, patient consent requirements in the majority of state health privacy laws include exceptions to garnering patient consent for data disclosures between providers for treatment purposes, thus effectively precluding the majority of exchange activities. According to Pritts et al. (2009), only two states (Minnesota and New York) appear to generally require patient permission to disclose all types of health information and only three (New York, Minnesota, and Vermont) usually require medical providers to obtain patient permission before disclosing health information to other providers. Because general health privacy laws that are not HIE specific were passed before our period of analysis, and their requirements for consent have limited applicability to HIEs, we do not use them as focal independent variables. The states with requirements relevant to the exchange of health information were included in our analysis as interactions with time-varying HIE-specific legislation. This accounts for states that may not provide explicit requirements for consent in HIE-specific legislation because their existing legislation already has relevant requirements.
14 Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d-9 (2011).
15 Health Information Technology for Economic and Clinical Health Act of 2009, U.S.C. §3013 (2011).

Table 1 Data Overview and Summary Statistics

| Variable | Description | Panel mean | Panel SD | Cross-section mean | Cross-section SD | Source |
|---|---|---|---|---|---|---|
| Dependent variables | | | | | | |
| PlanningHIE_jst | A binary measure of whether HRR j in state s at time t is covered by one or more planning HIEs. | 0.15 | 0.35 | 0.18 | 0.38 | HIE/eHI survey |
| OperationalHIE_jst | A binary measure of whether HRR j in state s at time t is covered by one or more operational HIEs. | 0.10 | 0.3 | 0.20 | 0.4 | HIE/eHI survey |
| PrivChallenge_is | Binary variable indicating whether HIE i in state s reported that privacy concerns were a major challenge to their progress. | | | 0.12 | 0.33 | HIE survey |
| FundChallenge_is | Binary variable indicating whether an HIE i in state s reported the lack of funding as a major challenge to their progress. | | | 0.43 | 0.49 | HIE survey |
| HighPatientHIE_is | Binary variable of whether HIE i in state s covered more than 50,000 patients. | | | 0.62 | 0.48 | HIE survey |
| Independent variables | | | | | | |
| PrivConsent_st | Dummy variable indicating a state s at time t has privacy legislation that requires consent for HIE. | 0.09 | 0.28 | 0.17 | 0.38 | Goldstein and Rein (2010); Pritts et al. (2009) |
| PrivNoConsent_st | Dummy variable indicating a state s at time t has privacy legislation that does not require patient consent for HIE. | 0.39 | 0.48 | 0.47 | 0.5 | Goldstein and Rein (2010); Pritts et al. (2009) |
| Incentives_st | Dummy variable indicating whether a state s at time t enacted any law intended to encourage HIEs. | 0.16 | 0.36 | 0.45 | 0.5 | Westlaw/LexisNexis |
| Controls | | | | | | |
| BroadbandAccess_s | The percentage of households in state s with high-speed Internet access. | | | 0.51 | 0.06 | U.S. Census Bureau |
| PerCapGDP_s ($1,000) | The total GDP of state s divided by the population of state s. | | | 43.1 | 13.8 | U.S. Bureau of Economic Analysis |
| Funding_st | Dummy variable indicating whether HIE-specific legislation at time t explicitly provides funding opportunities for HIEs in state s. | 0.1 | 0.3 | 0.21 | 0.41 | Westlaw/LexisNexis |
| StateDesignated_st | Dummy variable indicating whether HIE-specific legislation in state s at time t creates or designates a statewide HIE. | 0.03 | 0.15 | 0.08 | 0.27 | Westlaw/LexisNexis |
| Population_jst (1,000s) | Number of inhabitants in HRR j in state s at time t. | 976.4 | 1,096.9 | 1,002.5 | 1,132.1 | AHRF |
| MedianIncome_jst ($1,000s) | The median family income for HRR j in state s at time t. | 45.1 | 10.5 | 47.3 | 10.8 | AHRF |
| UnempRate_jst | The unemployment rate for HRR j in state s at time t. | 6.1 | 2.03 | 9.5 | 2.4 | AHRF |
| CPOEADOPTION_jst | Percentage of hospitals in HRR j in state s at time t adopting computerized provider order entry systems (CPOEs) normalized by staffed beds. | 0.19 | 0.22 | 0.24 | 0.24 | HADB |
| MonthsPursuing_is | Months an HIE i in state s has been in existence. | | | 48 | 38 | HIE survey |
| FormalGov_is | Binary indicator of whether an HIE i in state s has a formal governance structure. | | | 0.81 | 0.39 | HIE survey |
| Democratic_s | Dummy variable indicating whether a democrat has carried state s in the 2000, 2004, and 2008 presidential elections. | | | 0.47 | 0.5 | National Archives |
| TopMed_s | Dummy variable if state s had a hospital in the U.S. News & World Report hospital honor roll in 2009–2010. | | | 0.31 | 0.46 | Comarow (2009) |
| AdvancedDegree_s | The percentage of individuals in state s with a graduate degree. | | | 0.1 | 0.03 | U.S. Census Bureau |
| Over65_s | The percentage of individuals in state s over 65. | | | 0.12 | 0.02 | AHRF |
Our primary independent variables capture HIE-specific laws that, unlike general health privacy laws, were passed in the period of our analysis and have direct applicability to exchange efforts. We identified HIE-specific laws primarily through various legal search services (e.g., LexisNexis Academic and Westlaw) and supplemented these searches with recent reports on disclosure laws and HIEs (Goldstein and Rein 2010). We find that, in the past decade, various states enacted legislation that (1) incentivized HIE efforts, (2) addressed patient privacy and consent, or, most commonly, (3) some combination of both.
As we described earlier, we considered state legislation as providing HIE incentives if it included, at a minimum, general provisions aimed at reducing any of the costs (financial, legal, managerial, coordination, or otherwise) associated with pursuing a health information exchange effort in the state. Our review of state laws fitting this criterion yields a number of state laws with provisions to incentivize HIE efforts. For instance, the North Dakota state law directs its health information technology office to “facilitate and expand electronic health information exchange in the state, directly or by awarding grants”;16 West Virginia law requires the director of the Office of Health Enhancement and Lifestyle Planning to work “through the West Virginia Health Information Network, the Bureau for Medical Services and other appropriate entities, to develop a collaborative approach for health information exchange”;17 and Kentucky state law tasks the Kentucky eHealth network board with responsibility for “the operation of an electronic health network in this Commonwealth” and, among other things, for making recommendations related to “models for an electronic health network” and “financing the central interchange for the network.”18 Moreover, we reviewed the specific provisions in state laws incentivizing HIE efforts to identify any trends in the nature of HIE incentives. This effort yielded two broad categories of HIE incentives. First, we found that 11 states have laws designating explicit funds authorized for use in support of HIE efforts. For instance, Minnesota state law allocated funding for the commissioner of health to award grants for the purpose of implementing “regional or community-based health information exchange organizations.”19 North Dakota state law included provisions to create an “electronic health information exchange fund” and also instituted a “health information technology loan program.” We found seven states that had HIE incentives focused on creating or designating a specific statewide HIE as opposed to focusing on dispersed regional efforts (such provisions do not exclude other entities from creating additional exchanges in that state). For instance, Rhode Island state law established a “statewide HIE under state authority to allow for the electronic mobilization of confidential health care information,”20 and Vermont state law tasked the Vermont Information Technology Leaders (a nonprofit organization within the state) with operating the “statewide health information exchange network for this state” that included “grant agreements” with the organization.21 We account for this variation in the specific provisions included as part of state laws incentivizing HIE efforts in our empirical analysis.

16 N.D. Cent. Code, §54-59-26.
17 W. Va. Code Ann. §16-29H-6.
18 Ky. Rev. Stat. Ann. §216.267.
Similar to general health privacy laws, HIE-specific laws varied in the extent to which they provided patients with privacy protections and, in particular, the extent to which they instituted requirements for consent. Given that most states’ general health privacy laws22 do not include consent requirements for disclosing health information23 to other providers (which are also the majority of HIE participants), requirements for consent in HIE-specific laws are especially relevant to the disclosure of health information by exchanges. As a result, we differentiate between legislation including provisions requiring consent, only general privacy requirements without consent, and no privacy requirements at all. Leveraging variation in HIE incentives and privacy requirements between states, we categorize states that passed HIE-specific legislation into one of three main categories:24

• Incentives and PrivConsent: states with laws intended to encourage the pursuit of HIEs and that have requirements for patient consent (eight states).25
• Incentives and PrivNoConsent: states with laws intended to encourage the pursuit of HIEs and that make some mention of privacy protections but do not include requirements for consent (i.e., they rely on the status quo of no consent requirements for the exchange of health information between healthcare entities) (11 states).
• Incentives: states with laws intended to encourage the pursuit of HIEs but that make no mention of privacy protections; these states also did not have any preexisting general health privacy laws that would require consent in the context of exchange (three states and the District of Columbia).

Figure 2 identifies the states that have enacted HIE-specific legislation. In addition, we identified three states that passed or amended health privacy laws that instituted privacy requirements for HIEs without accompanying incentives. During the time period of our analysis, Nevada and New Mexico passed health privacy legislation that explicitly mentioned exchange but did not institute consent requirements for the exchange of health information between healthcare entities for treatment purposes (similar to general health disclosure laws discussed previously). Conversely, Maine amended existing privacy legislation to require patient consent prior to the exchange of patient health information. This leaves 25 states that did not pass HIE-specific legislation during our time period.

Figure 2 Overview of HIE-Specific Legislation. [Map of states by legislative approach; legend: Incentives and PrivConsent; Incentives and PrivNoConsent; Incentives only.]

19 Minn. Stat. Ann. §144.3345.
20 RI Gen L §5-37.7-4.
21 18 V.S.A. §9352.
22 New York, Minnesota, and Vermont have some requirements that require consent for disclosure between providers. These states were treated as having consent requirements and are Incentives and PrivConsent states because they would all subsequently pass HIE-specific legislation.
23 States have passed more stringent laws for some specific and sometimes sensitive health data (e.g., mental health or HIV data). Because this data type is generally not the focus of HIEs, we focus only on laws restricting the exchange of general health information.
24 See EC.1 in the electronic companion (available as supplemental material at http://dx.doi.org/10.1287/mnsc.2015.2194) for additional example statutes and text.
25 Specifically, under this category, we consider any law that mandates that patients are provided with notice before the exchange of their personal health information in an HIE and, at a minimum, that patients are also provided with the choice to exclude their information from such an exchange as having consent requirements.
5. Methods

Our empirical approach leverages time-series regression using longitudinal data on planning and operational HIEs across HRRs, as well as cross-sectional analysis using survey data on individual HIEs.
5.1. Model 1: Fixed Effects Model

The first model we estimate is a panel linear probability model that includes HRR and time fixed effects with reported standard errors clustered at the state level. This model evaluates the impact of HIE-specific legislation on HIE creation (PlanningHIE_jst) and reaching operational status (OperationalHIE_jst) in healthcare market j, in state s, at time t.26 This model identifies the baseline effects on these variables of privacy regulation with and without consent requirements and the effects of HIE incentives while allowing for the differential impact of HIE incentives if privacy requirements are also in place (model 1):

$$
\begin{aligned}
\mathit{PlanningHIE}_{jst},\ \mathit{OperationalHIE}_{jst}
 = {} & \beta_0 + \beta_1 \times \mathit{PrivConsent}_{st} + \beta_2 \times \mathit{PrivNoConsent}_{st} \\
 & + \beta_3 \times \mathit{Incentives}_{st} + \beta_4 \times \mathit{PrivConsent}_{st} \times \mathit{Incentives}_{st} \\
 & + \beta_5 \times \mathit{PrivNoConsent}_{st} \times \mathit{Incentives}_{st} \\
 & + \beta_6 \times \mathit{StateDesignated}_{st} + \beta_7 \times \mathit{Funding}_{st} \\
 & + \boldsymbol{\beta} \times X_{jst} + \alpha_{js} + \gamma_t + \varepsilon_{jst}.
\end{aligned}
$$

Here, PrivConsent_st is a dummy variable indicating whether a state s at time t had a privacy law that also required patient consent in the context of exchange, and PrivNoConsent_st is a dummy variable indicating whether a state had a privacy law in place but did not require patient consent in the context of exchange. In this model, PrivConsent_st and PrivNoConsent_st capture the impact of privacy regulation that was passed without accompanying incentives. Moreover, Incentives_st is a dummy variable indicating whether a state s had legislation providing HIE incentives at time t (where t represents semiannual intervals). We also include the interactions PrivConsent_st × Incentives_st and PrivNoConsent_st × Incentives_st to identify any differential impact of incentives when varying degrees of privacy protections are present. These interactions take into account other potentially relevant privacy legislation. For example, if a state had passed legislation with HIE incentives during our time period of analysis without privacy provisions but either during or prior to our period of analysis also passed privacy requirements relevant to exchange in separate legislation, this interaction would be positive.

We also created variables to differentiate between the most common provisions in state laws incentivizing HIE efforts. We found that states differed in terms of whether they provided explicit funding in legislation incentivizing HIEs; some states provided funds explicitly authorized for use in support of HIE efforts, whereas other states directed responsible entities to identify sources of financial support for exchange efforts or were ambiguous regarding financial support from the state. Thus, our first variable captures HIE incentives with explicit funding opportunities (Funding_st). In addition, we captured differences in states’ propensity to focus HIE incentives on creating or designating a statewide exchange versus focusing HIE incentives on HIE efforts in disparate healthcare markets. Thus, our second variable captures states with laws that designate or create a state-sponsored HIE (StateDesignated_st). We include these variables in our model to address the concern that the variation in state strategies toward HIE incentives may correlate with a particular legislative approach. If this were the case, the effect of a given legislative approach could be driven by the intensity or nature of HIE incentives.

Finally, we include a vector of control variables, X_jst, which accounts for other factors relevant to the emergence of planning and operational HIEs. For example, HIE efforts may require that regional healthcare entities have some minimum level of patient record digitization and health IT infrastructure in order to engage in electronic exchange, which could be correlated with privacy regulation. As a result, we control for healthcare IT adoption in the HRR by including CPOEAdoption_jst to capture hospital adoption of computerized provider order entry (CPOE).27 CPOE is often a proxy for advanced adoption of healthcare IT and is highly correlated with the adoption of other healthcare IT (e.g., electronic medical records). It is also a core component of the federal definition of “meaningful use” of electronic health records (Blumenthal and Tavenner 2010). Other HRR-level controls include those capturing population, median income, and unemployment rates. HRR and time fixed effects are represented by α_js and γ_t, respectively; ε_jst is the error term. We evaluate whether multicollinearity is a concern in the estimation of this model by calculating correlation tables and the variance inflation factor (VIF) for each independent variable in the model. We find that all variables have a VIF well below the recommended maximum of 10 (Kennedy 1992), with a mean VIF of 1.9 for the variables in our panel estimation (see EC.2 in the electronic companion). Similar fixed effects models have been used in the literature to examine the effect of a policy intervention (Bertrand et al. 2004). HRR fixed effects allow us to control for time-invariant unobserved factors and time dummies allow us to control for time trends. Thus, the unbiased effect of varied regulatory approaches can be identified from variation across HRRs and time. In an extended specification, we include one-year lagged variables to allow for a delayed effect on HIE outcomes of legislation aimed at incentivizing HIE efforts with and without privacy regulation. This accounts for the potential for resources provided by these laws to take time to reach entities interested in pursuing HIE.28

26 In our context, nonlinear models with fixed effects (e.g., logit) are not desirable because they leverage only variation across time. In our analysis, this precludes a significant portion of our data and would result in a specification with estimations using HRR fixed effects failing to converge. The central limitation to the linear probability model is that the predicted probabilities are not constrained between 0 and 1, thus requiring some caution when interpreting coefficient estimates. However, prior work has shown little qualitative difference between the logit and linear probability specification (Angrist and Pischke 2008), and prior empirical work in this field has leveraged identical approaches (Miller and Tucker 2009, Goldfarb and Tucker 2011). In addition to the practical limitations associated with nonlinear fixed effects models, scholars (e.g., Neyman and Scott 1948) have demonstrated that estimates from nonlinear fixed effects models are inconsistent because the asymptotic variance of the main parameters is a function of a small and assumed fixed group size; this is also known as the incidental parameter problem. Greene (2002) finds this problem to be of significant practical consequence with slope estimates from nonlinear fixed effects models uniformly biased away from zero compounded by estimates of the standard errors biased toward zero.
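The estimator behind model 1, as an added example that is not code from the paper or its authors: it builds a constructed HRR-by-period panel in which each state adopts one of the legislative approaches described above, recovers the legislation coefficients by within-transformation OLS (which, on a balanced panel, is what a full set of HRR and time dummies does), and then sums coefficients the way Section 6 reads net effects for approaches that combine incentives with privacy regulation. The panel layout (six states, five markets each, twelve semiannual periods, laws taking effect in period 6) and the true coefficients (chosen to resemble the magnitudes of Table 2, column (B)) are all constructed assumptions; the outcome is simulated as a latent probability plus small noise rather than a 0/1 draw so that recovery of the coefficients can be checked. Controls, clustered standard errors and lags are omitted.

```python
"""Within (two-way demeaning) estimator for a fixed-effects linear probability
model, run on a constructed HRR-by-period panel. Added example; not code
from Adjerid et al. Standard library only."""
import random

# Constructed panel layout (hypothetical; not the paper's data).
N_STATES, HRR_PER_STATE, N_PERIODS = 6, 5, 12   # state 0 never passes a law
LAW_START = 6                                    # period a state's law takes effect
# Dummies (PrivConsent, PrivNoConsent, Incentives) switched on by each state's law.
STATE_LAW = {0: (0, 0, 0),   # no HIE-relevant legislation (control)
             1: (1, 0, 0),   # consent requirement, no incentives
             2: (0, 1, 0),   # privacy law without consent, no incentives
             3: (0, 0, 1),   # incentives only
             4: (1, 0, 1),   # incentives coupled with consent requirements
             5: (0, 1, 1)}   # incentives coupled with privacy, no consent
# True coefficients for the simulation; constructed to resemble the magnitudes
# of Table 2, column (B). They are not estimates taken from the paper.
TRUE_BETA = {"PrivConsent": -0.116, "PrivNoConsent": -0.104, "Incentives": 0.005,
             "PrivConsent x Incentives": 0.230, "PrivNoConsent x Incentives": 0.091}
REGRESSORS = list(TRUE_BETA)


def design_row(state, t):
    """The five legislation regressors for a market in `state` at period t."""
    pc, pnc, inc = STATE_LAW[state] if t >= LAW_START else (0, 0, 0)
    return [pc, pnc, inc, pc * inc, pnc * inc]


def simulate_panel(seed=0, noise_sd=0.01):
    """Balanced panel of (hrr, period, x_row, y); y is a latent probability
    (HRR effect + period trend + law effects + noise), not a 0/1 draw."""
    rng = random.Random(seed)
    n_hrr = N_STATES * HRR_PER_STATE
    hrr_effect = [rng.uniform(0.05, 0.40) for _ in range(n_hrr)]
    rows = []
    for j in range(n_hrr):
        for t in range(N_PERIODS):
            x = design_row(j // HRR_PER_STATE, t)
            y = (hrr_effect[j] + 0.01 * t + rng.gauss(0.0, noise_sd)
                 + sum(b * v for b, v in zip(TRUE_BETA.values(), x)))
            rows.append((j, t, x, y))
    return rows


def within_transform(rows):
    """Subtract HRR and period means, add back the grand mean. On a balanced
    panel this equals including the HRR and time dummies of model 1."""
    n_hrr, width = N_STATES * HRR_PER_STATE, len(REGRESSORS) + 1
    vec = [r[2] + [r[3]] for r in rows]              # regressors then y
    mean_j = [[0.0] * width for _ in range(n_hrr)]
    mean_t = [[0.0] * width for _ in range(N_PERIODS)]
    grand = [0.0] * width
    for (j, t, _, _), v in zip(rows, vec):
        for i, val in enumerate(v):
            mean_j[j][i] += val / N_PERIODS
            mean_t[t][i] += val / n_hrr
            grand[i] += val / len(rows)
    return [[v[i] - mean_j[j][i] - mean_t[t][i] + grand[i] for i in range(width)]
            for (j, t, _, _), v in zip(rows, vec)]


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def estimate_fixed_effects(rows):
    """OLS on the within-transformed data: solves (X'X) beta = X'y."""
    k, d = len(REGRESSORS), within_transform(rows)
    xtx = [[sum(v[i] * v[l] for v in d) for l in range(k)] for i in range(k)]
    xty = [sum(v[i] * v[k] for v in d) for i in range(k)]
    return dict(zip(REGRESSORS, solve_linear(xtx, xty)))


def net_effect(beta, privacy, incentives):
    """Sum of the coefficients switched on for one legislative approach, the
    way Section 6 reads net effects (privacy: "consent", "noconsent", "none")."""
    terms = {"consent": ["PrivConsent"], "noconsent": ["PrivNoConsent"], "none": []}[privacy]
    if incentives:
        terms = terms + ["Incentives"] + [t + " x Incentives" for t in terms]
    return sum(beta[t] for t in terms)


if __name__ == "__main__":
    est = estimate_fixed_effects(simulate_panel())
    for name in REGRESSORS:
        print(f"{name:27s} true {TRUE_BETA[name]:+.3f}  estimated {est[name]:+.3f}")
    print("net effect, incentives + consent:   ", round(net_effect(est, "consent", True), 3))
    print("net effect, incentives + no consent:", round(net_effect(est, "noconsent", True), 3))
```

The five regressors are identified because each treated state switches on a different combination of the dummies while the untreated state supplies the time trend; with the constructed coefficients the net effect of incentives coupled with consent is 0.119 and that of incentives coupled with privacy regulation without consent is roughly zero, which is the pattern Section 6 describes for Table 2.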
5.2. Model 2: Cross-Sectional Model

The second model we estimate also uses a linear probability model and standard errors clustered at the state level but uses cross-sectional survey data. Our survey data captured a detailed snapshot of HIEs’ status and activities as of the end of 2009. This model evaluates the association between relevant HIE characteristics (described below) and the varying approaches toward incentivizing HIE efforts (i.e., those with and without consent-based regulation):

$$
\mathit{HIECharacteristic}_{is} = \beta_0 + \beta_1 \times \mathit{Incentives}_{s} + \beta_2 \times \mathit{Incentives}_{s} \times \mathit{PrivConsent}_{s} + \boldsymbol{\beta} \times X_{s} + \boldsymbol{\delta} \times Z_{is} + \varepsilon_{is}.
$$

Here, Incentives_s is a binary indicator of whether an HIE is operating in a state s with HIE incentives. The interaction Incentives_s × PrivConsent_s captures any differential impact of having consent requirements alongside HIE incentives. Because states with privacy regulation without incentives had only two operational and three planning exchanges, we do not attempt to estimate effects for these legislative approaches. However, to avoid biased interpretation of our estimates, we exclude these HIEs from our estimation for model 2. This model does include a vector of state-level controls, X_s, which accounts for state political leaning, wealth, population, age structure, and education levels, as well as a vector, Z_is, of HIE-level controls including measures of the length of time an HIE has been pursuing exchange and whether they have a formal governance structure. Although we do include a number of state- and HIE-level controls, we cannot include HIE or regional fixed effects. As a result, the estimates from model 2 should be interpreted with some caution. However, we argue that the most problematic endogeneity concerns are unlikely in the context of our analysis.

For instance, we use this model primarily to evaluate the association among HIE incentives, consent requirements, and HIE privacy challenges. Specifically, we use a binary measure of whether an HIE i in state s reported that privacy concerns were a major challenge or impediment to their development (PrivChallenge_is) to evaluate our previous conjecture that incentives for HIEs may be associated with an increased attention to and salience of privacy concerns, which could materialize as barriers to the emergence of HIEs. In the context of this analysis, one concern may be that heterogeneity in states’ tastes for privacy would both impact their propensity to have consent requirements, as well as the pushback HIEs face from privacy concerns. However, our predictions would actually be made less likely by this effect, since we conjecture that HIEs in states with consent requirements will, in fact, report less pushback as a result of patient privacy concerns. For a similar reason, we consider reverse causality in which low initial privacy concerns resulted in states being more likely to pass consent requirements as also being unlikely.

Additionally, we use this model to evaluate whether relevant heterogeneity exists in key individual characteristics of HIEs across states with and without consent requirements. For example, because availability of funding (beyond that from the government) has been shown to significantly affect the choice to pursue exchange (Adler-Milstein et al. 2009), we evaluate the correlation between consent requirements and the availability of funding to HIEs. Although our panel estimation controls for legislation with explicit funding opportunities as part of their HIE incentives, this may not suffice, because HIEs may leverage a range of funding sources including those provided by the federal government and other private sources (e.g., large health systems or physician groups). As a result, we include the variable FundChallenge_is as a binary measure indicating whether HIE i in state s reported that the lack of funding was a major challenge to their development. Finally, we evaluate whether HIEs in states with consent requirements varied with respect to other characteristics that are also indicative of HIE progress and their ability to achieve desired goals. Specifically, we evaluate differences in the number of patients covered by an exchange (HighPatientHIE_is) across states with and without consent requirements.

27 Based on data obtained from HADB.
28 For clarity of exposition, we exclude the lagged terms for the binary indicators of states having privacy regulation alone (PrivConsent and PrivNoConsent) since the lagged effect of this legislative approach is not of central interest and was rare in our data set.
6. Results

The results for the fixed effects model (model 1) are presented in Table 2. We find that privacy regulation without incentives had a negative effect on the pursuit of HIE. However, this effect varied depending on the stage of HIE development. For privacy regulation with consent requirements (PrivConsent), we find a large negative and significant coefficient for PlanningHIE (column (A)). However, a similarly negative coefficient for OperationalHIE is not significant (p = 0.171, column (B)). For privacy regulation without consent requirements (PrivNoConsent), we find a significant negative coefficient for OperationalHIE but a near-zero and insignificant estimate for PlanningHIE. This suggests that, although privacy regulation without consent had a significant effect on HIEs reaching operational status, it does not seem to dissuade entities from initially pursuing HIE.

We find small and generally insignificant estimates on Incentives, suggesting that HRRs in states that provided HIE incentives without accompanying privacy provisions did not see increases in HIEs. However, we do find a significant and positive coefficient on the interaction of PrivNoConsent and Incentives, but only for OperationalHIE. This suggests that incentives passed alongside regulation without consent requirements resulted in a 9% increase in the probability of an HRR having an operational exchange but no measurable effect on the propensity of initiating an exchange. Finally, we find consistent and significant gains from HIE incentives when they were coupled with privacy regulation providing patient consent requirements. Specifically, we find a large and significant coefficient on the interaction of PrivConsent and Incentives for both PlanningHIE (p < 0.01) and OperationalHIE (p < 0.01), suggesting that incentives passed alongside privacy regulation with consent requirements resulted in a 47% increase in the probability of HRRs having a planning exchange and a 23% increase in the probability of HRRs having an operational exchange. Moreover, the difference in the effectiveness of incentives coupled with consent requirements was statistically significant when compared with the incentives alone (Incentives) or incentives with regulation without consent (Incentives × PrivNoConsent) for both PlanningHIE (p < 0.01) and OperationalHIE (p < 0.05).

Table 2 Impact of Legislation on HIE Efforts

| | (A) PlanningHIE | (B) OperationalHIE | (C) PlanningHIE | (D) OperationalHIE |
|---|---|---|---|---|
| PrivConsent | −0.360** (0.0723) | −0.116 (0.0831) | −0.342** (0.0741) | −0.0773 (0.0846) |
| PrivNoConsent | 0.0282 (0.0590) | −0.104** (0.0243) | 0.0302 (0.0588) | −0.100** (0.0228) |
| Incentives | 0.00462 (0.0501) | 0.00459 (0.0267) | −0.00598 (0.0399) | −0.000367 (0.0222) |
| Incentives × PrivConsent | 0.466** (0.112) | 0.230** (0.0691) | 0.432** (0.100) | 0.135* (0.0668) |
| Incentives × PrivNoConsent | −0.0483 (0.0906) | 0.0908** (0.0307) | −0.0410 (0.0796) | 0.0987** (0.0305) |
| IncentivesLag | | | 0.0412 (0.107) | 0.0319 (0.0273) |
| IncentivesLag × PrivConsentLag | | | 0.0293 (0.119) | 0.117 (0.0988) |
| IncentivesLag × PrivNoConsentLag | | | −0.0297 (0.123) | −0.0344 (0.0288) |
| StateDesignated | −0.162+ (0.0901) | 0.196** (0.0720) | −0.150 (0.0906) | 0.218** (0.0696) |
| Funding | 0.0497 (0.106) | −0.0556* (0.0231) | 0.0447 (0.107) | −0.0641* (0.0256) |
| CPOEAdoption | 0.00659 (0.0666) | 0.0798 (0.0805) | 0.00772 (0.0658) | 0.0815 (0.0798) |
| OperationalHIE | −0.520** (0.0569) | | −0.525** (0.0557) | |
| Observations | 3,672 | 3,672 | 3,672 | 3,672 |
| R-squared | 0.195 | 0.113 | 0.196 | 0.120 |
| Control variables | Yes | Yes | Yes | Yes |
| Time fixed effects | Yes | Yes | Yes | Yes |
| HRR fixed effects | Yes | Yes | Yes | Yes |

Note. Robust standard errors are shown in parentheses. +p < 0.1; *p < 0.05; **p < 0.01.
Given that we find evidence of negative baseline effects of privacy regulation, we also consider the net effect for states with legislative approaches that combined incentives and privacy regulation. For instance, although HIE incentives coupled with privacy regulation without consent requirements resulted in a 9% increase in the probability of HRRs having an operational exchange, this effect was offset by the negative (10%) baseline effect of the privacy regulation, resulting in a zero net effect on the propensity of HRRs in these states to have operational HIEs. By contrast, we find evidence of a net gain in operational HIEs for HRRs in states with both HIE incentives and privacy regulation with consent requirements. Specifically, we identify an 11% (p < 0.05) net increase for OperationalHIE and also a 10% net increase (although insignificant, p = 0.22) for PlanningHIE. Within our data set, HIE incentives coupled with consent requirements was the only legislative approach with evidence of a net gain in OperationalHIE.
Estimates of our main model with lagged variables are presented in Table 2, columns (C) and (D). We find that estimates on our baseline interaction of Incentives and PrivConsent for PlanningHIE are of similar magnitude to our primary estimation and are significant (p < 0.05), whereas our lagged term has a small and insignificant coefficient. This suggests that new HIEs were planned within a short period of the passage of these laws and may reflect the relatively low costs of initiating an exchange and that parties interested in pursuing HIE closely tracked the progression of these laws. However, we may reasonably expect that the effect of legislation on the propensity of an exchange actually becoming operational may be less immediate, because the resources afforded by these laws may be critical in exchanges advancing their capabilities. We find some support for this notion, with the coefficient on our baseline interaction of Incentives and PrivConsent for OperationalHIE roughly half the magnitude of our primary estimation (13.5% versus 23.0%). Our lagged term, however, is larger (11.7%) but less precisely estimated (p = 0.24), suggesting some variability in the lagged effect of relevant legislation. We should note that we are not able to observe lagged effects for states that passed laws within the last year of our panel (Oregon and Alaska), which may also be contributing to higher standard errors for estimation of our lagged term.
The results from our cross-sectional model (see Table 3) offer some explanation for the differential HIE gains from incentives coupled with consent requirements and also address alternative interpretations of our results. First, we evaluate the validity of our earlier conjecture that the effectiveness of incentives with consent requirements is driven by the propensity of consent requirements to address elevated consumer privacy concerns associated with HIE incentives. We find evidence in support of this conjecture with HIE incentives not coupled with consent requirements positively associated with increased scrutiny and privacy concerns. Specifically, we find that HIEs in states with HIE incentives but without consent requirements were 30% more likely to report that privacy was a major challenge compared with HIEs in states with incentives and consent requirements (p < 0.01) and 14% more likely to report that privacy was a major challenge in their development compared with states without any legislation (p < 0.05). HIEs in states with incentives and consent requirements were least likely to report major privacy challenges compared with all other legislative approaches (p < 0.01).
Results from our cross-sectional model also help to rule out what we considered the most prominent confounding factors to the interpretations of our results. First, we consider whether our results merely reflect heterogeneity in the propensity of incentives coupled with consent requirements to provide funding opportunities for HIE efforts (the lack of sufficient financial support has been a prominent barrier to HIE development). Although we account for this in our panel estimation by controlling for HIE incentives with funding opportunities (Funding), we address this concern further by evaluating any association between HIE self-reported funding challenges and incentives that included consent requirements. We do not find support for the notion that HIEs in states with consent requirements significantly differed with respect to their access to sources of funding: column (B) in Table 3 shows that, although HIEs in states with HIE incentives were 24% less likely to report that funding was a major challenge (p < 0.05), there is no significant correlation between consent requirements and funding being a major challenge for HIEs with an insignificant estimate on Incentives_s × PrivConsent_s.

In addition, we evaluate whether legislative approaches coupling incentives with consent requirements actually resulted in a positive effect on exchange capabilities in a healthcare market. Specifically, it may be the case that, although legislative approaches coupling incentives with consent result in a higher likelihood of an exchange being operational, these exchanges may have less extensive or comprehensive exchange capabilities. We do not find evidence of this, however, with an insignificant estimate on Incentives_s × PrivConsent_s for HighPatientHIE (column (C)). In fact, the positive estimate on this coefficient suggests that HIEs in states with both incentives and consent requirements trended toward covering more patients, not fewer.

Table 3 Consent Requirements and Key HIE Characteristics

| | (A) PrivChallenge | (B) FundChallenge | (C) HighPatientHIE |
|---|---|---|---|
| Incentives | 0.144* (0.066) | −0.240* (0.118) | −0.102 (0.114) |
| Incentives × PrivConsent | −0.302** (0.068) | −0.102 (0.141) | 0.160 (0.107) |
| Population | 0.007* (0.003) | −0.005 (0.003) | −0.005 (0.003) |
| PerCapGDP | −0.007** (0.002) | −0.007 (0.005) | 0.010+ (0.006) |
| BroadbandAccess | −0.001 (0.003) | 0.006 (0.007) | 0.008 (0.009) |
| Democratic | −0.015 (0.064) | −0.019 (0.112) | 0.070 (0.103) |
| TopMed | 0.135* (0.053) | 0.218+ (0.117) | 0.087 (0.127) |
| AdvancedDegree | 0.030* (0.014) | 0.019 (0.029) | −0.078* (0.034) |
| Over65 | 0.032** (0.011) | −0.011 (0.022) | −0.030 (0.020) |
| MonthsPursuing | −0.001+ (0.0001) | −0.002 (0.001) | 0.003** (0.001) |
| FormalGov | −0.087 (0.073) | −0.104 (0.155) | 0.437* (0.159) |
| Observations | 133 | 136 | 70 |
| R-squared | 0.13 | 0.11 | 0.19 |

Notes. Robust standard errors are shown in parentheses. The number of observations varies because of some nonresponses in the survey; column (C) only uses responses from operational exchanges. +p < 0.1; *p < 0.05; **p < 0.01.
7. Robustness

We evaluated the robustness of our primary results (model 1) by examining concerns regarding (1) the endogenous passing of legislation providing incentives and consent, (2) our assumption that HRRs are subject to only one legislative approach, and (3) incentive heterogeneity and high-impact states.
7.1. Endogeneity of Incentives and Consent

The results presented in §6 highlighted the unique role of consent requirements combined with HIE incentives in spurring the emergence of planning and operational HIEs. The model we estimate was identified using HRR and time fixed effects to isolate within-HRR variation over time and controls that could be correlated with the legislative initiatives of interest and the pursuit of HIE. However, a state’s choice of a particular legislative approach is certainly not random, exposing our estimates to potential bias if there exists time-varying heterogeneity between states with certain legislative approaches that also contributes to the success of HIEs. Although the direction of this bias is ambiguous (i.e., it is possible that the potential bias in our results makes our results more conservative), we focus on the potential bias, which could result in the overestimation of our central result.
First, rather than HIE laws driving HIE activity, these laws could instead be passed as a result of increased HIE activity. To assess this possibility, we plotted the total number of attempted HIEs (planning plus operational) for the main HIE legislative approaches we identified. Figure 3 reveals that states that ultimately passed consent requirements did not have elevated levels of HIE activity before the passage of the law. In fact, they had the lowest level of HIE activity when compared with other legislative approaches. More generally, before the period in which most HIE laws were passed (pre-2007), there were minor differences in the number of attempted HIEs. However, as we move into 2007, states with no legislation or incentives without consent maintain a roughly constant rate of growth, whereas states that coupled incentives with consent requirements see a significant increase in attempted HIEs. We further evaluate possible reverse causality by estimating our main model with one-time-period lead variables for the legal requirements (see columns (A) and (B) in Table 4). This allows us to evaluate whether the trends of increased planning and operational HIEs were, in fact, in existence prior to the enactment of relevant HIE laws. We find that our initial result is robust to the inclusion of lead variables and that the estimates on our lead variables, including the interaction of incentives and consent requirements, are insignificant.

Figure 3 (Color online) Number of HIEs in States with Key Legislative Approaches. [Line chart; x-axis: 2004–2010; y-axis: Total HIEs (attempted HIEs), 0 to 5.0; series: Incentives and PrivConsent, Incentives and PrivNoConsent, No HIE law.]
In addition, our main estimation evaluates the impact on HIE efforts of legislation with HIE incentives compared with states without any such legislation. However, HIE incentives may be correlated with time-varying state unobservables that also impact HIE outcomes. For example, HIE incentives may be correlated with changes in political attitudes or public opinion toward the importance of health IT, which is likely to also have an impact on the emergence of HIE efforts. As a result, we evaluate whether our results are being driven by differences between states with and without HIE incentives. Specifically, we estimate our model using only the subset of states that have legislation with HIE incentives (columns (C) and (D) in Table 4). The results are consistent with those in our original estimation with a sizable and significant (p < 0.05) impact of Incentives × PrivConsent on both PlanningHIE and OperationalHIE. In addition, we argue that the heterogeneous effects on HIE efforts of incentives (e.g., incentives without consent had a marginal or no effect on HIE efforts) make it less likely that unobserved factors, correlated over time with HIE incentives, are systematically driving HIE efforts.
With respect to the endogeneity of privacy regulation, prior work (e.g., Miller and Tucker 2011) has used privacy regulation limiting the disclosure of health information as an instrumental variable in the estimation of the effect of EMR adoption on healthcare outcomes, arguing and presenting evidence that such regulations are likely exogenous to shifts in states' focus on healthcare issues and political motivations. Similar to such analysis, we find that states with consent requirements varied considerably in terms of geographic location, size, and state political affiliation. Moreover, we propose, similar to the case against the endogeneity of HIE incentives, that our results partially shield us from these concerns. If unobserved factors are powerfully driving HIE efforts and these factors are correlated, over time, with privacy regulation, the divergent effects of privacy regulation (e.g., privacy regulation without incentives actually inhibited HIE efforts) would be considerably more difficult to identify. Since we focus on the interaction of privacy regulation with incentives, we are still concerned that specific legislative approaches, particularly legislative approaches that couple incentives with consent requirements, could be differentially correlated with other unobserved factors over time that could also drive the emergence of planning and operational HIEs. For instance, it is possible that legislative approaches coupling consent requirements with incentives are also associated with changes in attitudes toward health IT and the value of technology in healthcare settings. However, we consider this unlikely, because HIEs have expressed significant concerns over consent-based regulation. For instance, in a recent report (National eHealth Collaborative 2011), HIE administrators suggested that requiring patients to opt in to an HIE was a barrier to achieving the critical mass of patient records needed to generate theorized benefits. As a result, we suggest that it is more likely that states that adopt consent requirements signal a shift toward a more tempered attitude toward the trade-offs associated with health IT relative to states with HIE incentives alongside less stringent regulation, likely making our results more conservative.

Table 4 Robustness Checks

                                    Lead variable analysis           Only states with incentives      Excluding overlapping HRR
                                    (A)             (B)              (C)             (D)              (E)             (F)
                                    PlanningHIE     OperationalHIE   PlanningHIE     OperationalHIE   PlanningHIE     OperationalHIE
PrivConsent                         −0.354**        −0.123*          −0.372**        −0.109
                                    (0.0614)        (0.0575)         (0.0853)        (0.0819)
PrivNoConsent                       −0.0246         −0.0845**        −0.106**        −0.114**
                                    (0.0407)        (0.0230)         (0.0368)        (0.0374)
Incentives                          −0.00114        0.0266           0.0172          0.0150
                                    (0.0394)        (0.0282)         (0.0585)        (0.0276)
Incentives × PrivConsent            0.389**         0.164**          0.248*          0.160**          0.445**         0.221**
                                    (0.104)         (0.0569)         (0.0923)        (0.0491)         (0.122)         (0.0673)
Incentives × PrivNoConsent          0.0430          0.0630+          0.0779          0.0904*
                                    (0.0717)        (0.0346)         (0.0826)        (0.0411)
IncentivesLead                      0.0230          −0.0319
                                    (0.0354)        (0.0311)
IncentivesLead × PrivConsentLead    0.116           0.0798
                                    (0.0700)        (0.0481)
IncentivesLead × PrivNoConsentLead  −0.0601         0.0447
                                    (0.0437)        (0.0332)
StateDesignated                     −0.161+         0.245**          −0.246+         0.152+           −0.156+         0.187*
                                    (0.0954)        (0.0482)         (0.125)         (0.0796)         (0.0894)        (0.0711)
Funding                             0.0433          −0.0662**        0.0568          −0.0656*         0.0503          −0.0590*
                                    (0.119)         (0.0210)         (0.0963)        (0.0290)         (0.117)         (0.0239)
CPOEAdoption                        0.0128          0.0894           −0.0408         −0.0393          0.0160          0.0924
                                    (0.0682)        (0.0793)         (0.0992)        (0.0973)         (0.0724)        (0.0880)
OperationalHIE                      −0.530**                         −0.526**                         −0.523**
                                    (0.0638)                         (0.0885)                         (0.0577)
Observations                        3,366           3,366            1,584           1,584            3,384           3,384
R-squared                           0.197           0.114            0.219           0.143            0.198           0.119
Control variables                   Yes             Yes              Yes             Yes              Yes             Yes
Time fixed effects                  Yes             Yes              Yes             Yes              Yes             Yes
HRR fixed effects                   Yes             Yes              Yes             Yes              Yes             Yes

Note. Robust standard errors are shown in parentheses. +p < 0.1; *p < 0.05; **p < 0.01. For the rows with only four reported estimates, the extracted source gives no entries under columns (E) and (F); those four values are placed under (A)–(D) in the order printed.
Finally, the combination of incentives and consent requirements could reflect the sophistication of state legislative bodies in anticipating and proactively addressing the central concerns associated with increased HIE activity in the state. This sophistication could also be correlated with better administered, managed, and otherwise executed incentive programs that yield improved HIE outcomes. To evaluate this concern, we leverage work by Squire (2007) that ranks state legislatures based on their professionalism. We first find that measures of state legislative professionalism do not vary considerably over time: all but one of the states ranking below the median in 1996 continued to rank below the median in 2003 (the most recent ranking). Moreover, the states that passed consent requirements and incentives varied considerably in their legislative professionalism, with four of the eight states ranking below the median in 2003.
Although we take a number of steps to consider and evaluate potential endogeneity of legislative efforts, we acknowledge that these concerns may persist to some degree, as they often do with empirical work of this nature.
7.2. HRR Boundaries

Measuring HIE activity at the level of an HRR allows us to identify the impact of legislation on the propensity of an HIE to be operational or in the planning stage within relatively self-contained healthcare markets; it also allows for meaningful comparison across states with regions subject to varying legislative approaches. This approach requires us to assume that each HRR is contained within a single state and thus a single legislative approach. However, HRR boundaries can sometimes span multiple states that may have different legislative approaches. We find that this is fairly uncommon, with 80% of HRRs either being fully contained in a single state or overlapping with states that had the same legislative approach. An additional 11% of HRRs had minor overlap (less than 25% of their population) in states with different legislative approaches. When we exclude the remaining 9% of HRRs, which had significant overlap in states with different legislation approaches, and estimate our main model (see Table 4, columns (E) and (F)), we find consistent results with our original estimation.29
7.3. Incentive Heterogeneity and High-Impact States

Although we control for the most prominent variation in the strategies that states take toward HIE incentives, there may also be other HIE incentives that are less common in our analysis but may still have an impact on the nature of HIE incentives and also on HIE outcomes. Specifically, we identified four other features of HIE incentives that were less frequent but still of potential interest: whether HIE incentives were directed to an existing private organization as opposed to a government entity, whether HIE incentives instituted a pilot program, whether incentives addressed existing regulation viewed as an impediment to HIE progress, and whether incentives had an interstate dimension. To evaluate whether these less common features of HIE incentives impact our estimation, we estimate our main model with additional controls capturing these less frequent features of HIE incentives and find consistent results with our main estimation (see EC.3 in the electronic companion). Because our analysis relies on a limited number of states, it is also possible that our results are not due to a correlation between consent requirements and incentives but by a single state with unique HIE incentives or with disproportionate HIE success as a result of factors not captured in our model. To address this concern, we limit our analysis to states with HIE incentives and sequentially exclude all regions in a given state that coupled incentives with consent requirements from our estimation for PlanningHIE and OperationalHIE (see EC.3 in the electronic companion). We find that our results for PlanningHIE and OperationalHIE are robust to sequential exclusion of states with incentives and consent requirements. Excluding New York seems to have the largest impact on estimates of the effect of incentives coupled with consent requirements, but these estimates are still significant for OperationalHIE and marginally significant for PlanningHIE.

29 Although not presented here for clarity, our results are also consistent when using a state-level ordinary least squares estimation approach with aggregated count measures of HIE activity, state and time fixed effects, and state-level controls.
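The lead-variable placebo of §7.1 (Table 4, columns (A) and (B)) and the sequential-exclusion check of §7.3 are both re-estimations of the same two-way fixed-effects model on a modified design or sample. The Python example below is added here for illustration and is not the paper's code or data: it builds a constructed, balanced HRR × year panel with a known treatment effect, estimates the model with HRR and year fixed effects by the within transformation (exact for a balanced panel), adds one-period leads of the law indicators, and then drops each incentives-plus-consent state in turn. The state timeline, coefficient sizes, noise level, and variable names are assumptions chosen to mimic the paper's pattern.

```python
"""Two-way fixed-effects panel regression with a lead-variable placebo and a
leave-one-state-out check, on a constructed HRR x year panel (illustrative data,
not the paper's)."""
import random

YEARS = list(range(2004, 2011))
HRRS_PER_STATE = 4

# Constructed legislative timeline (assumption): state -> (incentive passage year,
# consent-requirement passage year); None means the state never passed that law.
STATE_LAWS = {
    "S0": (2007, 2007),  # incentives coupled with a consent requirement
    "S1": (2008, 2008),  # incentives coupled with a consent requirement
    "S2": (2007, None),  # incentives without a consent requirement
    "S3": (2008, None),  # incentives without a consent requirement
    "S4": (None, 2006),  # consent requirement only
    "S5": (None, None),  # no HIE law
}

# True coefficients used to generate the outcome (assumption, chosen to mimic the
# paper's pattern: consent alone hurts, incentives coupled with consent help).
TRUE_BETA = {"Incentives": 0.10, "PrivConsent": -0.15, "IncentivesxPrivConsent": 0.40}
MAIN = list(TRUE_BETA)
LEADS = ["IncentivesLead", "IncentivesLeadxPrivConsentLead"]


def law_active(passage_year, year):
    """1.0 if the law has been enacted by `year`, else 0.0."""
    return 1.0 if passage_year is not None and year >= passage_year else 0.0


def build_panel(seed=1, noise_sd=0.02):
    """Balanced panel: every HRR observed every year, with HRR and year effects."""
    rng = random.Random(seed)
    year_fx = {y: 0.03 * (y - YEARS[0]) for y in YEARS}
    rows = []
    for state, (inc_year, con_year) in STATE_LAWS.items():
        for h in range(HRRS_PER_STATE):
            hrr_fx = rng.uniform(-0.2, 0.2)
            for y in YEARS:
                inc, con = law_active(inc_year, y), law_active(con_year, y)
                inc_lead, con_lead = law_active(inc_year, y + 1), law_active(con_year, y + 1)
                x = {"Incentives": inc, "PrivConsent": con, "IncentivesxPrivConsent": inc * con,
                     "IncentivesLead": inc_lead, "IncentivesLeadxPrivConsentLead": inc_lead * con_lead}
                outcome = (sum(TRUE_BETA[k] * x[k] for k in TRUE_BETA)
                           + hrr_fx + year_fx[y] + rng.gauss(0, noise_sd))
                rows.append({"state": state, "hrr": f"{state}-{h}", "year": y, "y": outcome, **x})
    return rows


def demean_twoway(rows, names):
    """Within transformation v - mean_hrr - mean_year + grand mean (exact for a balanced panel)."""
    def group_means(key):
        groups = {}
        for r in rows:
            groups.setdefault(r[key], []).append(r)
        return {g: {n: sum(r[n] for r in rs) / len(rs) for n in names} for g, rs in groups.items()}
    by_hrr, by_year = group_means("hrr"), group_means("year")
    grand = {n: sum(r[n] for r in rows) / len(rows) for n in names}
    return [[r[n] - by_hrr[r["hrr"]][n] - by_year[r["year"]][n] + grand[n] for n in names] for r in rows]


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for the small normal equations."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [m[r][j] - f * m[c][j] for j in range(n + 1)]
    return [m[i][n] / m[i][i] for i in range(n)]


def fe_ols(rows, regressors):
    """Two-way fixed-effects OLS; returns {regressor: coefficient}."""
    data = demean_twoway(rows, ["y"] + regressors)
    k = len(regressors)
    xtx = [[sum(d[i + 1] * d[j + 1] for d in data) for j in range(k)] for i in range(k)]
    xty = [sum(d[i + 1] * d[0] for d in data) for i in range(k)]
    return dict(zip(regressors, solve(xtx, xty)))


def lead_placebo(rows):
    """Add one-period leads (Table 4 columns (A)/(B) style); their coefficients
    should be near zero if HIE activity did not rise before enactment."""
    return fe_ols(rows, MAIN + LEADS)


def leave_one_state_out(rows):
    """Sequentially drop every state that coupled incentives with consent and
    re-estimate; returns {dropped_state: interaction coefficient}."""
    results = {}
    for state, (inc_year, con_year) in STATE_LAWS.items():
        if inc_year is not None and con_year is not None:
            subset = [r for r in rows if r["state"] != state]
            results[state] = fe_ols(subset, MAIN)["IncentivesxPrivConsent"]
    return results


if __name__ == "__main__":
    panel = build_panel()
    print("main model:", fe_ols(panel, MAIN))
    print("with leads:", lead_placebo(panel))
    print("leave-one-state-out:", leave_one_state_out(panel))
```

Because the outcome is generated with the effect starting in the year of passage, the lead coefficients are identified only by the pre-passage year of each treated state and come out near zero, which is the pattern the authors report for their lead variables; dropping either coupling state leaves the interaction estimate close to its full-sample value, which is what the sequential-exclusion check looks for. The within transformation used here is only exact for a balanced panel; an unbalanced panel (as after dropping individual HRRs rather than whole states) needs dummy variables or an iterative demeaning instead.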
8. Discussion and Conclusions

We evaluated the impact of legislation that varied in whether it included requirements for patient consent and provided HIE incentives over a span of six years. We document a surprising interplay between state attempts to incentivize HIE efforts and privacy regulation. Specifically, although privacy regulation alone—and, in particular, regulation with consent requirements—resulted in a negative effect on HIE efforts, coupling HIE incentives with consent requirements was the only legislative approach intended to encourage HIE efforts that actually resulted in an increase in operational HIEs. We find that this result is robust to considerations of reverse causality, endogeneity of HIE incentives and consent requirements, considerations of HRR legislative boundaries, incentive heterogeneity, and a single state driving the effect. We also find that HIEs in states with both incentives and consent requirements reported lower levels of concern about patient privacy issues, whereas exchanges in states with HIE incentives but without consent requirements reported higher levels of patient privacy concerns. We propose that this elevated concern may be due to an association between HIE incentives and privacy concerns that inhibit the effectiveness of such incentives when consent requirements are not in place.
There are limitations to this research. The dependent variables presented in this work may not cover the full breadth of potential measures of success for HIEs. For instance, prior research on HIEs has noted that sharing by HIEs has been limited in breadth and scope (Adler-Milstein et al. 2009). We evaluate these measures using cross-sectional data, but future work may evaluate the impact of various legislative approaches on these measures in more substantive terms. Moreover, an increase in regional HIE efforts may not necessarily be a positive outcome. For example, a better outcome might be to have only one exchange that facilitates exchange for all providers in the state. However, the current national strategy for the exchange of health information involves spurring small regional efforts and then linking them as building blocks of state and national exchange (Vest and Gamm 2010). As is true in prior work, we can thus view a higher probability of HIEs in planning and operational stages in HRRs as a positive indicator of HIE progress. Moreover, our work focuses specifically on the role of providing patients with the choice to consent in the context of HIEs, but other key concerns with HIEs may also be relevant. For example, it may be prudent in future work to evaluate the role of information security requirements on the development and progress of HIEs. Finally, this paper focuses on regional models of HIE and, although alternative approaches to HIE exist (e.g., national EMR vendor HIE networks), we use an inclusive and widely held definition of clinical data exchange between unaffiliated entities (i.e., those with no shared ownership or governance). Moreover, regional efforts are more likely to capture the full benefits of HIE because the other approaches (e.g., vendor driven) restrict data exchange in some way. It is therefore critical to understand the conditions under which the HIE efforts included in our study can succeed and, in particular, the policy conditions that foster their success.
Our results help to inform the large national effort underway to achieve the broad-based exchange of health information. Given that HIEs offer innovative healthcare technology solutions with the potential to alleviate two of the most pressing concerns of the current healthcare system—rising costs and inconsistent quality—this study proposes a complementarity of technology incentives and substantive consumer privacy protections, highlighting the potential for future efforts to incentivize HIE growth while balancing patient privacy concerns. Such results may help to inform the broader debate on the role of privacy regulation in information technology efforts. First, the findings highlight the potential for the negative effects of privacy regulation on information technology efforts to be counteracted by technology incentives. Additionally, the focus on both the impact of technology incentives and privacy requirements extends the growing body of empirical work in this space and bolsters the notion that privacy regulation can have heterogeneous and complex effects on information technology efforts. Specifically, we suggest that a symbiotic relationship may exist between technology incentives and substantive privacy regulation with simultaneous benefit to both consumers and proponents of information technology efforts. This yields a possible lesson for regulators and policy makers: legislative approaches that both incentivize technology efforts and provide consumer privacy protections may be one approach for enabling the growth of valuable information technology efforts while addressing consumer privacy concerns.
Supplemental Material

Supplemental material to this paper is available at http://dx.doi.org/10.1287/mnsc.2015.2194.
Acknowledgments

The authors thank their reviewers for helpful comments and suggestions and their associate editor for exceptional effort and guidance throughout the review process. They thank HIMSS Analytics for providing some of the data used in this study and multiple discussants and seminar participants for their insights. In particular, the authors are grateful for the useful feedback from participants at the 2013 National Bureau of Economic Research Workshop on the Economics of IT and Digitization, with distinct gratitude for the insightful feedback of Avi Goldfarb, Catherine Tucker, and Amalia Miller. The authors also thank Sasha Romanosky, Zia Hydari, and Corey Angst for their review of early drafts of the manuscript. In addition, the authors thank their research assistants Megan McGovern, Danning Chen, and Kara Cronin for their diligent work in support of this manuscript. Finally, Alessandro Acquisti gratefully acknowledges support from the Carnegie Corporation of New York via an Andrew Carnegie Fellowship. The statements made and views expressed in this paper are solely the responsibility of the authors. All errors are the authors' own.
References

Adler-Milstein J, Bates DW, Jha AK (2009) U.S. regional health information organizations: Progress but challenges remain. Health Affairs 28(2):483–492.
Adler-Milstein J, Bates DW, Jha AK (2011) A survey of health information exchange organizations in the United States: Implications for meaningful use. Ann. Internal Medicine 154(10):666–671.
Anderson CL, Agarwal R (2011) The digitization of healthcare: Boundary risks, emotion, and consumer willingness to disclose personal health information. Inform. Systems Res. 22(3):469–490.
Angrist JD, Pischke JS (2008) Mostly Harmless Econometrics: An Empiricist's Companion (Princeton University Press, Princeton, NJ).
Angst CM, Agarwal R (2009) Adoption of electronic health records in the presence of privacy concerns: The elaboration likelihood model and individual persuasion. MIS Quart. 33(2):339–370.
Angst CM, Agarwal R, Sambamurthy V, Kelley K (2010) Social contagion and information technology diffusion: The adoption of electronic medical records in U.S. hospitals. Management Sci. 56(8):1219–1241.
Bamberger K, Mulligan D (2011) Privacy on the books and on the ground. Stanford Law Rev. 63(274):274–315.
Bertrand M, Duflo E, Mullainathan S (2004) How much should we trust differences-in-differences estimates? Quart. J. Econom. 119(1):249–275.
Blumenthal D (2010) Launching HITECH. New Engl. J. Med. 362(5):382–385.
Blumenthal D, Tavenner M (2010) The "meaningful use" regulation for electronic health records. New Engl. J. Med. 363(6):501–504.
Brandimarte L, Acquisti A, Loewenstein G (2012) Misplaced confidences: Privacy and the control paradox. Soc. Psych. Personality Sci. 4(3):340–347.
Cala A (2013) Renewable energy in Spain is taking a beating. New York Times (October 8), http://www.nytimes.com/2013/10/09/business/energy-environment/renewable-energy-in-spain-is-taking-a-beating.html.
Comarow A (2009) America's best hospitals: The 2009–2010 honor roll. U.S. News & World Report (July 15), http://health.usnews.com/health-news/best-hospitals/articles/2009/07/15/americas-best-hospitals-the-2009-2010-honor-roll.
eHealth Initiative (2005–2010) Annual survey of Health Information Exchange at the state and local levels. Report, eHealth Initiative, Washington, DC. https://www.ehidc.org/articles/reports.
Federal Trade Commission (2012) Protecting consumer privacy in an era of rapid change: Recommendations for businesses and policy makers. Report, Federal Trade Commission, Washington, DC. https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers.
Goldfarb A, Tucker CE (2011) Privacy regulation and online advertising. Management Sci. 57(1):57–71.
Goldstein M, Rein A (2010) Consumer consent options for electronic health information exchange: Policy considerations and analysis. Report, Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services, Washington, DC.
Greenberg MD, Ridgely MS, Hillestad RJ (2009) Crossed wires: How yesterday's privacy rules might undercut tomorrow's nationwide health information network. Health Affairs 28(2):450–452.
Greene W (2002) The behavior of the fixed effects estimator in nonlinear models. Working Paper EC-02-05, New York University, New York.
Grossman JM, Kushner KL, November EA (2008) Creating sustainable local health information exchanges: Can barriers to stakeholder participation be overcome? Res. Brief February(2):1–12.
Jha AK, Chan DC, Ridgway AB, Franz C, Bates DW (2009) Improving safety and eliminating redundant tests: Cutting costs in U.S. hospitals. Health Affairs 28(5):1475–1484.
Kennedy P (1992) A Guide to Econometrics (Blackwell, Oxford, UK).
Lai Y, Hui K (2006) Internet opt-in and opt-out: Investigating the roles of frames, defaults and privacy concerns. Proc. 2006 ACM SIGMIS CPR (ACM, New York), 253–263.
Lenard TM, Rubin PH (2005) Slow down on data security legislation. Progress Snapshot (Release 1.9), https://www.techpolicyinstitute.org/files/ps1.9.pdf.
McDonald C (2009) Protecting patients in health information exchange: A defense of the HIPAA privacy rule. Health Affairs 28(2):447–449.
McGraw D, Dempsey JX, Harris L, Goldman J (2009) Privacy as an enabler, not an impediment: Building trust into health information exchange. Health Affairs 28(2):416–427.
Miliard M (2010) ACLU brings suit against Rhode Island HIE. Healthcare IT News (December 1), http://www.healthcareitnews.com/news/aclu-brings-suit-against-rhode-island-hie-0.
Miller AR, Tucker C (2009) Privacy protection and technology diffusion: The case of electronic medical records. Management Sci. 55(7):1077–1093.
Miller AR, Tucker CE (2011) Can health care information technology save babies? J. Political Econom. 119(2):289–324.
National eHealth Collaborative (2011) Secrets of HIE success revealed: Lessons from the leaders. Report, HIE Networks, Tallahassee, FL. http://www.nationalehealth.org/ckfinder/userfiles/files/REPORT%20-SecretsofHIESuccessRevealed.pdf.
National Rural Health Resource Center (2015) Health information exchange—First considerations. Report, National Rural Health Resource Center, Duluth, MN. Accessed September 1, 2015, https://www.ruralcenter.org/sites/default/files/rhitnd/HIE-First%20Considerations-National%20Rural%20Health%20Resource%20Center.pdf.
Neyman J, Scott EL (1948) Consistent estimates based on partially consistent observations. Econometrica 16(1):1–32.
Office of the National Coordinator for Health Information Technology (2012) Electronic health record adoption and utilization: 2012 highlights and accomplishments. Report, Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services, Washington, DC.
Posner R (1981) The economics of privacy. Amer. Econom. Rev. 71(2):405–409.
Pritts J, Choy A, Emmart L, Hustead J (2002) The State of Health Privacy: A Survey of State Health Privacy Statutes (Georgetown University, Washington, DC).
Pritts J, Lewis S, Jacobson R, Lucia K, Kayne K (2009) Privacy and security solutions for interoperable health information exchange: Report on state law requirements for patient permission to disclose health information. Report, Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services, Washington, DC.
Sheng H, Nah FH, Siau K (2008) An experimental study on ubiquitous commerce adoption: Impact of personalization and privacy concerns. J. Assoc. Inform. Systems 9(6):Article 15.
Simon S, Evans JS, Benjamin A, Delano D, Bates DW (2009) Patients' attitudes toward electronic health information exchange: Qualitative study. J. Medical Internet Res. 11(3):e30.
Solove DJ (2004) The Digital Person: Technology and Privacy in the Information Age (New York University Press, New York).
Somaskanda S (2013) Renewable energy losing its shine in Europe. USA Today (March 23), http://www.usatoday.com/story/money/business/2013/03/21/europe-renewable-energy/2006245/.
Squire P (2007) Measuring state legislative professionalism: The Squire index revisited. State Politics Policy Quart. 7(2):211–227.
Stigler G (1980) An introduction to privacy in economics and politics. J. Legal Stud. 9(4):628–633.
Stutzman F, Gross R, Acquisti A (2013) Silent listeners: The evolution of privacy and disclosure on Facebook. J. Privacy Confidentiality 4(2):7–41.
Vest JR, Gamm LD (2010) Health information exchange: Persistent challenges and new strategies. J. Amer. Medical Informatics Assoc. 17(3):288–294.
Walker J, Pan E, Johnston D, Adler-Milstein J, Bates DW, Middleton B (2005) The value of health care information exchange and interoperability. Health Affairs 24(2):10–18.
Wennberg JE, Cooper MM (1996) The diagnosis and surgical treatment of common medical conditions. The Dartmouth Atlas of Healthcare (American Hospital Publishing, Chicago), 113–144.
White House (2012) Consumer data privacy in a networked world: A framework for protecting privacy and promoting innovation in the global digital economy. Report, U.S. Government Printing Office, Washington, DC.
Copyright 2016, by INFORMS, all rights reserved. Copyright of Management Science is the property of INFORMS: Institute for Operations Research and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
Chapter 11 Health Care Information System Standards
Throughout this text we have examined a variety of different types of standards that affect, directly or indirectly, the management of health information systems. In Chapter Ten we examined health care performance standards; Chapter Two looked at data quality standards, Chapter Nine at security standards, and so on. In this chapter we will examine yet another category of standards that affect healthcare data and information systems: health care information system (HCIS) standards. In all cases the standards examined represent the measuring stick or set of rules against which an entity, such as an organization or system, will compare its structures, processes, or functions to determine compliance. In the case of the HCIS standards discussed in this chapter the aim is to provide a common set of rules by which health care information systems can communicate. Systems that conform to different standards cannot communicate with one another without some form of translation. Portability, data exchange, and interoperability among different health information systems can be achieved only if they can "communicate." For a simple analogy, think about traveling to a country where you do not speak the language. You would not be able to communicate with that country's citizens without a common language or translator. Think of the common language you adopt as the standard set of rules to which all parties agree to adhere. Once you and others agree on a common language, you and they can communicate. You may still have some problems, but generally these can be overcome.
By nature HCIS standards include technical specifications, which make it less easy for the typical health care administrator to fully understand them. In addition, a complex web of public and private organizations create, manage, and implement HCIS standards, resulting in standards that are not always aligned, making the standards even more difficult to fully grasp. In fact, some may actually compete with one another. In addition to the complex web of standards specifically designed for HCIS, there are many general IT standards that affect healthcare information systems. Networking standards, such as Ethernet and Wi-Fi, employed by health care organizations are not specific to healthcare. Extensible markup language (XML) is widely accepted as a standard for sharing data using web-based technologies in healthcare and other industries. There are many other examples that are beyond the scope of this text. Our focus will be on the standards that are specific to HCIS.
With HIPAA came the push for adoption of administrative transaction and data exchange standards. This effort has been largely successful; claims are routinely submitted via standard electronic transaction protocols. However, although real progress has been made in recent years, complete interoperability among health care information systems remains elusive. Chapter Three examined the need for interoperability among health care information systems to promote better health of our citizens; Chapter Two discussed the lack of standardization in EHRs as an issue with using EHR data in research; and Chapter Nine outlined problems associated with misalignment of quality and performance measures, in part because of a lack of interoperability and standardization in EHRs and other health care information systems. Interoperability, as defined by the ONC (2015) in its publication Connecting Health Care for the Nation: A Shared Nationwide Interoperability Roadmap, results from multiple initiatives, including payment, regulatory, and other policy changes to support a collaborative and connected health care system. The best political and social infrastructures, however, will not succeed in achieving interoperability without supportive technologies.
This chapter is divided into three main sections. The first section is an overview of HCIS standards, providing general information about the types of standards and their purposes. The second section examines a few of the major initiatives, public and private, responsible for creating, requiring, or implementing HCIS standards. Finally, the last section of the chapter examines some of the most commonly adopted HCIS standards, including examples of the standards when possible.

HCIS Standards Overview

Keith Boone, a prolific blogger and writer on all topics related to HIT standards, once wrote, "Standards are like potato chips. You always need more than one to get the job done" (Boone, 2012b). In general, the health care IT community discusses HCIS standards in terms of their specific function, such as privacy and security, EHRs, electronic prescribing (e-prescribing), lab reporting, and so on, but the reality is that achieving one of these or other functions requires multiple standards directed at different levels within the HCIS. For example, there is a need for standards at the level of basic communication across the Internet or other network (Transporting), standards for structuring the content of messages communicated across the network (Data Interchange and Messaging), standards that describe required data elements for a particular function, such as the EHR or clinical summary (Content), and standards for naming or classifying the actual data, such as units of measure, lab tests, diagnoses, and so on (Vocabulary/Terminology). Unfortunately, there is no universal model for categorizing the plethora of HCIS standards. In this chapter we will look at standards described as Data Interchange and Messaging, Content, and Vocabulary/Terminology standards.
Standards, as we have seen, are the sets of rules for what should be included for the needed function and system level. This is only a portion of the challenge in implementing standards. The other challenge is how the standards are used for a particular function or use case. Much of the work today toward achieving interoperability of healthcare information systems is concerned with the how. Organizations that develop standards may also create specific implementation guides for using the standard in a particular use case. (To further complicate the already complicated standards environment, these implementation guides are sometimes referred to as standards.) Other organizations, such as the ONC, develop frameworks for implementing standards, and several government initiatives, such as HIPAA and HITECH, have set requirements for implementing specific standards or sets of standards.
Standards Development Process
When seeking to understand why so many different IT and health care information standards exist, it is helpful to look first at the standards development process that exists in the United States (and internationally). In general, the methods used to establish healthcare IT standards can be divided into four categories (Hammond & Cimino, 2006):
- Ad hoc. A standard is established by the ad hoc method when a group of interested people or organizations agrees on a certain specification without any formal adoption process. The Digital Imaging and Communications in Medicine (DICOM) standard for health care imaging came about in this way.
- De facto. A de facto standard arises when a vendor or other commercial enterprise controls such a large segment of the market that its product becomes the recognized norm. The SQL database language and the Windows operating system are examples of de facto standards. XML is becoming a de facto standard for health care and other types of industry messaging.
- Government mandate. Standards are also established when the government mandates that the healthcare industry adopt them. Examples are the transaction and code sets mandated by the Health Insurance Portability and Accountability Act (HIPAA) regulations.
- Consensus. Consensus-based standards come about when representatives from various interested groups come together to reach a formal agreement on specifications. The process is generally open and involves considerable comment and feedback from the industry. This method is employed by the standards developing organizations (SDOs) accredited by the American National Standards Institute (ANSI). Many health care information standards are developed by this method, including Health Level Seven (HL7) standards and the health-related Accredited Standards Committee (ASC) standards.
The relationships among standard-setting organizations can be confusing, to say the least. Not only do many of the acronyms sound similar but also the organizations themselves, as voluntary, member-based organizations, can set their own missions and goals. Therefore, although there is a formally recognized relationship among the International Organization for Standardization (ISO), ANSI, and the SDOs, there is also some overlap in activities. Table 11.1 outlines the relationships among the formal standard-setting organizations and for each one gives a brief overview of important facts and a current website.
Table 11.1 Relationships among standards-setting organizations
Source: ANSI (n.d.a, n.d.b, n.d.c); ISO (n.d.).
Organization | Facts | Website
International Organization for Standardization (ISO) | Members are national standards bodies from many different countries around the world. Oversees the flow of documentation and international approval of standards development under the auspices of its member bodies. | www.iso.org
American National Standards Institute (ANSI) | US member of ISO. Accredits standards development organizations (SDOs) from a wide range of industries, including health care. Does not develop standards but accredits the organizations that develop standards. Publishes more than ten thousand standards developed by accredited SDOs. | www.ansi.org
Standards Developing Organizations (SDOs) | Must be accredited by ANSI. Develop standards in accordance with ANSI criteria. Can use the label “Approved American National Standard.” Approximately two hundred SDOs are accredited; twenty of these produce 90 percent of the standards. | www.standardsportal.org
All the ANSI-accredited SDOs must adhere to the guidelines established for accreditation; therefore, they have similar standard-setting processes. According to ANSI, this process includes the following:
- Consensus on a proposed standard by a group or “consensus body” that includes representatives from materially affected or interested parties
- Broad-based public review and comment on draft standards
- Consideration of and response to comments submitted by voting members of the relevant consensus body and by public review commenters
- Incorporation of approved changes into a draft standard
- Right to appeal by any participant that believes that due process principles were not sufficiently respected during the standards development in accordance with the ANSI-accredited procedures of the standards developer (ANSI, n.d.c)
The IT industry in general has experienced a movement away from the process of establishing standards via the accredited SDOs. The Internet and World Wide Web standards, for example, were developed by groups with much less formal structures. However, the accredited SDOs continue to have a significant impact on the IT standards for the healthcare industry.
Boone (2012a) lists the following organizations as major developers of HIT standards in the United States, a list that includes a mix of accredited SDOs and other developers. Each organization's specific areas for standard development are indicated in brackets. ANSI-accredited SDOs are indicated with an “*.”
- International Organization for Standardization (ISO) [various]
- ASTM International (ASTM) [various]*
- Accredited Standards Committee (ASC) X12 [Insurance Transactions]*
- Health Level Seven International (HL7) [various]*
- Digital Imaging and Communications in Medicine (DICOM) [Imaging]
- National Council for Prescription Drug Programs (NCPDP) [ePrescribing]
- Regenstrief (LOINC) [Laboratory Vocabulary]
- International Health Terminology SDO (IHTSDO) [Clinical Terminology]
In addition, Boone (2012a) identifies the following “other” organizations as having a major impact on HIT:
- World Wide Web Consortium (W3C) [XML, HTML]
- Internet Engineering Task Force (IETF) [Internet]
- Organization for the Advancement of Structured Information Standards (OASIS) [Business use of XML]
He further identifies key groups known as “profiling bodies” (Boone, 2012a) that use existing standards to create comprehensive implementation guides. Two examples of profiling bodies are Integrating the Healthcare Enterprise (IHE) and the ONC, which focus on guidance for implementing clinical interoperability standards.
Perspective
European Committee for Standardization (CEN)
Although the focus of this chapter is standards developed within the United States, it is important to recognize there are other standards organizations worldwide. For example, the European Committee for Standardization (CEN) was created in Brussels in 1975. In 2010 CEN partnered with another European standards developing organization, the European Committee for Electrotechnical Standardization (CENELEC), to form the CEN-CENELEC Management Centre (CCMC) in Brussels, Belgium. The CCMC current membership includes national standards bodies from thirty-three European countries (CEN-CENELEC, n.d.).
The Technical Committee within CEN that oversees healthcare informatics standards is CEN TC 251, which consists of two working groups:
- WG1: Enterprise and Information
- WG2: Technology and Applications
Source: CEN (n.d.).
Federal Initiatives Affecting Healthcare IT Standards
There are many federal initiatives that affect healthcare IT standards. In this section we look at federal initiatives for healthcare IT standards as a part of HIPAA, CMS e-prescribing, CMS EHR Incentive Program, and the Office of the National Coordinator for Health Information Technology (ONC), including the Interoperability Roadmap.
HIPAA
In August 2000, the US Department of Health and Human Services published the final rule outlining the standards to be adopted by health care organizations for electronic transactions and announced the designated standard maintenance organizations (DSMOs). In publishing this rule, which has been modified as needed, the federal government mandated that health care organizations adopt certain standards for electronic transactions and standard code sets for these transactions and identified the standards organizations that would oversee the adoption of standards for HIPAA compliance. The DSMOs have the responsibility for the development, maintenance, and modification of relevant electronic data interchange standards. HIPAA transaction standards apply to all covered entities' electronic data interchange (EDI) related to claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits, and premium payments. The current HIPAA transaction standards are ASC X12N version 5010 (which accommodates ICD-10) along with NCPDP D.0 for pharmacy transactions (CMS, 2016b). In addition to these transaction standards, several standard code sets were established for use in electronic transactions, including ICD-10-CM, ICD-10-PCS, HCPCS, CPT, and Code on Dental Procedures and Nomenclature (CDT) (CMS, 2016a).
Centers for Medicare and Medicaid E-prescribing
The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) established a Voluntary Prescription Drug Benefit program. There is no requirement in this act that providers write prescriptions electronically, but those who choose to do so must comply with specific e-prescribing standards. The current published CMS e-prescribing standards consist of three sets of existing healthcare IT standards as “foundation” standards, which include NCPDP's SCRIPT Standard for e-Prescribing, ASC X12N standard for Health Care Eligibility Benefit and Response, and NCPDP's telecommunications standard. In addition, the final rule identifies three additional electronic tools to be used in implementing e-prescribing:
- NCPDP Formulary and Benefit Standard Implementation Guide, which provides information about drugs covered under the beneficiary's benefit plan
- NCPDP SCRIPT Medication History Transactions, which provides information about medications a beneficiary has been taking
- Fill Status Notification (RxFill), which allows prescribers to receive an electronic notice from the pharmacy regarding the beneficiary's prescription status (CMS, 2013)
Centers for Medicare and Medicaid EHR Incentive Programs
As discussed previously, the Medicare and Medicaid EHR Incentive Programs were established as a part of the HITECH Act to encourage eligible providers (EPs) and eligible hospitals (EHs) to demonstrate Meaningful Use of certified EHR technology. EHR certification for Stage 1 and Stage 2 Meaningful Use requires EPs and EHs to meet specific criteria. Certification requirements are organized according to objectives, measures, specific criteria, and standards. Not all criteria include specific standards, but many do. Examples of standards required by 2014 certification rules include using the HL7 Implementation Guide for CDA in meeting the criteria for providing patients the ability to view online, download, and transmit information about a hospital. Other standards include SNOMED CT, which is required for coding a patient's smoking status, RxNorm, which is required for medications, and LOINC, which is required for laboratory tests, among others (HealthIT.gov, 2014).
Office of the National Coordinator for Health Information Technology
As discussed in previous chapters, the Office of the National Coordinator for Health Information Technology (ONC) was established in 2004 and charged with providing “leadership for the development and nationwide implementation of an interoperable health information technology infrastructure to improve the quality and efficiency of health care” (HHS, 2008).
In 2009, the role of the ONC was strengthened when the HITECH Act legislatively mandated ONC to provide this leadership and oversight (HHS, 2012). Today, the ONC is “the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information” (HealthIT.gov, n.d.).
Current ONC initiatives, in addition to implementing HITECH, include implementation of healthcare IT standards for interoperability. In Chapter Three, the ONC Interoperability Roadmap was introduced and key milestones related to payment reform and outcomes were outlined. The Roadmap also outlines key milestones for the development and implementation of technologies to support interoperability (ONC, 2015). Beginning in 2015, the ONC published its first Interoperability Standards Advisory, which has been subsequently updated annually. This Advisory document outlines the ONC-identified “best available” standards and implementation specifications for clinical IT interoperability. The identified standards and specifications in the 2016 Advisory are grouped into three sections:
- Best Available Vocabulary/Code Set/Terminology Standards and Implementation Specifications, which address the “semantics,” or standard meanings of codes and terms needed for interoperability
- Best Available Content/Structure Standards and Implementation Specifications, which address the “syntax,” or rules by which the common data elements can be shared to achieve interoperability
- Best Available Standards and Implementation Specification for Services, which address infrastructure components needed to achieve interoperability (ONC, 2016)
Each specific standard is identified and defined by six characteristics: process maturity, implementation maturity, adoption level, federal requirement status, cost, and whether a testing tool is available. The Advisory also includes hyperlinks to the standards and implementation guides cited. Exhibit 11.1 is an excerpt from the 2016 Advisory.
Exhibit 11.1 Excerpt from ONC 2016 Interoperability Standards Advisory
Section I: Best Available Vocabulary/Code Set/Terminology Standards and Implementation Specifications
I-A: Allergies
Interoperability Need: Representing patient allergic reactions
Type | Standard/Implementation Specification | Standards Process Maturity | Implementation Maturity | Adoption Level | Federally Required | Cost | Test Tool Availability
Standard | SNOMED CT | Final | Production | [graphic not reproduced] | No | Free | N/A
Limitations, Dependencies, and Preconditions for Consideration: SNOMED CT may not be sufficient to differentiate between an allergy or adverse reaction, or the level of severity
Applicable Value Set(s): Value Set Problem, urn:oid:2.16.840.1.113883.3.88.12.3221.7.4
Interoperability Need: Representing patient allergens: medications
Type | Standard/Implementation Specification | Standards Process Maturity | Implementation Maturity | Adoption Level | Federally Required | Cost | Test Tool Availability
Standard | RxNorm | Final | Production | [graphic not reproduced] | Yes | Free | N/A
Standard | NDF-RT | Final | Production | Unknown | No | Free | N/A
Source: ONC (2016).
Other Organizations Influencing Health Care IT Standards
The following organizations certainly do not represent the full list of bodies that are involved with healthcare IT standards development and implementation. However, they do represent a few of the most significant nongovernment contributors. ASTM International and HL7 International are accredited SDOs with standards specifically addressing health care information. IHE is a recognized profiling body influencing the implementation of interoperability standards.
ASTM International
ASTM International was formerly known as the American Society for Testing and Materials. ASTM International has more than thirty thousand members from across the globe, and they are responsible for publishing more than twelve thousand standards. ASTM standards range from those that dictate traffic paint to cell phone casings (ASTM, n.d.a, n.d.b). The ASTM Standards for Healthcare Services, Products and Technology include medical device standards and health information standards. The health information standards are managed by the ASTM Committee E31, which focuses on “the development of standards that help doctors and health care practitioners preserve and transfer patient information using EHR technologies” (ASTM, 2014). Of particular note, the E31 standards include the continuity of care record (CCR) discussed further on in this chapter.
HL7 International
HL7 International was founded in 1987. It is an ANSI-accredited SDO “dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information that supports clinical practice and the management, delivery and evaluation of health services” (HL7, n.d.). The HL7 standards related to interoperability and listed on its website as “Primary Standards,” or most used, include the following:
- Version 2 and 3 HL7 messaging standards, interoperability specifications for health and medical transactions; these are the standards commonly referred to as HL7
- Clinical Document Architecture (CDA), a document markup standard for clinical information exchange among providers based on version 3 of HL7
- Continuity of Care Document (CCD), a joint effort with ASTM providing complete guidance for implementation of CDA in the United States
- Clinical Context Object Workgroup (CCOW), interoperability standards for visually integrating applications “at the point of use”
These primary standards are not the only ones developed by HL7 International. The organization also publishes Functional EHR and PHR specifications; Arden Syntax, a markup language for sharing medical information; and GELLO, a query language for medical records. One of the most promising of the HL7 International standards is Fast Healthcare Interoperability Resources (FHIR). FHIR is built on HL7 but is considered easier to implement because it uses web-based technologies (Ahier, 2015). Several of the HL7 standards, including FHIR, will be explained in greater detail further on in this chapter.
IHE
Integrating the Healthcare Enterprise (IHE) has developed a series of profiles to guide health care documentation sharing. These profiles are not standards but rather include very specific guidance for how existing standards can be implemented to meet clinical needs (IHE, n.d.b). The current IHE profiles are organized as follows:
- Anatomic Pathology
- Cardiology
- Eye Care
- IT Infrastructure
- Laboratory
- Pathology and Laboratory Medicine
- Patient Care Coordination
- Patient Care Device
- Pharmacy
- Quality, Research, and Public Health
- Radiation Oncology
- Radiology
As an example, the IHE Patient Care Coordination Profile group includes twenty individual profiles, and each profile is further identified by its current implementation stage (IHE, n.d.a).
Health IT Standards
The development and implementation of healthcare IT standards is complex and constantly evolving. The preceding sections of this chapter are intended to provide some insight into the processes of the organizations involved in standards development. The following sections examine examples of the actual standards. This is by no means an exhaustive list of healthcare IT standards but rather a sampling of a few that are commonly used or significant in other ways.
Vocabulary and Terminology Standards
One of the most difficult problems in exchanging health care information and creating interoperable EHRs is coordinating the vast amount of health information that is generated in diverse locations for patients and populations. The vocabulary and terminology standards discussed in this section serve similar purposes—to create a common language that enables different information systems or vendor products to communicate unambiguously with one another. In a very simplified example, a standard vocabulary would ensure that the medical term myocardial infarction is mapped to the term heart attack and that both terms share exactly the same attributes. An effective standard vocabulary must also standardize the very complex hierarchy and syntax of the language used in the health industry. This is a complicated and detailed endeavor to say the least. So it is not surprising that, to date, no single vocabulary has emerged to meet all the information exchange needs of the health care sector.
The most widely recognized coding and classification systems—ICD, Current Procedural Terminology (CPT), and diagnosis related groups (DRGs)—were discussed in Chapter Two. Although these systems and the other coding systems discussed in this section do not meet the criteria for full clinical vocabularies, they are used to code diagnoses and procedures and are the basis for information retrieval in healthcare information systems. Most were originally developed to facilitate disease and procedure information retrieval, but they have been adopted to code for billing services as well. Several of the most commonly used classification systems are actually incorporated across more robust standard vocabularies such as SNOMED CT and UMLS.
The code sets required by HIPAA include the following:
- HCPCS (ancillary services or procedures) (see Chapter Two)
- CPT-4 (physician procedures) (see Chapter Two)
- CDT (dental terminology)
- ICD-10 (see Chapter Two)
- NDC (national drug codes)
The HITECH Meaningful Use final rule also includes ICD-10 as its classification standard.
The National Committee on Vital and Health Statistics (NCVHS) has the responsibility, under a HIPAA mandate, to recommend uniform data standards for patient medical record information (PMRI). Although no single vocabulary has been recognized by NCVHS as the standard, they have recommended the following as a core set of PMRI terminology standards:
- Systematized Nomenclature of Medicine—Clinical Terms (SNOMED CT)
- Logical Observation Identifiers Names and Codes (LOINC) laboratory subset
- Several federal drug terminologies, including RxNorm (NCVHS, 2003)
The HITECH Meaningful Use final rule and the ONC Advisory include these standards and the standard for clinical vaccines administered (CVX).
In this section we will describe SNOMED CT, LOINC, CVX, and RxNorm, along with the National Library of Medicine's Unified Medical Language System (UMLS) (of which RxNorm is one component), which has become the standard for bibliographic searches in health care and has the potential for other uses as well.
Code on Dental Procedures and Nomenclature
The American Dental Association (ADA) publishes the CDT, Code on Dental Procedures and Nomenclature. This set of codes is designed to support accurate recording and reporting of dental treatments. The ADA strives to maintain an up-to-date set of codes that reflect actual practice (ADA, n.d.). The code set is divided into twelve sections, as follows (Washington Dental Service, 2012):
- Diagnostic (D0000–D0999)
- Preventive (D1000–D1999)
- Restorative (D2000–D2999)
- Endodontics (D3000–D3999)
- Periodontics (D4000–D4999)
- Prosthodontics, removable (D5000–D5899)
- Maxillofacial prosthetics (D5900–D5999)
- Implant services (D6000–D6199)
- Prosthodontics, fixed (D6200–D6999)
- Oral and maxillofacial surgery (D7000–D7999)
- Orthodontics (D8000–D8999)
- General services (D9000–D9999)
National Drug Codes
The National Drug Code (NDC) is the universal product identifier for all human drugs. The Drug Listing Act of 1972 requires registered drug companies to provide the Food and Drug Administration (FDA) a current listing of all drugs “manufactured, prepared, propagated, compounded, or processed by it for commercial distribution” (FDA, 2016). The FDA, in turn, assigns the unique, three-segment NDC (listed as package code in the following example) and maintains the information in the National Drug Code Directory. The NDC Directory is updated twice each month. Data maintained for each drug include up to sixteen fields. The information for the common over-the-counter drug Tylenol PM (Extra Strength), for example, is as follows:
Product NDC: 50580-176
Product Type Name: Human OTC Drug
Proprietary Name: Tylenol PM (Extra Strength)
Non-proprietary Name: Acetaminophen and Diphenhydramine Hydrochloride
Dosage Formulation: Tablet, Coated
Route Name: Oral
Start Marketing Date: 12-01-1991
End Marketing Date: <blank field>
Marketing Category Name: OTC Monograph Final
Application Number: part338
Labeler Name: McNeil Consumer Healthcare Div. McNeil-PPC, Inc
Substance Name: Acetaminophen; Diphenhydramine Hydrochloride
Strength Number/Unit: 500 mg/1, 25 mg/1
Pharm Class: Histamine H1 Receptor Antagonists [MoA], Histamine-1 Receptor Antagonist [EPC]
Package Code: 50580-176-10
Package Description: 1 Bottle, Plastic in 1 Carton (50580-176-10) > 100 tablet, coated in 1 Bottle, Plastic
DEA classification: <blank>
(US FDA, 2016)
Systematized Nomenclature of Medicine—Clinical Terms
Systematized Nomenclature of Medicine—Clinical Terms (SNOMED CT) is a comprehensive clinical terminology developed specifically to facilitate the electronic storage and retrieval of detailed clinical information. It is the result of collaboration between the College of American Pathologists (CAP) and the United Kingdom's National Health Service (NHS). SNOMED CT merges CAP's SNOMED Reference Terminology, an older classification system used to group diseases, and the NHS's Clinical Terms Version 3 (also known as Read Codes), an established clinical terminology used in Great Britain and elsewhere. As a result, SNOMED CT is based on decades of research. As of April 2007 SNOMED is owned, maintained, and distributed by the International Health Terminology Standards Development Organization (IHTSDO), a nonprofit association based in Denmark. The National Library of Medicine is the US member of the IHTSDO and distributes SNOMED CT at no cost within the United States (IHTSDO, n.d.; NLM, 2016b).
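The three-segment NDC in the Tylenol PM record above is printed as 50580-176-10 but must be carried as an 11-digit 5-4-2 value in HIPAA transactions, and a hyphen-stripped 10-digit code cannot be read back unambiguously. The following is an added example, not code from the page or from the FDA; only the package code 50580-176-10 comes from the page, the other codes are constructed, and the three 10-digit layouts (4-4-2, 5-3-2, 5-4-1) and the zero-padding rule are assumptions stated in the code rather than facts given on the page.

```python
"""Normalizing three-segment National Drug Codes (NDCs).

Added example, not code from the page or from the FDA. The package code
50580-176-10 comes from the Tylenol PM record above; every other code here is
constructed. Assumed rules (not stated on the page): a printed NDC carries
10 digits laid out as 4-4-2, 5-3-2 or 5-4-1 (labeler-product-package), and the
11-digit 5-4-2 form used in HIPAA transactions is obtained by left-padding the
short segment with a single zero.
"""
import re
from typing import Set, Tuple

# Hyphenated labeler-product-package code, e.g. 50580-176-10.
NDC_RE = re.compile(r"^(\d{4,5})-(\d{3,4})-(\d{1,2})$")

# The three segment layouts assumed above (digits per segment).
VALID_LAYOUTS = {(4, 4, 2), (5, 3, 2), (5, 4, 1)}


def split_ndc(ndc: str) -> Tuple[str, str, str]:
    """Return (labeler, product, package) or raise ValueError.

    Only hyphenated input is accepted: without the hyphens a 10-digit NDC
    cannot be read unambiguously (see ambiguous_readings below).
    """
    match = NDC_RE.match(ndc.strip())
    if not match:
        raise ValueError(f"not a hyphenated three-segment NDC: {ndc!r}")
    labeler, product, package = match.groups()
    layout = (len(labeler), len(product), len(package))
    if layout not in VALID_LAYOUTS:
        raise ValueError(f"segment layout {layout} is not a known layout: {ndc!r}")
    return labeler, product, package


def is_valid_ndc(ndc: str) -> bool:
    """True when the code parses into one of the three layouts."""
    try:
        split_ndc(ndc)
        return True
    except ValueError:
        return False


def to_11_digit(ndc: str) -> str:
    """Normalize to the 11-digit 5-4-2 form used in HIPAA transactions."""
    labeler, product, package = split_ndc(ndc)
    return labeler.zfill(5) + product.zfill(4) + package.zfill(2)


def to_hipaa_hyphenated(ndc: str) -> str:
    """Same normalization, kept hyphenated for display (5-4-2)."""
    digits = to_11_digit(ndc)
    return f"{digits[:5]}-{digits[5:9]}-{digits[9:]}"


def same_product(a: str, b: str) -> bool:
    """Compare two package codes on labeler and product only (ignores package size)."""
    return to_11_digit(a)[:9] == to_11_digit(b)[:9]


def ambiguous_readings(digits10: str) -> Set[str]:
    """All 11-digit values a bare 10-digit string could stand for.

    Shows why a hyphen-stripped NDC must not be trusted: each layout pads a
    different segment, so one string can name up to three drugs/packages.
    """
    if not re.fullmatch(r"\d{10}", digits10):
        raise ValueError("expected exactly 10 digits")
    readings = set()
    for l_len, p_len, _k_len in VALID_LAYOUTS:
        labeler = digits10[:l_len]
        product = digits10[l_len:l_len + p_len]
        package = digits10[l_len + p_len:]
        readings.add(labeler.zfill(5) + product.zfill(4) + package.zfill(2))
    return readings


if __name__ == "__main__":
    # Package code from the page's Tylenol PM (Extra Strength) record.
    print(to_11_digit("50580-176-10"))            # 50580017610
    print(to_hipaa_hyphenated("50580-176-10"))    # 50580-0176-10
    print(sorted(ambiguous_readings("5058017610")))
```

A record whose NDC is stored with hyphens stripped should be rejected at ingest rather than guessed at, since the three candidate readings identify different products.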
Logical Observation Identifiers Names and Codes
The Logical Observation Identifiers Names and Codes (LOINC) system was developed to facilitate the electronic transmission of laboratory results to hospitals, physicians, third-party payers, and other users of laboratory data. Initiated in 1994 by the Regenstrief Institute at Indiana University, LOINC provides a standard set of universal names and codes for identifying individual laboratory and clinical results. These standard codes enable users to merge clinical results from disparate sources (Regenstrief Institute, n.d.). LOINC codes have a fixed length field of seven characters. Current codes range from three to seven characters long. There are six parts in the LOINC name structure: component/analyte, property, time aspect, system, scale type, and method. The syntax for a name follows this pattern (Case, 2011):
LOINC Code:Component:Property Measured:Timing:System:Scale:Method
Example: 5193-8:Hepatitis B virus surface Ab:ACnc:Pt:Ser:Qn:EIA
Clinical Vaccines Administered
The Centers for Disease Control and Prevention (CDC) National Center of Immunization and Respiratory Diseases (NCIRD) developed the Clinical Vaccines Administered (CVX) as standard codes and terminology for use with HL7 messaging standards. Table 11.2 is an excerpt from the full CVX table.
Table 11.2 Excerpt from CVX (clinical vaccines administered)
Short Description | Full Vaccine Name | CVX Code | Status | Last Date Updated | Notes
adenovirus types 4 and 7 | adenovirus, type 4 and type 7, live, oral | 143 | Active | 3/20/2011 | This vaccine is administered as two tablets.
anthrax | anthrax vaccine | 24 | Active | 5/28/2010 |
BCG | Bacillus Calmette-Guerin vaccine | 19 | Active | 5/28/2010 |
DTaP, IPV, Hib, HepB | Diphtheria and Tetanus Toxoids and Acellular Pertussis Absorbed, Inactivated Poliovirus, Haemophilus b Conjugate (Meningococcal Outer Membrane Protein Complex), and Hepatitis B (Recombinant) Vaccine | 146 | Pending | 9/21/2015 | Note that this vaccine is different from CVX 132.
influenza, seasonal, injectable | influenza, seasonal, injectable | 141 | Active | 7/17/2013 | This is one of two codes replacing CVX 15, which is being retired.
influenza, live, intranasal | influenza virus vaccine, live, attenuated, for intranasal use | 111 | Inactive | 5/28/2010 |
RxNorm
The National Library of Medicine (NLM) produces RxNorm, which serves two purposes: as “a normalized naming system for generic and brand name drugs and as a tool for supporting semantic interoperation between drug terminologies and pharmacy knowledge–based systems” (NLM, 2016a). The goal of RxNorm is to enable disparate health information systems to communicate with one another in an unambiguous manner.
There are twelve separate RxNorm data files that are released on a monthly basis. The files show this information:
- Drug names and unique identifiers
- Relationships
- Attributes
- Semantic types
- Data history (three files)
- Obsolete data (three files)
- Metadata (two files)
The following example from the first RxNorm data file represents the “concept,” Azithromycin 250 MG Oral Capsule, with the unique identifier 141962 (NLM, 2016a):
141962|ENG||||||944489|944489|141962||RXNORM|SCD|141962|Azithromycin 250 MG Oral Capsule||N||
Unified Medical Language System
The NLM began the Unified Medical Language System (UMLS) project in 1986, and it is ongoing today. The purpose of the UMLS project is “to facilitate the development of computer systems that behave as if they ‘understand’ the meaning of the language of biomedicine and health. The UMLS provides data for system developers as well as search and report functions for less technical users” (NLM, 2016b).
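Two records in this section are shown only as strings: the colon-separated LOINC name 5193-8:Hepatitis B virus surface Ab:ACnc:Pt:Ser:Qn:EIA and the pipe-delimited RxNorm row for concept 141962. The following is an added example that parses both, not code from the page, Regenstrief, or NLM; it assumes two things the page does not state, that the LOINC digit after the hyphen is a Mod 10 (Luhn) check digit and that the 18 RXNCONSO.RRF column names are those in NLM's RxNorm documentation.

```python
"""Parsing the two terminology records shown in this section.

Added example, not code from the page, Regenstrief or NLM. It handles the
LOINC fully specified name 5193-8:Hepatitis B virus surface Ab:ACnc:Pt:Ser:Qn:EIA
and the RXNCONSO.RRF row for RXCUI 141962 quoted above. Two assumptions are not
stated on the page: the LOINC check digit (the digit after the hyphen) follows
the Mod 10 / Luhn rule, and the 18 RXNCONSO column names are taken from NLM's
RxNorm technical documentation.
"""
from dataclasses import dataclass
from typing import Dict

# Record strings copied from the page (hyphen, not en dash, in the LOINC code).
LOINC_EXAMPLE = "5193-8:Hepatitis B virus surface Ab:ACnc:Pt:Ser:Qn:EIA"
RXNCONSO_EXAMPLE = (
    "141962|ENG||||||944489|944489|141962||RXNORM|SCD|141962|"
    "Azithromycin 250 MG Oral Capsule||N||"
)


# ---------- LOINC: code with check digit, then the six name axes ----------

@dataclass(frozen=True)
class LoincName:
    code: str
    component: str          # analyte, e.g. Hepatitis B virus surface Ab
    property_measured: str  # e.g. ACnc
    timing: str             # e.g. Pt (point in time)
    system: str             # specimen, e.g. Ser (serum)
    scale: str              # e.g. Qn (quantitative)
    method: str             # e.g. EIA; may be empty


def loinc_check_digit_ok(code: str) -> bool:
    """Mod 10 (Luhn) check over all digits, the check digit included.

    Accepts the page's range of 3 to 7 characters ("1-8" up to "99999-9").
    """
    if not 3 <= len(code) <= 7 or "-" not in code:
        return False
    body, _, check = code.partition("-")
    if not (body.isdigit() and check.isdigit() and len(check) == 1):
        return False
    total = 0
    for i, ch in enumerate(reversed(body + check)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_loinc_name(text: str) -> LoincName:
    """Split 'CODE:Component:Property:Timing:System:Scale:Method'.

    Exactly seven colon-separated fields are required; a missing method
    axis must still be present as an empty trailing field.
    """
    parts = [p.strip() for p in text.split(":")]
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {text!r}")
    if not loinc_check_digit_ok(parts[0]):
        raise ValueError(f"LOINC check digit failed: {parts[0]}")
    return LoincName(*parts)


# ---------- RxNorm: one pipe-delimited row of RXNCONSO.RRF ----------

# Column order assumed from NLM's RxNorm documentation (not given on the page).
RXNCONSO_COLUMNS = (
    "RXCUI", "LAT", "TS", "LUI", "STT", "SUI", "ISPREF", "RXAUI", "SAUI",
    "SCUI", "SDUI", "SAB", "TTY", "CODE", "STR", "SRL", "SUPPRESS", "CVF",
)


def parse_rxnconso_line(line: str) -> Dict[str, str]:
    """Map one RRF row to column -> value.

    RRF rows end with a trailing '|', so splitting yields one extra empty
    element; it is dropped only when the count shows it is that trailer.
    """
    fields = line.rstrip("\r\n").split("|")
    if len(fields) == len(RXNCONSO_COLUMNS) + 1 and fields[-1] == "":
        fields.pop()
    if len(fields) != len(RXNCONSO_COLUMNS):
        raise ValueError(f"expected {len(RXNCONSO_COLUMNS)} fields, got {len(fields)}")
    return dict(zip(RXNCONSO_COLUMNS, fields))


def is_current_rxnorm_term(row: Dict[str, str]) -> bool:
    """True for an unsuppressed English term asserted by RxNorm itself (SAB=RXNORM)."""
    return row["SAB"] == "RXNORM" and row["LAT"] == "ENG" and row["SUPPRESS"] == "N"


if __name__ == "__main__":
    name = parse_loinc_name(LOINC_EXAMPLE)
    print(name.code, name.component, name.system, name.method)
    row = parse_rxnconso_line(RXNCONSO_EXAMPLE)
    print(row["RXCUI"], row["TTY"], row["STR"], is_current_rxnorm_term(row))
```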
The UMLS has three basic components, called knowledge sources:
- UMLS Metathesaurus, which contains concepts from more than one hundred source vocabularies. All the common health information vocabularies, including SNOMED CT, ICD, and CPT, along with approximately one hundred other vocabularies, including RxNorm, are incorporated into the metathesaurus. The metathesaurus project's goal is to incorporate and map existing vocabularies into a single system.
- UMLS Semantic Network, which defines 133 broad categories and dozens of relationships between categories for labeling the biomedical domain. The semantic network contains information about the categories (such as “Disease or Syndrome” and “Virus”) to which metathesaurus concepts are assigned. The semantic network also outlines the relationships among the categories (for example, “Virus” causes “Disease or Syndrome”).
- SPECIALIST Lexicon and Lexical Tools. The SPECIALIST lexicon is a dictionary of English words, common and biomedical, which exists to support natural language processing.
The UMLS products are widely used in NLM's own applications, such as PubMed, and they are available to other organizations free of charge, provided the users submit a license agreement (NLM, 2016b). Currently, components of UMLS are incorporated into other standards and profiles for health care IT interoperability.
Data Exchange and Messaging Standards
The ability to exchange and integrate data among health care applications is critical to the success of any overall health care information system, whether an organizational, regional, or national level of integration is desired. Although there is some overlap, these standards differ from the vocabulary standards because their major purpose is to standardize the actual “messaging” between health care information systems. Messaging standards are key to interoperability. In this section we will look at a few of the standards that have been developed for this purpose. There are others, and new needs are continually being identified.
However, the following groups of standards are recognized as important to the health care sector, and together they provide examples of broad standards addressing all types of applications and specific standards addressing one type of application:
- Health Level Seven messaging standards (HL7)
- Digital Imaging and Communications in Medicine (DICOM)
- National Council for Prescription Drug Programs (NCPDP)
- ANSI ASC X12N standards
Two other groups of standards discussed in this section actually combine some features of messaging standards and content standards:
- Continuity of Care Document (CCD)
- Fast Healthcare Interoperability Resources (FHIR)
HIPAA specifically requires covered entities to comply with specific ANSI X12N and NCPDP standards. HITECH and the ONC Advisory also cite specific messaging standards and the CCD. FHIR is currently under development by HL7 International and is being cited by health care IT professionals as a major advancement toward true interoperability.
Health Level Seven Standards
Two versions of HL7 messaging standards, Version 2 and Version 3, are listed by HL7 International as “primary,” or commonly used. HL7 v2 remains popular in spite of the development of HL7 v3. HL7 v2 was first introduced in 1987 and has become the “workhorse of electronic data exchange” (HL7, n.d.). HL7 v3 incorporates the root elements of XML and, as such, is a significant change from early versions. See the HL7 Perspective for an example of HL7 v3.
Digital Imaging and Communications in Medicine Standards
The growth of digital diagnostic imaging (such as CT scans and MRIs) gave rise to the need for a standard for the electronic transfer of these images between devices manufactured by different vendors. The American College of Radiology (ACR) and the National Electrical Manufacturers Association (NEMA) published the first standard, a precursor to the current Digital Imaging and Communications in Medicine (DICOM) standard, in 1985. The goals of DICOM are to “achieve compatibility and to improve workflow efficiency between imaging systems and other information systems in healthcare environments worldwide.” It is used by all of the major diagnostic medical imaging vendors, which translates to its use in nearly every medical profession that uses images (DICOM, 2016).
National Council for Prescription Drug Programs Standards
The National Council for Prescription Drug Programs (NCPDP), an ANSI-accredited SDO with more than 1,600 members representing the pharmacy services industry, has developed a set of standards for the electronic submission of third-party drug claims (NCPDP, 2012). These standards not only include the telecommunication standards and batch standards required by HIPAA but also the SCRIPT standard required for e-prescribing, among others. Of note, the SCRIPT standard currently incorporates RxNorm as its standardized medication nomenclature. The NCPDP Provider Identification Number is a unique identifier of more than seventy-five thousand pharmacies. Table 11.3 presents excerpts from the NCPDP Data Dictionary, which outlines a few of the Transmission Header Segment requirements. The entire data dictionary table is more than seventy pages long (CMS, 2002).
Table 11.3 Excerpt from NCPDP data dictionary
| NCPDP Data Dictionary Name | Field Number | NCPDP Definition of Field | Version D.0 Format | Valid Values per the Standard |
|---|---|---|---|---|
| Service Provider ID Qualifier | 202-B2 | Code qualifying the Service Provider ID | X(02) | Blank=Not Specified; 01=National Provider Identifier (NPI); 02=Blue Cross; 03=Blue Shield; 04=Medicare; 05=Medicaid; 06=UPIN; 07=NCPDP Provider ID; 08=State License; 09=Champus; 10=Health Industry Number (HIN); 11=Federal Tax ID; 12=Drug Enforcement Administration (DEA); 13=State Issued; 14=Plan Specific; 15=HCID (HC IDea); 99=Other |
| Service Provider ID | 201-B1 | ID assigned to pharmacy or provider | X(15) | N/A |
| Date of Service | 401-D1 | Identifies the date the prescription was filled or professional service rendered or subsequent payer began coverage following Part A expiration in a long-term care setting only | 9(08) | Format=CCYYMMDD |
Perspective
HL7 Laboratory Results Use Case
The following object identifiers (OIDs) are used within the Good Health Hospital (GHH):
GHH Placer Order IDs: 2.16.840.1.113883.19.1122.14
GHH Lab Filler Order IDs: 2.16.840.1.113883.19.1122.4
The code system for the observation within the GHH is LOINC: 2.16.840.1.113883.6.1
The HL7 Confidentiality Code system: 2.16.840.1.113883.5.25
The HL7 v3 Message: Domain Content Excerpt
The “Domain Content” starts with its own root element: observationEvent. The elements within specify the type of observation, the ID, the time of the observation, the statusCode, and the results. The value for the actual result is shown in the value element. The interpretationCode element shows that the value has been interpreted as high (H), while referenceRange provides the normal values for this particular observation.
<observationEvent>
  <id root="2.16.840.1.113883.19.1122.4" extension="1045813" assigningAuthorityName="GHH LAB Filler Orders"/>
  <code code="1554-5" codeSystemName="LN" codeSystem="2.16.840.1.113883.6.1" displayName="GLUCOSE^POST 12H CFST:MCNC:PT:SER/PLAS:QN"/>
  <statusCode code="completed"/>
  <effectiveTime value="200202150730"/>
  <priorityCode code="R"/>
  <confidentialityCode code="N" codeSystem="2.16.840.1.113883.5.25"/>
  <value xsi:type="PQ" value="182" unit="mg/dL"/>
  <interpretationCode code="H"/>
  <referenceRange>
    <interpretationRange>
      <value xsi:type="IVL_PQ">
        <low value="70" unit="mg/dL"/>
        <high value="105" unit="mg/dL"/>
      </value>
      <interpretationCode code="N"/>
    </interpretationRange>
  </referenceRange>
</observationEvent>
Source: Spronk (2007). http://www.ringholm.de/docs/04300_en.htm. Used under CC BY-SA 3.0, https://creativecommons.org/licenses/by-sa/3.0/. Used with permission.
ANSI ASC X12N Standards
The ANSI Accredited Standards Committee (ASC) X12 develops standards in X12 and XML formats for the electronic exchange of business information. One ASC X12 subcommittee, X12N, has been specifically designated to deal with electronic data interchange (EDI) standards in the insurance industry, and this subcommittee has a special health care task group, known as TG2. According to the X12 TG2 website, “the purpose of the Health Care Task group shall be the development and maintenance of data standards (both national and international) which shall support the exchange of business information for healthcare administration. Health care data includes, but is not limited to, such business functions as eligibility, referrals and authorizations, claims, claim status, payment and remittance advice, and provider directories” (ASC X12, n.d.). To this end ASC X12N has developed a set of standards that are monitored and updated through ASC X12N work groups.
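As an added example (not from the text and not part of Spronk's message set), the following Python parses the observationEvent excerpt from the HL7 Perspective above, refuses the message unless the observation code comes from the LOINC OID and the result and reference-range units agree, and recomputes the interpretation from the value; the xmlns:xsi declaration (declared in the enclosing message the excerpt omits) and the simple high/low rule are assumptions.

```python
"""Parse the HL7 v3 observationEvent from the HL7 Laboratory Results use case
and check the reported interpretation against the value and referenceRange.

Added example; not part of the text or of Spronk's message set. The XML is the
page's excerpt with an assumed xmlns:xsi declaration (the excerpt omits the
enclosing message, where that namespace is declared), and the H/L/N rule is a
simplifying assumption.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

# OIDs named in the HL7 Perspective of the text.
LOINC_OID = "2.16.840.1.113883.6.1"
GHH_LAB_FILLER_OID = "2.16.840.1.113883.19.1122.4"
HL7_CONFIDENTIALITY_OID = "2.16.840.1.113883.5.25"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# The page's excerpt, re-typed with straight quotes; xmlns:xsi is assumed.
OBSERVATION_XML = f"""<observationEvent xmlns:xsi="{XSI}">
  <id root="{GHH_LAB_FILLER_OID}" extension="1045813"
      assigningAuthorityName="GHH LAB Filler Orders"/>
  <code code="1554-5" codeSystemName="LN" codeSystem="{LOINC_OID}"
        displayName="GLUCOSE^POST 12H CFST:MCNC:PT:SER/PLAS:QN"/>
  <statusCode code="completed"/>
  <effectiveTime value="200202150730"/>
  <priorityCode code="R"/>
  <confidentialityCode code="N" codeSystem="{HL7_CONFIDENTIALITY_OID}"/>
  <value xsi:type="PQ" value="182" unit="mg/dL"/>
  <interpretationCode code="H"/>
  <referenceRange>
    <interpretationRange>
      <value xsi:type="IVL_PQ">
        <low value="70" unit="mg/dL"/>
        <high value="105" unit="mg/dL"/>
      </value>
      <interpretationCode code="N"/>
    </interpretationRange>
  </referenceRange>
</observationEvent>
"""


def _attr(root, path, name):
    """Fetch a required attribute, refusing the message if it is absent."""
    el = root.find(path)
    if el is None or el.get(name) is None:
        raise ValueError(f"missing {path}@{name}")
    return el.get(name)


def parse_observation(xml_text: str) -> dict:
    """Extract the result, checking code system, value type and unit agreement.
    For messages from untrusted partners, parse with defusedxml rather than the
    stdlib parser so that entity-expansion payloads are rejected."""
    root = ET.fromstring(xml_text)
    if root.tag != "observationEvent":
        raise ValueError(f"unexpected root element {root.tag!r}")
    if _attr(root, "code", "codeSystem") != LOINC_OID:
        raise ValueError("observation code is not from the LOINC code system")
    if _attr(root, "value", f"{{{XSI}}}type") != "PQ":
        raise ValueError("result value is not a physical quantity (PQ)")
    unit = _attr(root, "value", "unit")
    range_path = "referenceRange/interpretationRange/value/"
    for bound in ("low", "high"):
        if _attr(root, range_path + bound, "unit") != unit:
            raise ValueError(f"reference range {bound} unit differs from result")
    return {
        "filler_order_id": (_attr(root, "id", "root"), _attr(root, "id", "extension")),
        "loinc_code": _attr(root, "code", "code"),
        "status": _attr(root, "statusCode", "code"),
        "effective_time": datetime.strptime(
            _attr(root, "effectiveTime", "value"), "%Y%m%d%H%M").isoformat(),
        "confidentiality": _attr(root, "confidentialityCode", "code"),
        "value": float(_attr(root, "value", "value")),
        "unit": unit,
        "low": float(_attr(root, range_path + "low", "value")),
        "high": float(_attr(root, range_path + "high", "value")),
        # direct child only; the nested interpretationCode belongs to the range
        "interpretation": _attr(root, "interpretationCode", "code"),
    }


def expected_interpretation(obs: dict) -> str:
    """Recompute H/L/N from the value and range (assumed simple rule)."""
    if obs["value"] > obs["high"]:
        return "H"
    if obs["value"] < obs["low"]:
        return "L"
    return "N"


def interpretation_is_consistent(obs: dict) -> bool:
    """True when the sender's interpretationCode agrees with its own range."""
    return expected_interpretation(obs) == obs["interpretation"]
```

A receiving system that trusts the sender's interpretationCode without this cross-check will display whatever flag the message carries, so the consistency check belongs at the integration boundary.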
Table 11.4 lists the current X12 work group areas. A portion of the X12 5010 Professional Claim standard is shown in Exhibit 11.2. The standard for the Professional Claim alone is more than ninety pages in length.
Table 11.4 X12 TG2 work groups
| Work Group Number | Work Group Name |
|---|---|
| WG1 | Health Care Eligibility |
| WG2 | Health Care Claims |
| WG3 | Claim Payments |
| WG4 | Enrollments |
| WG5 | Claims Status |
| WG9 | Patient Information |
| WG10 | Health Care Services Review |
| WG15 | Provider Information |
| WG20 | Insurance—824 Implementation Guide |
| WG21 | Health Care Regulation Advisory/Collaboration |
Source: ASC X12 (n.d.).
Exhibit 11.2 X12 5010 Professional Claim Standard
| 5010 Element Identifier | Description | ID | Min.-Max. | Usage Req. | Loop | Loop Repeat | Values (837-P 5010) |
|---|---|---|---|---|---|---|---|
| ISA | INTERCHANGE CONTROL HEADER | | 1 | R | ___ | 1 | |
| ISA01 | Authorization Information Qualifier | ID | 2-2 | R | | | 00, 03 |
| ISA02 | Authorization Information | AN | 10-10 | R | | | |
| ISA03 | Security Information Qualifier | ID | 2-2 | R | | | 00, 01 |
| ISA04 | Security Information | AN | 10-10 | R | | | |
| ISA05 | Interchange ID Qualifier | ID | 2-2 | R | | | 01, 14, 20, 27, 28, 29, 30, 33, ZZ |
| ISA06 | Interchange Sender ID | AN | 15-15 | R | | | |
| ISA07 | Interchange ID Qualifier | ID | 2-2 | R | | | 01, 14, 20, 27, 28, 29, 30, 33, ZZ |
| ISA08 | Interchange Receiver ID | AN | 15-15 | R | | | |
| ISA09 | Interchange Date | DT | 6-6 | R | | | YYMMDD |
| ISA10 | Interchange Time | TM | 4-4 | R | | | HHMM |
| ISA11 | Interchange Control Standards ID | ID | 1-1 | R | | | |
| ISA12 | Interchange Control Version Number | ID | 5-5 | R | | | 00501 |
| ISA13 | Interchange Control Number | N0 | 9-9 | R | | | |
| ISA14 | Acknowledgement Requested | ID | 1-1 | R | | | 0, 1 |
| ISA15 | Usage Indicator | ID | 1-1 | R | | | P, T |
| ISA16 | Component Element Separator | AN | 1-1 | R | | | |
| GS | FUNCTIONAL GROUP HEADER | | 1 | R | ___ | 1 | |
| GS01 | Functional Identifier Code | ID | 2-2 | R | | | |
| GS02 | Application Sender Code | AN | 2-15 | R | | | |
| GS03 | Application Receiver Code | AN | 2-15 | R | | | |
| GS04 | Date | DT | 8-8 | R | | | CCYYMMDD |
| GS05 | Time | TM | 4-8 | R | | | HHMM |
| GS06 | Group Control Number | N0 | 1-9 | R | | | |
| GS07 | Responsible Agency Code | ID | 1-2 | R | | | X |
| GS08 | Version Identifier Code | AN | 1-12 | R | | | 005010X222 |
Continuity of Care Document (CCD)
The Continuity of Care Document (CCD) is a standard for the electronic exchange of patient summary information, so-called transportable patient care information. The current CCD standard is actually a merger of two other standards: the HL7 Clinical Document Architecture (CDA) standard and the ASTM Continuity of Care Record (CCR). There has been some discussion among experts about the CCR and CCD being competing standards, but HL7 has taken the position that CCD is an implementation of CCR and simply an evolution of the CCR (Rouse, 2010). Although discussed in this section, the CCD standard is not solely a content standard; it includes elements of a data exchange standard. It has an XML-based specification for exchanging patient summary data, but it also includes a standard outline of the summary content. The content sections of the CCD include the following:
Payers
Advance Directives
Support
Functional Status
Problems
Family History
Social History
Allergies
Medications
Medical Equipment
Immunizations
Vital Signs
Results
Procedures
Encounters
Plan of Care (Dolin, 2011)
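As an added example (not from the text and not ASC X12's own material), the following Python parses the ISA and GS segments of an inbound 837-P envelope and validates them against the element lengths and allowed values listed in Exhibit 11.2 above, learning the delimiters from the ISA segment itself; the sample interchange is constructed, and its sender and receiver IDs are placeholders.

```python
"""Parse and validate the envelope of an X12 5010 837-P interchange: the
fixed-width ISA segment and the GS functional group header, using the element
lengths and valid values listed in Exhibit 11.2.

Added example; not part of the text or of ASC X12's own materials. The sample
interchange is constructed and its sender/receiver IDs are placeholders.
"""
from datetime import datetime

ISA_QUALIFIERS = {"01", "14", "20", "27", "28", "29", "30", "33", "ZZ"}

# (element id, min length, max length, allowed values or None) per Exhibit 11.2.
ISA_SPEC = [
    ("ISA01", 2, 2, {"00", "03"}),
    ("ISA02", 10, 10, None),
    ("ISA03", 2, 2, {"00", "01"}),
    ("ISA04", 10, 10, None),
    ("ISA05", 2, 2, ISA_QUALIFIERS),
    ("ISA06", 15, 15, None),
    ("ISA07", 2, 2, ISA_QUALIFIERS),
    ("ISA08", 15, 15, None),
    ("ISA09", 6, 6, None),        # YYMMDD, checked as a date below
    ("ISA10", 4, 4, None),        # HHMM, checked as a time below
    ("ISA11", 1, 1, None),
    ("ISA12", 5, 5, {"00501"}),
    ("ISA13", 9, 9, None),        # interchange control number, digits only
    ("ISA14", 1, 1, {"0", "1"}),
    ("ISA15", 1, 1, {"P", "T"}),  # production / test usage indicator
    ("ISA16", 1, 1, None),        # component element separator
]
GS_SPEC = [
    ("GS01", 2, 2, None),
    ("GS02", 2, 15, None),
    ("GS03", 2, 15, None),
    ("GS04", 8, 8, None),         # CCYYMMDD, checked as a date below
    ("GS05", 4, 8, None),
    ("GS06", 1, 9, None),         # group control number, digits only
    ("GS07", 1, 2, {"X"}),
    ("GS08", 1, 12, {"005010X222"}),
]
DATE_FORMATS = {"ISA09": "%y%m%d", "ISA10": "%H%M", "GS04": "%Y%m%d"}
NUMERIC = {"ISA13", "GS06"}


def _check_elements(values, spec):
    """Map element ids to values, raising ValueError on the first violation."""
    if len(values) != len(spec):
        raise ValueError(f"expected {len(spec)} elements, got {len(values)}")
    out = {}
    for value, (eid, lo, hi, allowed) in zip(values, spec):
        if not lo <= len(value) <= hi:
            raise ValueError(f"{eid}: length {len(value)} outside {lo}-{hi}")
        if allowed is not None and value not in allowed:
            raise ValueError(f"{eid}: {value!r} not an allowed value")
        if eid in DATE_FORMATS:
            datetime.strptime(value, DATE_FORMATS[eid])  # raises if malformed
        if eid in NUMERIC and not value.isdigit():
            raise ValueError(f"{eid}: control number must be numeric")
        out[eid] = value
    return out


def parse_envelope(raw: str) -> dict:
    """Parse ISA and GS. ISA is always exactly 106 characters, and the
    delimiters are learned from it: element separator at offset 3, component
    separator in ISA16 (offset 104), segment terminator at offset 105."""
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("input does not begin with a 106-character ISA segment")
    elem_sep, comp_sep, seg_term = raw[3], raw[104], raw[105]
    delims = (elem_sep, comp_sep, seg_term)
    if len(set(delims)) != 3 or any(d.isalnum() for d in delims):
        raise ValueError("delimiters must be three distinct non-alphanumeric chars")
    isa = _check_elements(raw[:105].split(elem_sep)[1:], ISA_SPEC)
    segments = raw[106:].split(seg_term)
    if not segments[0].startswith("GS" + elem_sep):
        raise ValueError("ISA must be followed by a GS segment")
    gs = _check_elements(segments[0].split(elem_sep)[1:], GS_SPEC)
    return {"delimiters": delims, "ISA": isa, "GS": gs}


def is_production(envelope: dict) -> bool:
    """ISA15 'T' marks a test interchange; production adjudication should
    refuse it rather than silently process it as a real claim."""
    return envelope["ISA"]["ISA15"] == "P"


def build_sample_interchange() -> str:
    """Constructed sample with placeholder IDs (not real trading partners)."""
    isa = "*".join(["ISA", "00", " " * 10, "00", " " * 10,
                    "ZZ", "SENDERID".ljust(15), "ZZ", "RECEIVERID".ljust(15),
                    "160906", "1200", "^", "00501", "000000001", "0", "T", ":"])
    gs = "*".join(["GS", "HC", "SENDERID", "RECEIVERID",
                   "20160906", "1200", "1", "X", "005010X222"])
    return isa + "~" + gs + "~"
```

Beyond this envelope check, a receiver should also track ISA13 per trading partner so a replayed interchange with a reused control number is detected before any claim inside it is adjudicated.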
Fast Health Interoperability Resources (FHIR)
Fast Health Interoperability Resources (FHIR) is currently being tested (as of this text's publication date) by a range of healthcare IT professionals. So far, the testing has led to predominantly positive results, with many citing FHIR as having the potential to truly accelerate healthcare IT interoperability. The difference between FHIR and other standards is that it goes beyond the function of a traditional messaging system and includes modern web services to exchange clinical information. FHIR builds on the HL7 Clinical Document Architecture (CDA) and HL7 messaging. However, unlike CDA, FHIR enables granular pieces of information rather than an entire summary document to be shared (Ahier, 2015). According to Ahier (2015), FHIR offers easy-to-use tools not only to build faster and more efficient data exchange mechanisms but also to use personal health care information to create “innovative new apps” with the potential to create a “plug and play platform . . . similar to the Apple app store.”
Health Record Content and Functional Standards
Health record content and functional standards are not the same as messaging or data exchange standards. These standards outline what should be included in an EHR or other clinical record. They do not include technical specifications but rather the EHR content requirements. As mentioned previously, the CCD and FHIR have content standards within them, along with messaging standards. The HL7 EHR-S (Electronic Health Record-System) Functional Model is an example of a comprehensive EHR content and functional standard that does not include technical specifications.
HL7 EHR-S Functional Model
The HL7 Electronic Health Record-System (EHR-S) Functional Model, Release 2 was published by Health Level Seven International in 2014. The purpose of this functional model is to outline important features and functions that should be contained in an EHR. Targeted users of the functional model include vendors and care providers, and it has been recognized by the ISO as an international standard (ISO 10781). The stated benefits of the functional model are as follows:
Provide an international standard for global use.
Enable a consistent framework for the development of profiles that are conformant to the base model.
Support the goal of interoperability.
Provide a standard that is easily readable and understandable to an “everyday person,” which enables a user to articulate his or her business requirements (HL7, 2014).
The EHR-S Functional Model is divided into seven sections:
Overarching (OV)
Care Provision (CP)
Care Provision Support (CPS)
Population Health Support (POP)
Administrative Support (AS)
Record Infrastructure (RI)
Trust Infrastructure (TI)
Each function within the model is identified by section and described by specific elements. Table 11.5 is an example of the function list for managing a problem list. Note: The list type indicates Header (H), Function (F), or Conformance Criteria (C).
Table 11.5 Excerpt from the HL7 EHR-S Functional Model
| ID | Type | Name | Statement | Description | Conformance Criteria |
|---|---|---|---|---|---|
| CP.1 | H | Manage Clinical History | Manage the patient's clinical history lists used to present summary or detailed information on patient health history. | Patient Clinical History lists are used to present succinct snapshots of critical health information including patient history, allergy intolerance and adverse reactions, medications, problems, strengths, immunizations, medical equipment/devices, and patient and family preferences. | |
| CP.1.4 | F | Manage Problem List | Create and maintain patient-specific problem lists. | A problem list may include but is not limited to chronic conditions, diagnoses, or symptoms, injury/poisoning (both intentional and unintentional), adverse effects of medical care (e.g., drugs, surgical), functional limitations, visit or stay-specific conditions, diagnoses, or symptoms . . . | |
| CP.1.4 | C | | | | 1. The system SHALL provide the ability to manage, as discrete data, all active problems associated with a patient. |
| CP.1.4 | C | | | | 2. The system SHALL capture and render a history of all problems associated with a patient. |
| CP.1.4 | C | | | | 3. The system SHALL provide the ability to manage relevant dates including the onset date and resolution date of the problem. |
Summary
Multiple standard-setting organizations have roles in standards development, leading to a somewhat confusing array of current healthcare IT standards that address code sets, vocabularies and terminology, data exchange and messaging, and content and function. The standards developing organizations and standards discussed in this chapter, along with other general IT standards, enable health care information systems to be interoperable, portable, and to exchange data. The future of our healthcare system relies on having interoperable EHRs and other health care information systems. Clearly, this will not be realized without standards. The government, as well as the private sector, is actively engaged in promoting the development of best practices for implementing health care IT standards. HIPAA and CMS, for example, have had a significant impact on the adoption of specific health care information standards that focus on code sets, terminology, and transactions. The ONC is charged with coordinating the national efforts for achieving interoperability among health care information systems, which has led to its publication of the Interoperability Roadmap and annual Interoperability Standards Advisories. Both of these tools will likely have a significant impact on the direction of national standards development and cooperation among the many standards developing organizations.
References
Accredited Standards Committee X12 (ASC X12). (n.d.). X12N/TG2: Health care purpose and scope. Retrieved September 6, 2016, from http://www.wpc-edi.com/onlyconnect/TG2.htm
Ahier, B. (2015, Jan. 6). FHIR and the future of interoperability. Retrieved November 10, 2016, from http://www.healthcareitnews.com/news/fhir-and-future-interoperability
American Dental Association (ADA). (n.d.). Code on dental procedures and nomenclature (CDT code). Retrieved September 7, 2016, from http://www.ada.org/en/publications/cdt/
American National Standards Institute (ANSI). (n.d.a). About ANSI. Retrieved September 7, 2016, from https://www.ansi.org/about_ansi/overview/overview.aspx?menuid=1
American National Standards Institute (ANSI). (n.d.b). Resources: Standards developing organizations (SDOs). Retrieved September 7, 2016, from https://www.standardsportal.org/usa_en/resources/sdo.aspx
American National Standards Institute (ANSI). (n.d.c). Standards activities overview. Retrieved September 7, 2016, from https://www.ansi.org/standards_activities/overview/overview.aspx?menuid=3
ASTM International. (2014, Nov.). ASTM standards for healthcare services, products and technology. Retrieved September 5, 2016, from http://www.astm.org/ABOUT/images/Medical_sector.pdf
ASTM International. (n.d.a). ASTM video. Retrieved September 5, 2016, from https://www.astm.org/about-astm-corporate.html
ASTM International. (n.d.b). Standards & publications. Retrieved September 6, 2016, from https://www.astm.org/Standard/standards-and-publications.html
Boone, K. W. (2012a, April 9). Health IT standards 101. Retrieved September 7, 2016, from http://www.healthcareitnews.com/blog/health-it-standards-101
Boone, K. W. (2012b, March 26). An informatics model for HealthIT standards [Web log post]. Retrieved September 22, 2016, from http://motorcycleguy.blogspot.com/2012/03/informatics-model-for-healthit.html
Case, J. (2011). Using RELMA or . . . In search of the missing LOINC [PowerPoint]. Retrieved March 2012 from http://loinc.org/slideshows/lab-loinc-tutorial
CEN CENELEC. (n.d.). About us. Retrieved September 7, 2016, from http://www.cencenelec.eu/aboutus/Pages/default.aspx
Centers for Disease Control and Prevention (CDC). (2016, June 21). IIS: HL7 standard code set CVX—Vaccines administered. Vaccines and Immunizations. Retrieved September 6, 2016, from http://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=cvx
Centers for Medicare and Medicaid (CMS). (2002). NCPDP flat file format. NCPDP reference manual. Retrieved September 6, 2016, from http://www.cms.gov/Medicare/Billing/ElectronicBillingEDITrans/downloads/NCPDPflatfile.pdf
Centers for Medicare and Medicaid (CMS). (2013, April 2). Adopted standard and transactions, adopted part D: E-prescribing standards. Retrieved September 5, 2016, from https://www.cms.gov/Medicare/E-Health/Eprescribing/Adopted-Standard-and-Transactions.html
Centers for Medicare and Medicaid (CMS). (2016a, June 23). Adopted standards and operating rules. Retrieved September 5, 2016, from https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AdoptedStandardsandOperatingRules.html
Centers for Medicare and Medicaid (CMS). (2016b, June 21). Standards-setting and related organizations. Retrieved September 5, 2016, from https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/StandardsSettingandRelatedOrganizations.html
Department of Health and Human Services (HHS). (2008). The ONC-coordinated federal health information technology strategic plan: 2008–2012. Retrieved August 2008 from http://www.hhs.gov/healthit/resources/HITStrategicPlanSummary.pdf
Department of Health and Human Services (HHS). (2012). About ONC. The Office of the National Coordinator for Health Information Technology. Retrieved March 2012 from http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov_onc/1200
DICOM. (2016). Strategic document. DICOM: Digital Imaging and Communications in Medicine. Retrieved September 6, 2016, from http://dicom.nema.org/dicom/geninfo/Strategy.pdf
Dolin, B. (2011). CDA and CCD for patient summaries. Retrieved November 10, 2016, from https://www.hl7.org/documentcenter/public_temp_143D9F91-1C23-BA17-0C15A882DDE6815D/calendarofevents/himss/2012/CDA%20and%20CCD%20for%20Patient%20Summaries.pdf
European Committee for Standardization (CEN). (n.d.). CEN/TC 251: Health informatics. Retrieved September 7, 2016, from https://standards.cen.eu/dyn/www/f?p=204:29:0::::FSP_ORG_ID,FSP_LANG_ID:6232,25&cs=1FFF281A84075B985DD039F95A2CAB820#1
Food and Drug Administration (FDA). (2016, April 22). National drug code directory. Retrieved September 7, 2016, from http://www.fda.gov/Drugs/InformationOnDrugs/ucm142438.htm
Hammond, W., & Cimino, J. (2006). Standards in biomedical informatics. In E. Shortliff & J. Cimino (Eds.), Biomedical informatics (pp. 265–311). New York, NY: Springer-Verlag.
HealthIT.gov. (2014). Meaningful use table series. Retrieved September 22, 2016, from https://www.healthit.gov/sites/default/files/meaningfulusetablesseries1_110112.pdf
HealthIT.gov. (n.d.). About ONC. Retrieved September 5, 2016, from https://www.healthit.gov/newsroom/about-onc
Health Level Seven International (HL7). (2014). HL7 EHR-System Functional Model, release 2. Retrieved September 6, 2016, from http://www.hl7.org/implement/standards/product_brief.cfm?product_id=269
Health Level Seven International (HL7). (n.d.). HL7 version 2 product suite. Retrieved September 6, 2016, from http://www.hl7.org/implement/standards/product_brief.cfm?product_id=185
Integrating the Healthcare Enterprise (IHE). (n.d.a). IHE patient care coordination profiles. Retrieved November 10, 2016, from http://wiki.ihe.net/index.php/Profiles#IHE_Patient_Care_Coordination_Profiles
Integrating the Healthcare Enterprise (IHE). (n.d.b). Profiles. Retrieved November 10, 2016, from https://www.ihe.net/Profiles/
International Health Terminology Standards Development Organization (IHTSDO). (n.d.). History of SNOMED CT. Retrieved September 7, 2016, from http://www.ihtsdo.org/snomed-ct/what-is-snomed-ct/history-of-snomed-ct
International Organization for Standardization (ISO). (n.d.). About ISO. Retrieved September 7, 2016, from http://www.iso.org/iso/home/about.htm
National Committee on Vital and Health Statistics (NCVHS). (2003, Nov. 5). Letter to the secretary: Recommendations for PMRI terminology standards. Retrieved March 2012 from http://www.ncvhs.hhs.gov/031105lt3.pdf
National Council for Prescription Drug Programs (NCPDP). (2012). About. Retrieved March 2012 from http://www.ncpdp.org/about.aspx
National Library of Medicine (NLM). (2016a, Jan. 4). RxNorm overview. Unified Medical Language System (UMLS). Retrieved September 6, 2016, from https://www.nlm.nih.gov/research/umls/rxnorm/overview.html
National Library of Medicine (NLM). (2016b, July 13). SNOMED CT. Retrieved September 7, 2016, from https://www.nlm.nih.gov/healthit/snomedct/
Office of the National Coordinator for Health Information Technology (ONC). (2015). Connecting health and care for the nation: A shared nationwide interoperability roadmap. Retrieved August 3, 2016, from https://www.healthit.gov/sites/default/files/nationwide-interoperability-roadmap-draft-version-1.0.pdf
Office of the National Coordinator for Health Information Technology (ONC). (2016). 2016 interoperability standards advisory: Best available standards and implementation specifications. Retrieved September 5, 2016, from https://www.healthit.gov/sites/default/files/2016-interoperability-standards-advisory-final-508.pdf
Regenstrief Institute, Inc. (n.d.). About LOINC. Retrieved September 7, 2016, from https://loinc.org/background
Rouse, M. (2010, May). Continuity of care document. SearchHealthIT. Retrieved March 2012 from http://searchhealthit.techtarget.com/definition/Continuity-of-Care-Document-CCD
Spronk, R. (2007). HL7 message examples: Version 2 and version 3. Retrieved from http://www.ringholm.de/docs/04300_en.htm
United States Food & Drug Administration (US FDA). (2016). National drug code directory. Retrieved November 10, 2016, from http://www.fda.gov/Drugs/InformationOnDrugs/ucm142438.htm
Washington Dental Service. (2012). CDT procedure code information. Retrieved March 2012 from http://wwwldeltadentalwa.com/Dentist/Public/ResourceCenter/CDT%20Procedure%20Codes.aspx
Chapter 10 Performance Standards and Measures
This chapter examines public and private organizations and processes that establish standards for ensuring that health records are maintained accurately and completely and that they contain the data and information needed to define and report a wide range of measures to determine the quality and efficiency of health care. These activities are very important and have a significant influence on providers and HIT capabilities, significant enough for us to devote an entire chapter to them.
Health care organizations and health plans use data and information to measure performance against internal and external standards; to compare performance to other like organizations; to demonstrate performance to licensing, certifying, and accrediting bodies; and to demonstrate performance for reimbursement purposes. This chapter begins with an examination of the licensure, certification, and accreditation of health care facilities and health plans, followed by an overview of key comparative data sets often used by health care organizations in benchmarking performance. The chapter concludes with a description of the national initiatives using performance measures to improve the quality and safety of health care, including those affecting provider reimbursement.
In the section titled “Licensure, Certification, and Accreditation,” we define these processes, list the accrediting organizations recognized by CMS, and examine the missions and general functions of the Joint Commission and the National Committee for Quality Assurance (NCQA). These discussions focus on how the licensure, certification, and accreditation processes not only use health information to measure performance but also how they influence the health care information that is collected.
“Measuring the Quality of Care” begins with a historical perspective of major milestones in the national agenda for health care quality improvement, followed by a discussion of the current efforts to improve health care quality and patient safety, focusing on the efforts that involve using health care data and information to measure performance. Quality measures are created and validated by a range of organizations, private and public. However, in recent years significant progress has been made in aligning these measures across organizations. Another significant movement related to quality measurement in the United States is the implementation of value-based reimbursement programs, which are based on established performance criteria. The government plans for significant growth in these programs over the next decade.
Licensure, Certification, and Accreditation
Health care organizations, such as hospitals, nursing homes, home health agencies, and the like, must be licensed to operate. If they wish to file Medicare or Medicaid claims, they must also be certified, and if they wish to demonstrate quality performance, they will undergo an accreditation process. What are these processes, and how are they related? If a health care organization is licensed, certified, and accredited, how will this affect the health care information that it creates, uses, and maintains? In this section we will examine each of these processes, their impact on the health care organizations, and their relationships with one another.
Licensure
Licensure is the process that gives a facility legal approval to operate. As a rule, state governments oversee the licensure of health care facilities, and each state sets its own licensure laws and regulations. All facilities must have a license to operate, and it is generally the state department of health or a similar agency that carries out the licensure function. Licensure regulations tend to emphasize areas such as physical plant standards, fire safety, space allocations, and sanitation. They may also contain minimum standards for equipment and personnel. A few states tie licensure to professional standards and quality of care, but not all. In their licensure regulations, states generally set minimum standards for the content, retention, and authentication of patient medical records. Exhibit 10.1 is an excerpt from the South Carolina licensure regulations for hospitals. This excerpt governs patient medical record content (with the exception of newborn patient records, which are addressed in a separate section of the regulations). Although each state has its own set of medical record content standards, these are fairly typical in scope and content.
Exhibit 10.1 Medical Record Content: Excerpt from South Carolina Standards for Licensing Hospitals and Institutional General Infirmaries
601.5 Contents:
A. Adequate and complete medical records shall be written for all patients admitted to the hospital and newborns delivered in the hospital. All notes shall be legibly written or typed and signed. Although use of initials in lieu of licensed nurses' signatures is not encouraged, initials will be accepted provided such initials can be readily identified within the medical record. A minimum medical record shall include the following information:
Admission Record: An admission record must be prepared for each patient and must contain the following information, when obtainable: Name; address, including county; occupation; age; date of birth; sex; marital status; religion; county of birth; father's name; mother's maiden name; husband's or wife's name; dates of military service; health insurance number; provisional diagnosis; case number; days of care; social security number; the name of the person providing information; name, address and telephone number of person or persons to be notified in the event of emergency; name and address of referring physician; name, address and telephone number of attending physician; date and hour of admission;
History and physical within 48 hours after admission;
Provisional or working diagnosis;
Pre-operative diagnosis;
Medical treatment;
Complete surgical record, if any, including technique of operation and findings, statement of tissue and organs removed and post-operative diagnosis;
Report of anesthesia;
Nurses' notes;
Progress notes;
Gross pathological findings and microscopic;
Temperature chart, including pulse and respiration;
Medication Administration Record or similar document for recording of medications, treatments and other pertinent data. Nurses shall sign this record after each medication administered or treatment rendered;
Final diagnosis and discharge summary;
Date and hour of discharge summary;
In case of death, cause and autopsy findings, if autopsy is performed;
Special examinations, if any, e.g., consultations, clinical laboratory, x-ray and other examinations.
Source: South Carolina Department of Health and Environmental Control, Standards for Licensing Hospitals and Institutional General Infirmaries, Regulation 61–16 § 601.5 (2010).
An initial license is required before a facility opens its doors, and this license to operate must generally be renewed annually. Some states allow organizations with the Joint Commission or other accreditation to forgo a formal licensure survey conducted by the state; others require the state survey regardless of accreditation status. As we will see in the section on accreditation, the accrediting bodies' standards are more detailed and more stringent than the typical state licensure regulations. Also, most accreditation standards are updated annually; most licensure standards are not.
Certification
Certification gives a health care organization the authority to participate in the federal Medicare and Medicaid programs. Legislation passed in 1972 mandated that hospitals had to be reviewed and certified to receive reimbursement from Medicare and Medicaid programs (CMS, n.d.a). At that time the Health Care Financing Administration, now the Centers for Medicare and Medicaid Services (CMS), developed a set of minimum standards known as the conditions of participation (CoPs). CMS contracts with state agencies to inspect facilities to make sure they meet these minimum standards, organized by facility functions and services. See Exhibit 10.2 for the CoP standards section governing medical record content.
Exhibit 10.2 Medical Record Content: Excerpt from the Conditions of Participation for Hospitals
Sec. 482.24 Condition of participation: Medical record services.
(c) Standard: Content of record. The medical record must contain information to justify admission and continued hospitalization, support the diagnosis, and describe the patient's progress and response to medications and services.
(1) All entries must be legible and complete, and must be authenticated and dated promptly by the person (identified by name and discipline) who is responsible for ordering, providing, or evaluating the service furnished.
(i) The author of each entry must be identified and must authenticate his or her entry.
(ii) Authentication may include signatures, written initials or computer entry.
(2) All records must document the following, as appropriate:
(i) Evidence of a physical examination, including a health history, performed no more than 7 days prior to admission or within 48 hours after admission.
(ii) Admitting diagnosis.
(iii) Results of all consultative evaluations of the patient and appropriate findings by clinical and other staff involved in the care of the patient.
(iv) Documentation of complications, hospital acquired infections, and unfavorable reactions to drugs and anesthesia.
(v) Properly executed informed consent forms for procedures and treatments specified by the medical staff, or by Federal or State law if applicable, to require written patient consent.
(vi) All practitioners' orders, nursing notes, reports of treatment, medication records, radiology, and laboratory reports, and vital signs and other information necessary to monitor the patient's condition.
(vii) Discharge summary with outcome of hospitalization, disposition of case, and provisions for follow-up care.
(viii) Final diagnosis with completion of medical records within 30 days following discharge.
Source: Conditions of Participation: Medical Record Services, 42 C.F.R. §§ 482.24c et seq. (2007).
Accreditation

Accreditation is an external review process that an organization elects to undergo; it is voluntary and has fees associated with it. The accrediting agency grants recognition to organizations that meet its predetermined performance standards. The review process and standards are devised and regulated by the accrediting agency. By far the best-known health care accrediting agency in the United States is the Joint Commission, but there are others. The National Committee for Quality Assurance (NCQA) is a leading accrediting agency for health plans.
Although accreditation is voluntary, there are financial and legal incentives for health care organizations to seek accreditation. In order to eliminate duplicative processes, Section 1865 of the Social Security Act “permits providers and suppliers ‘accredited’ by an approved national accreditation organization (AO) to be exempt from routine surveys by State survey agencies to determine compliance with Medicare conditions” (CMS, 2015). This is often referred to as deemed status. Table 10.1 lists the 2015 approved AOs with corresponding program types and websites.

Table 10.1 2015 approved CMS accrediting organizations

Accrediting Organization | Program Types | Website
Accreditation Association for Ambulatory Health Care (AAAHC) | ASC (ambulatory surgery center) | www.aaahc.org
Accreditation Commission for Health Care, Inc. (ACHC) | HHA (home health agency); Hospice | www.achc.org
American Association for Accreditation of Ambulatory Surgery Facilities (AAAASF) | ASC; OPT (outpatient physical therapy); RHC (rural health clinics) | www.aaaasf.org
American Osteopathic Association/Healthcare Facilities Accreditation Program (HFAP) | ASC; CAH (critical access hospital); Hospital | www.hfap.org
Center for Improvement in Healthcare Quality (CIHQ) | Hospital | www.cihq.org
Community Health Accreditation Program (CHAP) | HHA; Hospice | www.chapinc.org
DNV GL—Healthcare (DNV GL) | CAH; Hospital | www.dnvglhealthcare.com
The Compliance Team (TCT) | RHC | www.thecomplianceteam.org
The Joint Commission (TJC) | ASC; CAH; HHA; Hospice; Hospital; Psychiatric hospital | www.jointcommission.org

Similar to CMS, many states also recognize accreditation in lieu of their own licensure surveys. Other benefits for an organization are that accreditation

May be required for reimbursement from payers (including CMS)
Validates the quality of care within the organization
May favorably influence liability insurance premiums
May enhance access to managed care contracts
Gives the organization a competitive edge over nonaccredited organizations

The Joint Commission

The Joint Commission's stated mission is “to continuously improve health care for the public, in collaboration with other stakeholders, by evaluating health care organizations and inspiring them to excel in providing safe and effective care of the highest quality and value” (The Joint Commission, n.d.). The Joint Commission on Accreditation of Hospitals (as the Joint Commission was first called) was formed as an independent, not-for-profit organization in 1951, as a joint effort of the American College of Surgeons, American College of Physicians, American Medical Association, and American Hospital Association. The Joint Commission has grown and evolved to set standards for and accredit nearly twenty-one thousand health care organizations and programs in the United States. In addition to hospitals, the Joint Commission has accreditation programs for health care organizations that offer ambulatory care, behavioral health care, home care, long-term care, and office-based surgery. It also provides an accreditation program for organizations that offer laboratory services (The Joint Commission, 2016, n.d.).
In order to maintain accreditation, a health care organization must undergo an on-site survey by a Joint Commission survey team every three years. Laboratories must be surveyed every two years. This survey is conducted to ensure that the organization continues to meet the established standards. The standards themselves are the result of an ongoing, dynamic process that incorporates the experience and perspectives of health care professionals and others throughout the country. New standards manuals are published annually and health care organizations are responsible for knowing and incorporating any changes as they occur.
Categories of accreditation (The Joint Commission, 2016) that an organization can achieve are the following:

Preliminary accreditation: for organizations that demonstrate compliance with selected standards under the Early Survey Policy, which allows organizations to undergo a survey prior to having the ability to demonstrate full compliance. Organizations that receive preliminary accreditation will be required to undergo a second on-site survey.
Accreditation: for organizations that demonstrate compliance with all standards.
Accreditation with follow-up survey: for organizations that are not in compliance with specific standards and require a follow-up survey within thirty days to six months.
Contingent accreditation: for organizations that fail to address all requirements in an accreditation with follow-up survey decision or for organizations that do not have the proper license or other similar issue at the time of the initial survey. A follow-up survey is generally required within thirty days.
Preliminary denial of accreditation: for organizations for which there is justification for denying accreditation. This decision is subject to appeal.
Denial of accreditation: for organizations that fail to meet standards and that have exhausted all appeals.

The Joint Commission's focus on the quality of care provided in health care facilities dates back to the early 1900s, when the American College of Surgeons began surveying hospitals and established a hospital standardization program. With the program came the question, how is quality of care measured? One of the early concerns of the standardization program was the lack of documentation in patient records. The early surveyors found that documentation was so poor that they had no way to judge the quality of care provided. The Joint Commission's emphasis on health care information and the documentation of care has continued to the present.
Not only do the Joint Commission reporting requirements rely heavily on patient information but also the current survey process uses “tracer methodology,” through which the surveyors analyze the organization's systems by tracing the care provided to individual patients. Patient records provide the road maps for the tracer methodology. The absence of quality health records would have a direct impact on the accreditation process. The following sections discuss Joint Commission standards that directly influence the creation, maintenance, and use of health care information. These sections further illustrate how the overall accreditation process relies on the availability of high-quality health care information (The Joint Commission, 2016).
The Joint Commission Record of Care (RC), Treatment, and Services Standards

The Joint Commission Record of Care (RC), Treatment, and Services standards provide information about the requirements for the content of a complete health record, regardless of its format. The RC standards for an ambulatory care program dictate that the organization will do the following:

Maintain complete and accurate clinical records.
Ensure clinical record entries are authenticated appropriately by authorized persons.
Ensure documentation in clinical records is timely.
Audit their clinical records.
Retain their clinical records according to relevant laws and regulations.
Ensure clinical records contain specific information that reflects the patient's care, treatment, or services.
Ensure clinical records accurately reflect operative and high-risk procedures and use of sedation and anesthesia.
Ensure documentation of proper use of restraints and seclusion.
Ensure ambulatory care records contain a summary list.
Ensure qualified staff members receive and record verbal orders. (The Joint Commission, 2014b)

Each RC standard has specific elements that must be addressed. For more information, refer to the most recent edition of the appropriate Comprehensive Accreditation Manual. All Joint Commission–accredited organizations have access to the complete manual.
The Joint Commission Information Management Standards

The Joint Commission Information Management (IM) standards reflect the Joint Commission's belief that quality information management influences quality care. In the overview of the IM standards, the Joint Commission states, “Every episode of care generates health information that must be managed systematically” (emphasis is the authors'). Information is a resource that must be managed like any other resource within the organization. Whether the information management systems employed by the organization are basic or sophisticated, the functions should include features that allow for the following:

Categorizing, filing, and maintaining all data and information used by the organization
Accurately capturing health information generated by delivery of care, treatment, and services
Accessing information by those authorized users who need the information to provide safe, quality care (The Joint Commission, 2014a)

The IM standards apply to noncomputerized systems and to systems employing the latest technologies. The first standard within the IM chapter focuses on information planning. The organization's plan for IM should consider the full spectrum of data generated and used by the organization as well as the flow of information within the organization and to and from external organizations. Identifying and understanding the flow of information is critical to meeting the organization's needs for data collection and distribution while maintaining the appropriate level of security (The Joint Commission, 2014a). The remaining IM standards require health care organizations to do the following:

Provide continuity of the information management process, including managing system interruptions and maintaining backup systems.
Ensure the privacy, security, and integrity of health information.
Manage data collection, including use of standardized data sets and terminology and limiting the use of abbreviations.
Manage health information retrieval, dissemination, and transmission.
Provide knowledge-based information resources twenty-four hours a day, seven days a week.
Ensure the accuracy of the health information. (The Joint Commission, 2011, 2014a)
National Committee for Quality Assurance

The National Committee for Quality Assurance (NCQA) is the leading accrediting body for health plans, including health maintenance organizations (HMOs), preferred provider organizations (PPOs), and point of service (POS) plans in the United States. In addition, the NCQA also accredits the following programs:

Disease management
Case management
Wellness and health promotion
Accountable care organizations
Managed behavioral health care organizations (NCQA, n.d.a)

The full list of NCQA accreditation requirements is published on its website at www.ncqa.org. The 2015 Health Plan Accreditation Program requirements include specific criteria divided into the following sections:

Quality management and improvement (QI)
Utilization management (UM)
Credentialing and recredentialing (CR)
Members' rights and responsibilities (RR)
Member connections (MEM)
Medicaid benefits and services (MED)
Healthcare Effectiveness Data and Information Set (HEDIS) performance measures (see the “Measuring the Quality of Care” section for more information about HEDIS) (NCQA, 2015)

Measuring the Quality of Care

Two landmark Institute of Medicine (IOM) reports, To Err Is Human: Building a Safer Health System, published in 2000 (Kohn, Corrigan, & Donaldson), and Crossing the Quality Chasm: A New Health System for the 21st Century, published in 2001, are often cited as marking the beginning of the modern era of national health care quality and patient safety initiatives. The two reports led to increased awareness of the severity of patient safety and quality issues and helped frame the national landscape of improvement efforts. To Err Is Human estimated that as many as ninety-eight thousand people died in hospitals each year as a result of preventable medical errors. The report found that most errors could be traced to poor processes and systems and recommended development and implementation of improved performance standards, including those associated with licensure, certification, and accreditation. Crossing the Quality Chasm specifically outlined six aims for establishing quality health care, stating that health care in the United States should be (CMSS, 2014; Kohn, Corrigan, & Donaldson, 2000; IOM, 2001):

Safe
Effective
Patient-centered
Timely
Efficient
Equitable

One of the challenges to meeting these aims was determining how to measure success in each area. What are the standards and performance measures associated with these important aims?
Types of Measures

Whether at the local organizational level or at a national level, quality improvement requires the identification of standards that define quality care and measurement of performance to determine whether or not the identified standards are met. Quality measures are used across the full continuum of care, from individual physicians to health plans. As we will examine in this chapter, there are literally hundreds of different health care quality measures in use today. These existing quality measures can generally be categorized into four types: structure, process, outcome, and patient experience. Table 10.2 summarizes the types of measures, descriptions, and examples of each.

Table 10.2 Major types of quality measures
Source: Morris (2014).

Type | Description | Example
Structure | Assesses the characteristics of a care setting, including facilities, personnel, and policies related to care delivery | Does an intensive care unit (ICU) have a critical care specialist on staff at all times?
Process | Determines if the services provided to patients are consistent with routine clinical care | Does a doctor ensure that his or her patients receive recommended cancer screenings?
Outcome | Evaluates patient health as a result of the care received | What is the survival rate for patients who experience a heart attack?
Patient Experience | Provides feedback on patients' experiences of care | Do patients report that their provider explains their treatment options in ways that are easy to understand?

Data Sources for Measures

Whether quality measures are applied by an individual physician or by a federal agency, they rely on valid and reliable data. A few of the common sources of health care data used in performance measurement are listed in the following sections.
Administrative Data

Administrative data submitted to private and government payers have the advantage of being easy to obtain. Private and public payers have very large claims databases.

Disease Registries

Public health agencies, including state and federal agencies, collect data on patients with specific conditions. These disease registries often go beyond administrative claims data.

Health Records

The EHR is recognized as a rich source of detailed patient information. However, the full potential of the EHR as an easy-to-use source of reliable data has not been reached. More work on standardization and tools for data extraction is needed. Data extraction from paper records is labor intensive and, therefore, expensive to implement. As you have seen in previous chapters, Meaningful Use criteria address the need for EHR data extraction and sharing.

Qualitative Data

Qualitative data from patient surveys or interviews are often used for patient experience measures (Morris, 2014).
Measurement Development

Regardless of the data source, the resulting measures must not only be reliable and valid but also feasible to collect (CMSS, 2015). There are dozens of public and private organizations that develop health care–related performance measures. The following paragraphs identify a few of the key players and their respective roles in the development of recognized measures.

The NCQA is responsible for the HEDIS measures, one of the oldest and most widely used sets of health care performance measures in the United States. More than 90 percent of health plans in the United States collect and report HEDIS data. HEDIS data are used not only for accreditation of health plans but also as the basis for health plan comparison and quality improvement.

The Joint Commission also has a long history of developing and using performance measures as a component of accreditation. In 1987, the Joint Commission revamped its accreditation process with the goal of incorporating standardized performance measures. This initiative led to the development of the ORYX program. The current ORYX program is closely aligned with CMS quality initiatives, using many of the same measures. Hospitals seeking Joint Commission accreditation in 2016 were required to report on six of nine sets of chart (paper)-abstracted clinical quality measures (CQMs) or six of eight electronic clinical quality measures (eCQMs) (The Joint Commission, 2015b).

CQMs are identified and updated by CMS each year. Selected CQMs are used in the EHR Incentive Programs for eligible professionals and in other CMS quality initiatives (discussed later in this chapter). CMS does not develop all of the CQMs itself; for most of them it relies on private organizations, such as NCQA, the Joint Commission, the American Medical Association Physician Consortium for Performance Improvement (AMA-PCPI), and a host of other health care societies, collaboratives, and alliances, as well as government agencies, such as AHRQ, the Centers for Disease Control and Prevention (CDC), and the Health Resources and Services Administration (HRSA). Table 10.3 is an excerpt from the CQMs for the 2014 EHR Incentive Programs. Note that each measure is defined by a unique identifier, a National Quality Forum (NQF) number, a measure description, numerator and denominator statements, a measure steward, and a Physician Quality Reporting System (PQRS) number. Note: The PQRS role in quality improvement and performance measurement is discussed in more detail later in this chapter.
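The numerator and denominator statements are what turn a measure definition into a computation over patient records, and the subtleties (age at the encounter, the six-month lookback, the branch on whether the BMI is out of range) are easy to get wrong when a measure is re-implemented locally. The following Python example is added here for illustration; it is not CMS or Joint Commission code and is not taken from this chapter. It implements the logic of CMS69v5 (BMI screening and follow-up plan) from the numerator and denominator statements in Table 10.3 and runs it over a small set of constructed encounters. Everything about the data shape (the Encounter record), the choice of the most recent eligible encounter as the index encounter, the 182-day approximation of "previous six months," and the omission of the measure's exclusions is an assumption made for the example.

```python
"""Added example: evaluate a numerator/denominator CQM (CMS69v5 logic) over
constructed encounters. Not CMS code; assumptions are marked in comments."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Normal parameters quoted by the measure: BMI >= 18.5 and < 25 kg/m2.
BMI_LOW, BMI_HIGH = 18.5, 25.0
# "Previous six months" approximated as 182 days (assumption for the example).
LOOKBACK = timedelta(days=182)


@dataclass(frozen=True)
class Encounter:
    """One ambulatory encounter (constructed shape, not an EHR export format)."""
    patient_id: str
    birth_date: date
    encounter_date: date
    bmi: Optional[float] = None   # BMI documented at this encounter, if any
    followup_plan: bool = False   # follow-up plan documented at this encounter


def age_on(birth: date, on: date) -> int:
    """Completed years of age on a given date."""
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1
    return years


def in_lookback(event: date, reference: date) -> bool:
    """True if event is on the reference date or within LOOKBACK before it."""
    return reference - LOOKBACK <= event <= reference


def evaluate_patient(encs: List[Encounter], period_start: date,
                     period_end: date) -> Tuple[bool, bool]:
    """Return (in_denominator, in_numerator) for one patient's encounters.

    Denominator: aged 18+ on the encounter date with at least one encounter in
    the measurement period. Numerator: a BMI documented at the index encounter
    or within the lookback and, if that BMI is outside normal parameters, a
    follow-up plan documented in the same window. Assumption: the most recent
    eligible encounter is the index encounter; measure exclusions are omitted.
    """
    eligible = [e for e in encs
                if period_start <= e.encounter_date <= period_end
                and age_on(e.birth_date, e.encounter_date) >= 18]
    if not eligible:
        return False, False
    index = max(eligible, key=lambda e: e.encounter_date)
    window = [e for e in encs if in_lookback(e.encounter_date, index.encounter_date)]
    with_bmi = [e for e in window if e.bmi is not None]
    if not with_bmi:
        return True, False                 # no BMI documented: numerator fails
    latest_bmi = max(with_bmi, key=lambda e: e.encounter_date).bmi
    if BMI_LOW <= latest_bmi < BMI_HIGH:
        return True, True                  # normal BMI: no plan required
    return True, any(e.followup_plan for e in window)


def compute_rate(encounters: List[Encounter], period_start: date,
                 period_end: date) -> Dict[str, object]:
    """Aggregate per-patient results into the measure's reportable rate."""
    by_patient: Dict[str, List[Encounter]] = {}
    for e in encounters:
        by_patient.setdefault(e.patient_id, []).append(e)
    numerator = denominator = 0
    for encs in by_patient.values():
        in_den, in_num = evaluate_patient(encs, period_start, period_end)
        denominator += in_den
        numerator += in_num
    rate = numerator / denominator if denominator else None
    return {"numerator": numerator, "denominator": denominator, "rate": rate}


# Constructed sample data; measurement period is calendar year 2016.
PERIOD = (date(2016, 1, 1), date(2016, 12, 31))
SAMPLE_ENCOUNTERS = [
    # P1: normal BMI at the visit -> numerator
    Encounter("P1", date(1980, 5, 1), date(2016, 3, 10), bmi=22.0),
    # P2: out-of-range BMI at the index visit; plan documented at an earlier
    # visit inside the six-month window -> numerator
    Encounter("P2", date(1975, 1, 15), date(2016, 1, 20), bmi=30.5, followup_plan=True),
    Encounter("P2", date(1975, 1, 15), date(2016, 4, 1), bmi=31.2),
    # P3: out-of-range BMI, no plan anywhere -> denominator only
    Encounter("P3", date(1990, 7, 7), date(2016, 5, 15), bmi=17.0),
    # P4: aged 11 at the visit -> not in the denominator
    Encounter("P4", date(2005, 2, 2), date(2016, 6, 1), bmi=20.0),
    # P5: no BMI at the 2016 visit, but a normal BMI from September 2015 falls
    # inside the lookback window -> numerator
    Encounter("P5", date(1960, 9, 9), date(2015, 9, 1), bmi=24.0),
    Encounter("P5", date(1960, 9, 9), date(2016, 2, 2)),
    # P6: only encounter is outside the measurement period -> not counted
    Encounter("P6", date(1988, 3, 3), date(2015, 11, 11), bmi=27.0),
]


def run_example() -> Dict[str, object]:
    """Evaluate the constructed sample: 3 of 4 eligible patients, rate 0.75."""
    return compute_rate(SAMPLE_ENCOUNTERS, *PERIOD)


if __name__ == "__main__":
    print(run_example())
```

Running the module prints the numerator, denominator, and rate for the sample. The P5 case is the one worth studying: the encounter that puts the patient in the denominator is in 2016, but the BMI that satisfies the numerator was documented in 2015, so an implementation that only looks at records inside the measurement period would undercount. A production implementation would follow the measure's published value sets and exclusion criteria rather than the simplifications assumed here.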
Table 10.3 Excerpt of CQMs for 2014 EHR Incentive Programs
Source: CMS (n.d.f).

CMS eMeasure ID: CMS69v5
NQF No.: 0421
Measure Title and NQS Domain: Preventive Care and Screening: Body Mass Index (BMI) Screening and Follow-Up Plan. Domain: Population/Public Health
Measure Description: Percentage of patients aged eighteen years and older with a BMI documented during the current encounter or during the previous six months AND with a BMI outside of normal parameters, a follow-up plan is documented during the encounter or during the previous six months of the current encounter. Normal Parameters: Age eighteen years and older, BMI >= 18.5 and < 25 kg/m2
Numerator Statement: Patients with a documented BMI during the encounter or during the previous six months, AND when the BMI is outside of normal parameters, a follow-up plan is documented during the encounter or during the previous six months of the current encounter
Denominator Statement: All patients eighteen and older on the date of the encounter with at least one eligible encounter during the measurement period
Measure Steward: Centers for Medicare & Medicaid Services
PQRS No.: 128 GPRO PREV-9

CMS eMeasure ID: CMS132v5
NQF No.: 0564
Measure Title and NQS Domain: Cataracts: Complications within Thirty Days Following Cataract Surgery Requiring Additional Surgical Procedures. Domain: Patient Safety
Measure Description: Percentage of patients aged eighteen years and older with a diagnosis of uncomplicated cataract who had cataract surgery and had any of a specified list of surgical procedures in the thirty days following cataract surgery which would indicate the occurrence of any of the following major complications: retained nuclear fragments, endophthalmitis, dislocated or wrong power IOL, retinal detachment, or wound dehiscence
Numerator Statement: Patients who had one or more specified operative procedures for any of the following major complications within thirty days following cataract surgery: retained nuclear fragments, endophthalmitis, dislocated or wrong power IOL, retinal detachment, or wound dehiscence
Denominator Statement: All patients aged eighteen years and older who had cataract surgery and no significant ocular conditions impacting the surgical complication rate
Measure Steward: PCPI(R) Foundation (PCPI[R])
PQRS No.: 192

CMS eMeasure ID: CMS133v5
NQF No.: 0565
Measure Title and NQS Domain: Cataracts: 20/40 or Better Visual Acuity within Ninety Days Following Cataract Surgery. Domain: Clinical Process/Effectiveness
Measure Description: Percentage of patients aged eighteen years and older with a diagnosis of uncomplicated cataract who had cataract surgery and no significant ocular conditions impacting the visual outcome of surgery and had best-corrected visual acuity of 20/40 or better (distance or near) achieved within 90 days following the cataract surgery
Numerator Statement: Patients who had best-corrected visual acuity of 20/40 or better (distance or near) achieved within ninety days following cataract surgery
Denominator Statement: All patients aged eighteen years and older who had cataract surgery
Measure Steward: PCPI(R) Foundation (PCPI[R])
PQRS No.: 191

CMS eMeasure ID: CMS158v5
NQF No.: N/A
Measure Title and NQS Domain: Pregnant Women That Had HBsAg Testing. Domain: Clinical Process/Effectiveness
Measure Description: This measure identifies pregnant women who had a HBsAg (hepatitis B) test during their pregnancy
Numerator Statement: Patients who were tested for hepatitis B surface antigen (HBsAg) during pregnancy within 280 days prior to delivery
Denominator Statement: All female patients aged twelve and older who had a live birth or delivery during the measurement period
Measure Steward: Optum
PQRS No.: 369

CMS eMeasure ID: CMS159v5
NQF No.: 0710
Measure Title and NQS Domain: Depression Remission at Twelve Months. Domain: Clinical Process/Effectiveness
Measure Description: Patients age eighteen and older with major depression or dysthymia and an initial Patient Health Questionnaire (PHQ-9) score greater than nine who demonstrate remission at twelve months (+/- 30 days after an index visit) defined as a PHQ-9 score less than five. This measure applies to both patients with newly diagnosed and existing depression whose current PHQ-9 score indicates a need for treatment.
Numerator Statement: Patients who achieved remission at twelve months as demonstrated by a twelve month (+/- 30 days grace period) PHQ-9 score of less than five
Denominator Statement: Patients age eighteen and older with a diagnosis of major depression or dysthymia and an initial PHQ-9 score greater than nine during the index visit
Measure Steward: MN Community Measurement

The NQF is a nonprofit, member organization whose mission is “to lead national collaboration to improve health and healthcare quality through measurement” (NQF, n.d.). It was created in 1999 and includes board members from private and public sectors, including providers, purchasers, and representatives from AHRQ, CDC, CMS, and HRSA. The NQF maintains a large, searchable database of performance measures. Measures can be searched on the NQF website (www.qualityforum.org) by any combination of the following dimensions:

Endorsement Status (e.g., Endorsed, Not Endorsed)
Measure Status (Time Limited, Reserved)
Measure Format (eMeasure, Measure)
Measure Steward (e.g., NCQA, CMS, The Joint Commission)
Use in Federal Program (e.g., Meaningful Use, Medicare Shared Savings Program)
Clinical Condition/Topic Area (e.g., Cancer, Infectious Disease)
Cross-Cutting Area (e.g., Overuse, Safety, Disparities)
Care Setting (e.g., Ambulatory Care, Home Health, Hospital)
National Quality Strategy Priorities (e.g., Affordable Care, Patient Safety)
Actual/Planned Use (e.g., Public Reporting, Payment Program)
Data Source (e.g., Administrative Data, Electronic Clinical Data, Healthcare Provider Survey)
Level of Analysis (e.g., Clinician, Facility, Health Plan)
Target Population (Children's Health)

Comparative Health Care Data Sets

Comparative health care data sets and information are often aligned with organizations' quality improvement efforts. An organization might collect data on one or more of the specific performance measures, such as those previously identified, and then use this information to compare its performance to other similar organizations or to state average results, for example. The process of comparing one or more performance measures against a standard is called benchmarking. Benchmarking may be limited to internally set standards; however, it frequently employs one or more externally generated benchmarks or standards.
Providers may select from many publicly and privately available health care data sets for benchmarking purposes. Many of the organizations identified in the previous section not only develop standards but also provide searchable websites that enable consumers and providers to compare results of their measures across multiple organizations. Although each comparative data set is unique, they can be loosely categorized by purpose: patient satisfaction, practice patterns, or clinical data. The following paragraphs identify some of the better-known and frequently used comparative data sets and list their associated searchable websites when applicable.
Patient Satisfaction Data Sets Patient satisfaction data generally come from survey data. Several private organizations, such as NRC+Picker, Press Ganey, and the health care division of Gallup, provide extensive consulting services to health care organizations across the country. One of these services is to conduct patient satisfaction surveys. Some health care organizations undertake patient satisfaction surveys on their own. The advantage of using a national organization is the comparative database it offers, which organizations can use for benchmarking purposes.
Some of the most widely used groups of patient experience surveys in the public arena were developed under the Agency for Healthcare Research and Quality (AHRQ) Consumer Assessment of Healthcare Providers and Systems (CAHPS) program. CAHPS originated in 1995 to assess participants' perspectives on their health plans. Since that time the program has evolved to include the following surveys:
Health Plan
Clinician & Group
Hospital
Home Health Care
In-Center Hemodialysis
Nursing Home
Surgical Care
American Indian
Dental Plan
Experience of Care and Health Outcomes (for mental health and substance abuse services)

CAHPS surveys are available to any organization. Federal agencies, such as CMS, use the CAHPS survey results, but the results are also used by health systems, physician practices, hospitals, and other health care providers in their quality improvement efforts (AHRQ, 2016). The Hospital CAHPS (HCAHPS) results are available to consumers as a part of CMS Hospital Compare (discussed under “Clinical Data Sets”) and from the AHRQ website. Information about the CAHPS comparative data and access to the database and chart books is located at http://www.ahrq.gov/cahps/cahps-database/comparative-data/index.html (AHRQ, 2016).
Practice Patterns Data Set

The Dartmouth Atlas is a widely used, interactive, online tool that enables health care organizations to compare data across a wide variety of parameters. The project is a privately funded program through the Dartmouth Institute for Health Policy and Clinical Practice, which primarily uses Medicare data to document variations in the use of medical resources across the United States. To access the Dartmouth Atlas, go to http://www.dartmouthatlas.org (The Dartmouth Institute, n.d.).

Clinical Data Sets

The Joint Commission and CMS are committed to the improvement of clinical outcomes, and as a part of that commitment they provide consumers with comparative data that encompasses clinical measures. The Joint Commission's Quality Check has evolved since its introduction in 1994 to become a comprehensive guide to health care organizations in the United States. Visitors to www.Qualitycheck.org can search for health care organizations by a variety of parameters, identify accreditation status, and compare hospital performance measures in terms of the Joint Commission's (2015a) National Patient Safety Goals. The 2016 National Patient Safety Goals for Hospitals describes sixteen specific goals, including these:

Identifying patients correctly
Improving staff member communication
Using medicines safely
Using alarms safely
Preventing infection
Identifying patient safety risks
Preventing mistakes in surgery (The Joint Commission, 2016)

Hospital Compare is the CMS-sponsored interactive, online comparative data set. Located at www.medicare.gov/hospitalcompare, this data set contains information about the quality of care at over four thousand Medicare-certified hospitals. The interactive tool enables consumers to compare clinical and patient satisfaction data. The purpose of the tool is to promote informed decision making by consumers of hospital care and to encourage hospitals to improve the quality of care they provide (CMS, n.d.b). In addition to Hospital Compare, CMS sponsors public reporting of other health care organizations, such as nursing homes, home health agencies, and kidney dialysis facilities (CMS, n.d.d).
Comparative Data for Health Plans In addition to data sets used by providers, the NCQA website enables consumers to have access to comparative data for health plans through a variety of report cards. The majority of the comparative data is derived from HEDIS and CAHPS. NCQA health care report cards are found at http://reportcard.ncqa.org. NCQA also offers a subscription service for a more detailed interactive tool, Quality Compass (NCQA, n.d.b, n.d.c).
Federal Quality Improvement Initiatives

As stated at the beginning of the chapter, the publication of the IOM reports addressing serious quality concerns marked a new era of government initiatives to improve the quality of patient care. Multiple new programs were established and new efforts to link Medicare and Medicaid reimbursement to quality care were undertaken. In this section we will examine the Patient Safety Act, the National Quality Strategy, and a selection of related government programs aimed at improving the quality of health care through performance measurement, including the related aspects of the Medicare Access & CHIP Reauthorization Act of 2015 (MACRA).
The Patient Safety Act

The IOM report To Err Is Human: Building a Safer Health System (Kohn, Corrigan, & Donaldson, 2000) outlined serious concerns about the safety and quality of health care in the United States and the need to improve them. Despite the ongoing efforts by voluntary accrediting bodies to ensure high-quality care, this report identified a critical need for reporting and analyzing individual facility and aggregate data related to adverse events. To address the need to capture information to improve health care quality and prevent harm to patients, the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act) was passed by Congress “to promote shared learning to enhance quality and safety nationally.” To implement the act, the Department of Health and Human Services issued the Patient Safety Rule (effective January 2009), which authorized the identification of Patient Safety Organizations (PSOs). As of August 2016, there were eighty-two PSOs in twenty-eight states. PSOs are responsible for the collection and analysis of health information that is referred to in the Final Rule as patient safety work product (PSWP). The PSWP contains identifiable patient information that is covered by specific privilege and confidentiality protections (AHRQ, n.d.a). The types of patient safety events that are reported under these protections include the following:
- Incidents: patient safety events that reached the patient, whether or not there was harm involved
- Near misses (or close calls): patient safety events that did not reach the patient
- Unsafe conditions: circumstances that increase the probability of a patient safety event occurring

To facilitate these activities, AHRQ has created Common Formats, which are “common definitions and reporting formats to help providers uniformly report patient safety events” (AHRQ, n.d.b).
National Quality Strategy

The requirement for a National Strategy for Quality Improvement in Health Care (National Quality Strategy) was established by the Affordable Care Act and subsequently published in 2011. More than three hundred groups and individuals representing all aspects of the health care industry and public provided input. It has subsequently been updated on an annual basis, but the three broad aims and six priorities have remained consistent. The three broad aims used to “guide and assess national efforts to improve health and the quality of health care” (AHRQ, 2011) are as follows:
- Better care: Improve the overall quality by making health care more patient-centered, reliable, accessible, and safe.
- Healthy people/healthy communities: Improve the health of the US population by supporting proven interventions to address behavioral, social, and environmental determinants of health in addition to delivering higher-quality care.
- Affordable care: Reduce the cost of quality health care for individuals, families, employers, and government.

To achieve these aims, the National Quality Strategy identifies the following six priorities:

- Making care safer by reducing harm caused in the delivery of care
- Ensuring that each person and family are engaged as partners in their care
- Promoting effective communication and coordination of care
- Promoting the most effective prevention and treatment practices for the leading causes of mortality, starting with cardiovascular disease
- Working with communities to promote wide use of best practices to enable healthy living
- Making quality care more affordable for individuals, families, employers, and governments by developing and spreading new health care delivery models

The strategy goes further by recommending that all sectors of the health care system (individuals, families, payers, providers, employers, and communities) employ one or more of the following “levers” to “align” with the National Quality Strategy (NQS) (AHRQ, 2011):

- Measurement and feedback: Provide performance feedback to plans and providers to improve care.
- Public reporting: Compare treatment results, costs, and patient experience for consumers.
- Learning and technical assistance: Foster learning environments that offer training, resources, tools, and guidance to help organizations achieve quality improvement goals.
- Certification, accreditation, and regulation: Adopt or adhere to approaches to meet safety and quality standards.
- Consumer incentives and benefit designs: Help consumers adopt healthy behaviors and make informed decisions.
- Payment: Reward and incentivize providers to deliver high-quality, patient-centered care.
- Health information technology: Improve communication, transparency, and efficiency for better coordinated health and health care.
- Innovation and diffusion: Foster innovation in health care quality improvement, and facilitate rapid adoption within and across organizations and communities.
- Workforce development: Invest in people to prepare the next generation of health care professionals and support lifelong learning for providers.
CMS Quality Programs

The Centers for Medicare and Medicaid (CMS) released its specific Quality Strategy in 2016, which is based on the NQS. Adhering to the same broad aims in the NQS, CMS developed a strategy to improve health care delivery by the following means:

- Using incentives to improve care
- Tying payment to value through new payment models
- Changing how care is given through
  - Better teamwork
  - Better coordination across health care settings
  - More attention to population health
- Putting the power of health care information to work (CMS, 2016)

Since 2001, CMS has engaged in a variety of Quality Initiatives, including initiatives that result in public reporting of performance measures as previously discussed. The Physician Quality Reporting System (PQRS) encourages individual “eligible professionals” (EPs) (e.g., physicians) and group practices to assess and report the quality of care provided to their patients. EPs and group practices that do not report on quality measures as outlined for Medicare Part B covered services risk a negative payment adjustment. There are several mechanisms for reporting PQRS data, including EHRs (CMS, n.d.g).
Using PQRS reporting to determine reimbursement for Medicare Part B is one of many mechanisms through which CMS incentivizes improved quality of care. CMS has multiple value-based or pay-for-performance programs aimed at tying reimbursements to demonstration of quality. CMS's original value-based programs were an attempt to link performance on endorsed quality measures to reimbursement. These programs included the following:
- Hospital Value-Based Purchasing (HVBP) program rewards acute care hospitals for quality care using incentives.
- Hospital Readmissions Reduction (HRR) program rewards acute care hospitals that reduce unnecessary hospital readmissions for certain conditions, such as acute myocardial infarction, heart failure, pneumonia, chronic obstructive pulmonary disease, elective hip or knee replacement, and coronary artery bypass surgery.
- Hospital-Acquired Conditions (HAC) program determines whether or not an acute care hospital should be paid a reduced amount based on performance across health care-acquired infections and unacceptable adverse events.
- Value Modifier (VM) program (also known as Physician Value-Based Modifier or PVBM) rewards physicians (and, beginning in 2018, other primary care professionals, for example, physician assistants and nurse practitioners) for high-quality, lower-cost performance using an adjustment (modifier) for each claim.

Three other value-based programs are applied to end-stage renal disease programs, skilled nursing facilities, and home health programs.
Beyond these traditional value-based programs, CMS encourages innovative, alternative models of care through the CMS Innovation Center. These models are designed to promote lower-cost, higher-quality care. All depend on appropriate reporting of performance measures (CMS, n.d.h).

The Medicare Access and CHIP Reauthorization Act (MACRA)

The Medicare Access and CHIP Reauthorization Act (MACRA) was enacted in 2015. MACRA is one aspect of CMS's push toward improving quality and value. In January 2015, the Department of Health and Human Services announced two goals for value-based payments and alternative payment models (APMs):
Goal 1: 30 percent of Medicare payments are tied to quality or value through APMs by the end of 2016; 50 percent by the end of 2018.
Goal 2: 85 percent of Medicare fee-for-service payments are tied to quality or value by the end of 2016; 90 percent by the end of 2018.

They also invited private sector payers to match or exceed these same goals.
MACRA affects physician providers, moving HHS closer to meeting these goals. Key elements to MACRA are the following:
- Changes the way Medicare rewards physicians and practitioners for value over volume
- Streamlines multiple quality programs directed at physicians and practitioners under the new Merit-based Incentive Payment System (MIPS)
- Provides bonus payments for physician and practitioner participation in eligible APMs (see Chapter One for examples of APMs)

MIPS will incorporate aspects of three existing quality and value programs: PQRS, Value-based Modifier, and the Medicare EHR Incentive Program. The resulting set of performance measures will be divided into the following categories to calculate a score (between 0 and 100) for eligible professionals. Each category of performance will be weighted as shown in Table 10.4.

Table 10.4 MIPS performance categories

Category                                    Weight (%)
Quality                                     50
Advancing care information                  25
Clinical practice improvement activities    15
Resource use                                10

Health care providers meeting the established threshold score will receive no adjustment to payment; those scoring below will receive a negative adjustment and those above, a positive adjustment. Exceptional performers may receive bonus payments (CMS, n.d.c, n.d.e).
The exact implementation dates for MACRA were not set by the publication date for this textbook; however, the projected timetable for implementation of the various aspects of the law is shown in Figure 10.2 (CMS, n.d.c).
Figure 10.2 Projected timetable for implementation of MACRA
Source: CMS (n.d.e).
Summary

In this chapter we examined how health care organizations and health plans use data and information to demonstrate performance to licensing, certifying, and accrediting bodies; to measure performance against internal and external standards; to compare performance to other similar organizations; and to demonstrate performance for reimbursement purposes. This chapter began with an examination of the licensure, certification, and accreditation of health care facilities and health plans, followed by an overview of key comparative data sets often used by health care organizations in benchmarking performance. The chapter further explored major milestones in the national agenda for health care quality improvement, followed by a discussion of the current efforts to improve health care quality and patient safety, focusing on the efforts that involve using health care data and information to measure performance. The private and public organizations responsible for developing and endorsing national quality measures were introduced, and the progress that has been made in aligning these measures across these organizations was discussed. The chapter concluded with an overview of the significant movement toward value-based reimbursement programs and plans for significant growth in these programs over the next decade.
Clearly, there is a bewildering and complex set of measures with many organizations involved. Consequently, many measures being collected are inconsistent across the organizations requiring them. There are differences of opinion about which measures should be collected and about the specific definitions of these measures. Efforts are under way, largely driven by CMS, to align measures to ease the collection burden for health care providers. However, today's reality remains an overwhelmingly complex web of standards and measurement requirements.
EHRs have been cited as the solution for easing the collection burden for health care organizations and providers. However, the most current EHR systems are limited in their ability to collect the required measures. The result is that organizations and providers must resort to manual data collection. In other chapters in this text we have explored reasons for the current limitations of EHRs in this area, including provider resistance because of the time burden. There is a largely unresolved tension in the health care community and HIT industry between the desire to collect accurate and timely measures and the provider resistance to entering the data into the EHR in a standard, retrievable format.
References

Agency for Healthcare Research and Quality (AHRQ). (2011). National quality strategy (NQS). Retrieved August 31, 2016, from http://www.ahrq.gov/workingforquality/nqs/nqs2011annlrpt.pdf
Agency for Healthcare Research and Quality (AHRQ). (2016, July). Comparative data. Retrieved August 31, 2016, from http://www.ahrq.gov/cahps/cahps-database/comparative-data/index.html
Agency for Healthcare Research and Quality (AHRQ). (n.d.a). About the PSO program. Retrieved August 31, 2016, from https://pso.ahrq.gov/about
Agency for Healthcare Research and Quality (AHRQ). (n.d.b). Common formats. Retrieved August 31, 2016, from https://pso.ahrq.gov/common
Centers for Medicare and Medicaid (CMS). (2015, Sept.). CMS-approved accrediting organizations contacts for prospective clients. Retrieved August 30, 2016, from https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Accrediting-Organization-Contacts-for-Prospective-Clients-.pdf
Centers for Medicare and Medicaid (CMS). (2016). CMS quality strategy 2016. Retrieved August 31, 2016, from https://www.cms.gov/medicare/quality-initiatives-patient-assessment-instruments/qualityinitiativesgeninfo/downloads/cms-quality-strategy.pdf
Centers for Medicare and Medicaid (CMS). (n.d.a). Accreditation of Medicare-certified providers & suppliers. Retrieved August 21, 2016, from https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Accreditation-of-Medicare-Certified-Providers-and-Suppliers.html
Centers for Medicare and Medicaid (CMS). (n.d.b). Hospital compare. Retrieved August 31, 2016, from https://www.medicare.gov/hospitalcompare
Centers for Medicare and Medicaid (CMS). (n.d.c). MACRA. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-MIPS-and-APMs.html
Centers for Medicare and Medicaid (CMS). (n.d.d). Medicare. Retrieved August 31, 2016, from https://www.cms.gov/Medicare
Centers for Medicare and Medicaid (CMS). (n.d.e). The Medicare Access & CHIP Reauthorization Act of 2015: Path to value. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-LAN-PPT.pdf
Centers for Medicare and Medicaid (CMS). (n.d.f). The merit-based incentive payment system: MIPS scoring methodology overview. Retrieved August 4, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MIPS-Scoring-Methodology-slide-deck.pdf
Centers for Medicare and Medicaid (CMS). (n.d.g). Physician quality reporting system. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/PQRS/index.html?redirect=/pqri
Centers for Medicare and Medicaid (CMS). (n.d.h). Value-based programs. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/Value-Based-Programs.html
Council of Medical Specialty Societies (CMSS). (2014, Nov.). The measurement of health care performance (3rd ed.). Retrieved August 21, 2016, from http://cmss.org/wp-content/uploads/2015/07/CMSS-Quality-Primer-layout.final.pdf
The Dartmouth Institute. (n.d.). Understanding of the efficiency and effectiveness of the health care system. Retrieved August 31, 2016, from http://www.dartmouthatlas.org/
Institute of Medicine (IOM) Committee on Quality in America. (2001). Crossing the quality chasm: A new health system for the 21st century. Washington, DC: National Academy Press.
The Joint Commission. (2011). Comprehensive accreditation manual for hospitals. Oakbrook Terrace, IL: Author.
The Joint Commission. (2014a, Aug.). Program: Ambulatory. Chapter: Information management (e-dition). Retrieved August 21, 2016, from http://foh.hhs.gov/tjc/im/standards.pdf
The Joint Commission. (2014b, Aug.). Program: Ambulatory. Chapter: Record of care, treatment and services (e-dition). Retrieved August 21, 2016, from http://foh.hhs.gov/tjc/roc/standards.pdf
The Joint Commission. (2015a, Nov. 5). Hospital: 2016 national patient safety goals. Retrieved August 31, 2016, from https://www.jointcommission.org/hap_2016_npsgs/
The Joint Commission. (2015b, Sept. 2). Joint Commission measure sets effective January 1, 2016. Retrieved August 21, 2016, from https://www.jointcommission.org/joint_commission_measure_sets_effective_january_1_2016/
The Joint Commission. (2016, April 27). Accreditation process overview. Retrieved August 21, 2016, from https://www.jointcommission.org/accreditation_process_overview/
The Joint Commission. (n.d.). About the Joint Commission. Retrieved August 21, 2016, from https://www.jointcommission.org/about_us/about_the_joint_commission_main.aspx
Kohn, L. T., Corrigan, J., & Donaldson, M. S. (2000). To err is human: Building a safer health system. Washington, DC: National Academy Press.
Morris, C. (2014, May). Measuring health care quality: An overview of quality measures (Issue brief). FamiliesUSA. Retrieved August 21, 2016, from http://familiesusa.org/sites/default/files/product_documents/HIS_QualityMeasurement_Brief_final_web.pdf
National Committee for Quality Assurance (NCQA). (2015). 2015 NCQA health plan accreditation standards. Retrieved August 21, 2016, from http://www.ncqa.org/programs/accreditation/health-plan-hp
National Committee for Quality Assurance (NCQA). (n.d.a). About NCQA. Retrieved August 21, 2016, from http://www.ncqa.org/about-ncqa
National Committee for Quality Assurance (NCQA). (n.d.b). Quality compass. Retrieved August 21, 2016, from http://www.ncqa.org/tabid/177/Default.aspx
National Committee for Quality Assurance (NCQA). (n.d.c). Report cards. Retrieved August 21, 2016, from http://www.ncqa.org/report-cards
National Quality Forum (NQF). (n.d.). About us. Retrieved August 31, 2016, from http://www.qualityforum.org/About_NQF/
Chapter 9 Privacy and Security
Privacy is an individual's constitutional right to be left alone, to be free from unwarranted publicity, and to conduct his or her life without its being made public. In the healthcare environment, privacy is an individual's right to limit access to his or her health care information. In spite of this constitutional protection and other legislated protections discussed in this chapter, approximately 112 million Americans (a third of the United States population) were affected by breaches of protected health information (PHI) in 2015 (Koch, 2016). Three large insurance-related corporations accounted for nearly one hundred million records being exposed (Koch, 2016). In one well-publicized security breach at Banner Health, where hackers gained entrance through food and beverage computers, approximately 3.7 million individuals' information was accessed, much of it health information (Goedert, 2016).
Health information privacy and security are key topics for healthcare administrators. In today's ever-increasing electronic world, where the Internet of Things is on the horizon and nearly every health care organization employee and visitor has a smart mobile device that is connected to at least one network, new and more virulent threats are an everyday concern. In this chapter we will examine and define the concepts of privacy, confidentiality, and security as they apply to health information. Major legislative efforts, historic and current, to protect health care information are outlined, with a focus on the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification rules. Different types of threats, intentional and unintentional, to health information will be discussed. Basic requirements for a strong health care organization security program will be outlined, and the chapter will conclude with the cybersecurity challenges in today's environment of mobile and cloud-based devices, wearable fitness trackers, social media, and remote access to health information.

Privacy, Confidentiality, and Security Defined

As stated, privacy is an individual's right to be left alone and to limit access to his or her health care information. Confidentiality is related to privacy but specifically addresses the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise. Confidentiality relies on trust. Security refers to the systems that are in place to protect health information and the systems within which it resides. Health care organizations must protect their health information and health information systems from a range of potential threats. Certainly, security systems must protect against unauthorized access and disclosure of patient information, but they must also be designed to protect the organization's IT assets—such as the networks, hardware, software, and applications that make up the organization's health care information systems—from harm.
Legal Protection of Health Information

There are many sources for the legal and ethical requirements that healthcare professionals maintain the confidentiality of patient information and protect patient privacy. Ethical and professional standards, such as those published by the American Medical Association and other organizations, address professional conduct and the need to hold patient information in confidence. Accrediting bodies, such as the Joint Commission, state facility licensure rules, and the government through Centers for Medicare and Medicaid, dictate that health care organizations follow standard practice and state and federal laws to ensure the confidentiality and security of patient information.
Today, legal protection specifically addressing the unauthorized disclosure of an individual's health information generally comes from one of three sources (Koch, 2016):
- Federal HIPAA Privacy, Security, and Breach Notification rules
- State privacy laws. These laws typically apply more stringent protections for information related to specific health conditions (HIV/AIDS, mental or reproductive health, for example).
- Federal Trade Commission (FTC) Act consumer protection, which protects against unfair or deceptive practices. The FTC issued the Health Breach Notification Rule in 2010 to require certain businesses not covered by HIPAA, including PHR vendors, PHR-related entities, or third-party providers for PHR vendors or PHR-related entities, to notify individuals of a security breach.

However, there are two other major federal laws governing patient privacy that, although they have been essentially superseded by HIPAA, remain important, particularly from a historical perspective.

- The Privacy Act of 1974 (5 U.S.C. §552a; 45 C.F.R. Part 5b; OMB Circular No. A-108 [1975])
- Confidentiality of Substance Abuse Patient Records (42 U.S.C. §290dd-2, 42 C.F.R. Part 2)

The Privacy Act of 1974

In 1966, the Freedom of Information Act (FOIA) was passed. This legislation provides the American public with the right to obtain information from federal agencies. The act covers all records created by the federal government, with nine exceptions. The sixth exception is for personnel and medical information, “the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” There was, however, concern that this exception to the FOIA was not strong enough to protect federally created patient records and other health information. Consequently, Congress enacted the Privacy Act of 1974. This act was written specifically to protect patient confidentiality only in federally operated health care facilities, such as Veterans Administration hospitals, Indian Health Service facilities, and military health care organizations. Because the protection was limited to those facilities operated by the federal government, most general hospitals and other nongovernment health care organizations did not have to comply. Nevertheless, the Privacy Act of 1974 was an important piece of legislation, not only because it addressed the FOIA exemption for patient information but also because it explicitly stated that patients had a right to access and amend their medical records. It also required facilities to maintain documentation of all disclosures. Neither of these things was standard practice at the time.
Confidentiality of Substance Abuse Patient Records

During the 1970s, people became increasingly aware of the extra-sensitive nature of drug and alcohol treatment records. This led to the regulations currently found in 42 C.F.R. (Code of Federal Regulations) Part 2, Confidentiality of Substance Abuse Patient Records. These regulations have been amended twice, with the latest version published in 1999. They offer specific guidance to federally assisted health care organizations that provide referral, diagnosis, and treatment services to patients with alcohol or drug problems. Not surprisingly, they set stringent release of information standards, designed to protect the confidentiality of patients seeking alcohol or drug treatment.
HIPAA

HIPAA is the first comprehensive federal regulation to offer specific protection to private health information. Prior to the enactment of HIPAA there was no single federal regulation governing the privacy and security of patient-specific information, only the limited legislative protections previously discussed. These laws were not comprehensive and protected only specific groups of individuals.
The Health Insurance Portability and Accountability Act of 1996 consists of two main parts:
- Title I addresses health care access, portability, and renewability, offering protection for individuals who change jobs or health insurance policies. (Although Title I is an important piece of legislation, it does not address health care information specifically and will therefore not be addressed in this chapter.)
- Title II includes a section titled “Administrative Simplification.” The requirements establishing privacy and security regulations for protecting individually identifiable health information are found in Title II of HIPAA.

The HIPAA Privacy Rule was required beginning April 2003 and the HIPAA Security Rule beginning April 2005. Both rules were subsequently amended, and the Breach Notification Rule was added as a part of the HITECH Act in 2009.
The information protected under the HIPAA Privacy Rule is specifically defined as PHI, which is information that
- Relates to a person's physical or mental health, the provision of health care, or the payment for health care
- Identifies the person who is the subject of the information
- Is created or received by a covered entity
- Is transmitted or maintained in any form (paper, electronic, or oral)

Unlike the Privacy Rule, the Security Rule addresses only PHI transmitted or maintained in electronic form. Within the Security Rule this information is identified as ePHI.
The HIPAA rules also define covered entities (CEs), those organizations to which the rules apply:
- Health plans, which pay or provide for the cost of medical care
- Health care clearinghouses, which process health information (for example, billing services)
- Health care providers who conduct certain financial and administrative transactions electronically (These transactions are defined broadly so that the reality of HIPAA is that it governs nearly all health care providers who receive any type of third-party reimbursement.)
If any CE shares information with others, it must establish contracts to protect the shared information. The HITECH Act amended HIPAA and added “Business Associates” as a category of CE. It further clarified that certain entities, such as health information exchange organizations, regional health information organizations, e-prescribing gateways, or a vendor that contracts with a CE to allow the CE to offer a personal health record as a part of its EHR, are business associates if they require access to PHI on a routine basis (Coppersmith, Gordon, Schermer, & Brokelman, PLC, 2012).

HIPAA Privacy Rule

Although the HIPAA Privacy Rule is a comprehensive set of federal standards, it permits the enforcement of existing state laws that are more protective of individual privacy, and states are also free to pass more stringent laws. Therefore, health care organizations must still be familiar with their own state laws and regulations related to privacy and confidentiality.
The major components to the HIPAA Privacy Rule in its original form include the following:
- Boundaries. PHI may be disclosed for health purposes only, with very limited exceptions.
- Security. PHI should not be distributed without patient authorization unless there is a clear basis for doing so, and the individuals who receive the information must safeguard it.
- Consumer control. Individuals are entitled to access and control their health records and are to be informed of the purposes for which information is being disclosed and used.
- Accountability. Entities that improperly handle PHI can be charged under criminal law and punished and are subject to civil recourse as well.
- Public responsibility. Individual interests must not override national priorities in public health, medical research, preventing health care fraud, and law enforcement in general.

With HITECH, the Privacy Rule was expanded to include creation of new privacy requirements for HIPAA-covered entities and business associates. In addition, the rights of individuals to request and obtain their PHI are strengthened, as is the right of the individual to prevent a healthcare organization from disclosing PHI to a health plan, if the individual paid in full out of pocket for the related services. There were also some new provisions for accounting of disclosures made through an EHR for treatment, payment, and operations (Coppersmith et al., 2012).
The HIPAA Privacy Rule attempts to sort out the routine and nonroutine use of health information by distinguishing between patient consent to use PHI and patient authorization to release PHI. Health care providers and others must obtain a patient's written consent prior to disclosure of health information for routine uses of treatment, payment, and health care operations. This consent is fairly general in nature and is obtained prior to patient treatment. There are some exceptions to this in emergency situations, and the patient has a right to request restrictions on the disclosure. However, health care providers can deny treatment if they feel that limiting the disclosure would be detrimental. Health care providers and others must obtain the patient's specific written authorization for all nonroutine uses or disclosures of PHI, such as releasing health records to a school or a relative.
Exhibit 9.1 is a sample release of information form used by a hospital, showing the following elements that should be present on a valid release form:
- Patient identification (name and date of birth)
- Name of the person or entity to whom the information is being released
- Description of the specific health information authorized for disclosure
- Statement of the reason for or purpose of the disclosure
- Date, event, or condition on which the authorization will expire, unless it is revoked earlier
- Statement that the authorization is subject to revocation by the patient or the patient's legal representative
- Patient's or legal representative's signature
- Signature date, which must be after the date of the encounter that produced the information to be released

Health care organizations need clear policies and procedures for releasing PHI. A central point of control should exist through which all nonroutine requests for information pass, and all disclosures should be well documented.
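As an added example, not from the textbook or from any hospital's own release-of-information system, the following Python checks a nonroutine release request against the elements listed above (including the rule that the signature date must follow the encounter date and that an expired or revoked authorization is not honored) and documents every decision at the central point of control. The Authorization fields, the staff identifier, and the two sample requests are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Authorization:
    """One nonroutine release request. Field names are this example's own."""
    patient_name: str
    patient_dob: Optional[date]
    recipient: str                   # person or entity receiving the PHI
    information: str                 # specific health information authorized
    purpose: str                     # reason for the disclosure
    expires_on: Optional[date]       # expiration date, or None if event-based
    expires_event: str               # e.g. "end of the school year"
    revocation_notice: bool          # form states it may be revoked
    signature: str                   # patient or legal representative
    signed_on: Optional[date]
    encounter_date: date             # encounter that produced the records
    revoked: bool = False


def validate_authorization(auth: Authorization, today: date) -> list:
    """Return the list of defects; an empty list means the form is valid."""
    problems = []
    if not auth.patient_name.strip() or auth.patient_dob is None:
        problems.append("patient identification (name and date of birth) missing")
    if not auth.recipient.strip():
        problems.append("recipient missing")
    if not auth.information.strip():
        problems.append("description of information to disclose missing")
    if not auth.purpose.strip():
        problems.append("purpose of disclosure missing")
    if auth.expires_on is None and not auth.expires_event.strip():
        problems.append("expiration date, event, or condition missing")
    elif auth.expires_on is not None and auth.expires_on < today:
        problems.append("authorization expired")
    if not auth.revocation_notice:
        problems.append("revocation statement missing")
    if auth.revoked:
        problems.append("authorization revoked by patient or representative")
    if not auth.signature.strip():
        problems.append("signature missing")
    if auth.signed_on is None:
        problems.append("signature date missing")
    elif auth.signed_on <= auth.encounter_date:
        problems.append("signature date must be after the encounter date")
    return problems


def process_request(auth, disclosure_log, today, released_by):
    """Central control point: release only if valid, and document the outcome.
    Every decision, approved or denied, is appended to the accounting log."""
    problems = validate_authorization(auth, today)
    disclosure_log.append({
        "date": today.isoformat(),
        "patient": auth.patient_name,
        "recipient": auth.recipient,
        "information": auth.information,
        "purpose": auth.purpose,
        "released_by": released_by,
        "approved": not problems,
        "problems": problems,
    })
    return not problems


# Constructed sample requests (not real patients or institutions).
ENCOUNTER = date(2016, 3, 10)
VALID = Authorization("Jane Doe", date(1980, 5, 1), "Lincoln High School Nurse",
                      "immunization record from the 2016-03-10 visit",
                      "school enrollment", date(2016, 12, 31), "",
                      True, "Jane Doe", date(2016, 3, 15), ENCOUNTER)
# Same form, but signed before the visit it covers and with no expiration.
BACKDATED = Authorization("Jane Doe", date(1980, 5, 1), "Lincoln High School Nurse",
                          "immunization record from the 2016-03-10 visit",
                          "school enrollment", None, "",
                          True, "Jane Doe", date(2016, 3, 1), ENCOUNTER)

if __name__ == "__main__":
    log = []
    today = date(2016, 4, 1)
    print(process_request(VALID, log, today, "him.clerk"))      # True
    print(process_request(BACKDATED, log, today, "him.clerk"))  # False
    print(log[1]["problems"])
```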
In some instances PHI can be released without the patient's authorization; some state laws, for example, require disclosure of certain health information. It is good practice to obtain a patient authorization before releasing information whenever feasible, but in state-mandated cases it is not required. Situations in which information may need to be disclosed to authorized recipients without the patient's consent include:

The presence of a communicable disease, such as HIV/AIDS or a sexually transmitted disease, which must be reported to the state or county department of health
Suspected child abuse or adult abuse, which must be reported to designated authorities
A legal duty to warn another person of a clear and imminent danger from a patient
Bona fide medical emergencies
A valid court order
The HIPAA Security Rule

The HIPAA Security Rule is closely connected to the HIPAA Privacy Rule. The Security Rule governs only ePHI, defined as protected health information that is maintained or transmitted in electronic form. The Security Rule does not distinguish among electronic forms of information or among transmission mechanisms: ePHI may be stored on any type of electronic media, such as magnetic tape or disk, optical disk, servers, and personal computers, and it may be transmitted over the Internet or a local area network (LAN), for example.
The standards in the final rule are defined in general terms, focusing on what should be done rather than on how it should be done. According to the Centers for Medicare and Medicaid Services (CMS, 2004), the final rule specifies “a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information (ePHI). The standards are delineated into either required or addressable implementation specifications.” A required specification must be implemented by a covered entity (CE) for that organization to be in compliance. A CE is in compliance with an addressable specification if it does any one of the following:

Implements the specification as stated
Implements an alternative security measure that accomplishes the purpose of the standard or specification
Implements nothing for that specification, provided it documents why the specification is not reasonable and appropriate in its environment and shows that the purpose of the standard is still met; because the Security Rule is designed to be technology neutral, this flexibility was granted for organizations that employ nonstandard technologies or have legitimate reasons not to need the stated specification (AHIMA, 2003)

Whichever option is chosen, the decision and its rationale must be documented. The standards in the HIPAA Security Rule are divided into sections, or categories, outlined here. There is some overlap among the sections: contingency plans, for example, are covered under both administrative and physical safeguards, and access controls are addressed in several standards and specifications.
The Administrative Safeguards section of the Final Rule contains nine standards:

1. Security management process. This standard requires the CE to implement policies and procedures to prevent, detect, contain, and correct security violations. It has four implementation specifications:
   Risk analysis (required). The CE must conduct an accurate and thorough assessment of the potential risks to and vulnerabilities of the confidentiality, integrity, and availability of ePHI.
   Risk management (required). The CE must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
   Sanction policy (required). The CE must apply appropriate sanctions against workforce members who fail to comply with the CE's security policies and procedures.
   Information system activity review (required). The CE must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
2. Assigned security responsibility. This standard has no implementation specifications. It requires the CE to identify the individual responsible for developing and implementing the organization's security policies and procedures.
3. Workforce security. This standard requires the CE to implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent workforce members who are not authorized from obtaining access. It has three implementation specifications:
   Authorization and/or supervision (addressable). The CE must have a process for ensuring that workforce members who work with ePHI have adequate authorization and supervision.
   Workforce clearance procedure (addressable). There must be a process to determine what access is appropriate for each workforce member.
   Termination procedures (addressable). There must be a process for terminating access to ePHI when a workforce member leaves the organization or when his or her responsibilities change.
4. Information access management. This standard requires the CE to implement policies and procedures for authorizing access to ePHI. It has three implementation specifications. The first (not shown here) applies to health care clearinghouses that are part of a larger organization; the other two apply to health care organizations generally:
   Access authorization (addressable). The CE must have a process for granting access to ePHI through a workstation, transaction, program, or other process.
   Access establishment and modification (addressable). The CE must have a process, based on the access authorization, to establish, document, review, and modify a user's right to access a workstation, transaction, program, or process.
5. Security awareness and training. This standard requires the CE to implement a security awareness and training program for all members of its workforce. The program should include periodic security reminders and address protection from malicious software, log-in monitoring, and password management. (These four items are all addressable implementation specifications.)
6. Security incident procedures. This standard requires the CE to implement policies and procedures to identify and respond to suspected or known security incidents, mitigate their harmful effects to the extent practicable, and document incidents and their outcomes.
7. Contingency plan. This standard has five implementation specifications:
   Data backup plan (required)
   Disaster recovery plan (required)
   Emergency mode operation plan (required)
   Testing and revision procedures (addressable); the CE should periodically test and revise all contingency plans
   Applications and data criticality analysis (addressable); the CE should assess the relative criticality of specific applications and data in support of its contingency plan
8. Evaluation. This standard requires the CE to perform periodic technical and nontechnical evaluations, initially and in response to environmental or operational changes that may affect the security of ePHI.
9. Business associate contracts and other arrangements. This standard sets out the conditions under which a CE must have a formal agreement with a business associate before the two exchange ePHI.

The Physical Safeguards section contains four standards:
1. Facility access controls. This standard requires the CE to implement policies and procedures that limit physical access to its electronic information systems, and to the facilities in which they are housed, to authorized users. It has four implementation specifications:
   Contingency operations (addressable). The CE should have a process for allowing facility access in support of restoring lost data under the disaster recovery plan and emergency mode operation plan.
   Facility security plan (addressable). The CE must have a process to safeguard the facility and its equipment from unauthorized access, tampering, and theft.
   Access control and validation procedures (addressable). The CE should have a process to control and validate a person's access to facilities based on his or her role or function.
   Maintenance records (addressable). The CE should have a process to document repairs and modifications to the physical components of a facility as they relate to security.
2. Workstation use. This standard requires the CE to implement policies and procedures that specify the proper functions to be performed, and the manner in which they are to be performed, on a specific workstation or class of workstation that can access ePHI, and that also specify the physical attributes of the surroundings of such workstations.
3. Workstation security. This standard requires the CE to implement physical safeguards for all workstations that are used to access ePHI and to restrict access to authorized users.
4. Device and media controls. This standard requires the CE to implement policies and procedures governing the movement of hardware and electronic media that contain ePHI into and out of a facility and within a facility. It has four implementation specifications:
   Disposal (required). The CE must have a process for the final disposition of ePHI and of the hardware and electronic media on which it is stored.
   Media reuse (required). The CE must have a process for removing ePHI from electronic media before the media are reused.
   Accountability (addressable). The CE must maintain a record of the movements of hardware and electronic media and of any person responsible for them.
   Data backup and storage (addressable). The CE must create a retrievable, exact copy of ePHI, when needed, before moving equipment.

The Technical Safeguards section contains five standards:
1. Access control. This standard requires the CE to implement technical policies and procedures for electronic information systems that maintain ePHI so that access is allowed only to those persons or software programs that have been granted access rights as specified in the administrative safeguards. It has four implementation specifications:
   Unique user identification (required). The CE must assign a unique name or number for identifying and tracking each user's identity; shared accounts defeat both this specification and the audit controls below.
   Emergency access procedure (required). The CE must establish procedures for obtaining necessary ePHI in an emergency.
   Automatic logoff (addressable). The CE must implement electronic procedures that terminate a session after a predetermined period of inactivity.
   Encryption and decryption (addressable). The CE should implement a mechanism to encrypt and decrypt ePHI as needed.
2. Audit controls. This standard requires the CE to implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
3. Integrity. This standard requires the CE to implement policies and procedures to protect ePHI from improper alteration or destruction. Its one implementation specification (addressable) calls for an electronic mechanism to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
4. Person or entity authentication. This standard requires the CE to implement procedures to verify that a person or entity seeking access to ePHI is in fact the person or entity claimed.
5. Transmission security. This standard requires the CE to implement technical measures to guard against unauthorized access to ePHI being transmitted across a network. It has two implementation specifications:
   Integrity controls (addressable). The CE must implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.
   Encryption (addressable). The CE should encrypt ePHI in transit whenever it is deemed appropriate.

The Policies, Procedures, and Documentation section contains two standards:
1. Policies and procedures. This standard requires the CE to establish and implement policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Rule.
2. Documentation. This standard requires the CE to maintain, in written (including electronic) form, the policies and procedures implemented to comply with the Security Rule. It has three implementation specifications:
   Time limit (required). The CE must retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later.
   Availability (required). The CE must make the documentation available to those persons responsible for implementing the policies and procedures.
   Updates (required). The CE must review the documentation periodically and update it as needed.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires CEs and their business associates to provide notification following a breach of unsecured protected health information. “‘Unsecured’ PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance” (US Department of Health and Human Services, n.d.c). PHI is considered secured only if it has been encrypted using a process consistent with that guidance or the media on which it is stored have been destroyed. Paper or other hard-copy media, such as film, must be shredded or otherwise destroyed so that the PHI cannot be read or reconstructed. Electronic media must be “sanitized” according to accepted standards so that the PHI cannot be retrieved (US Department of Health and Human Services, n.d.c). Encryption provides this safe harbor only if the decryption key has not also been compromised: a lost laptop whose encryption key is stored on the same device, or a stolen device that was never encrypted at all, still holds unsecured PHI.
Depending on the circumstances, notification must be given to:

The individuals affected
The Secretary of Health and Human Services (via the Office for Civil Rights [OCR])
Major media outlets

All individuals affected by a breach of unsecured PHI must be notified without unreasonable delay and no later than sixty days after the breach is discovered. If the CE lacks sufficient or up-to-date contact information for ten or more affected individuals, substitute notice must be given, either by a conspicuous posting on the home page of its website for at least ninety days or through major print or broadcast media. A CE that experiences a breach affecting five hundred or more residents of a state or jurisdiction must, in addition to sending individual notices, notify prominent media outlets serving that area, also within sixty days. All breaches must also be reported to the Secretary of HHS: those affecting five hundred or more individuals within sixty days of discovery, and all others in an annual log submitted within sixty days after the end of the calendar year in which they were discovered (US Department of Health and Human Services, n.d.b).
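The breach rule's safe harbor for encrypted PHI and the Security Rule's transmission security standard (encryption plus integrity controls) both come down to the same mechanism: authenticated encryption, which makes a record unreadable without the key and makes any modification detectable. The following is an added example written for this chapter, not code from the page, from HHS, or from any EHR vendor. It uses AES-256-GCM from Go's standard library; the sample record and MRN are constructed, and it assumes the key is held in a separate key store rather than on the device that holds the records. Whether a given deployment meets the Secretary's guidance for a "valid encryption process" depends on the whole process, key management included, which this example leaves to that key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns a fresh random 256-bit AES key. In a deployment the key
// lives in a key store or HSM, never on the same disk as the records it
// protects (an assumption of this example, not something the page specifies).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealRecord encrypts one ePHI record with AES-256-GCM. The random nonce is
// prepended to the output; the GCM authentication tag that Seal appends covers
// both the record and the additional authenticated data (aad), so a change to
// any byte of nonce, ciphertext, tag, or aad is detected by openRecord.
func sealRecord(key, record, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, aad), nil
}

// openRecord decrypts a blob produced by sealRecord. It returns an error, and
// no plaintext at all, if the key is wrong or anything was modified.
func openRecord(key, blob, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record. The aad binds the ciphertext to its record
	// identifier, so a blob cannot be silently swapped onto another patient.
	record := []byte("MRN 000123|DOE, JANE|1970-01-01|dx: sample text for demo")
	aad := []byte("MRN 000123")

	blob, err := sealRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored/transmitted form (%d bytes): %x...\n", len(blob), blob[:16])

	plain, err := openRecord(key, blob, aad)
	fmt.Printf("with the key: %q err=%v\n", plain, err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // flip one bit of ciphertext in transit
	_, err = openRecord(key, tampered, aad)
	fmt.Println("after tampering:", err)

	_, err = openRecord(key, blob, []byte("MRN 000999"))
	fmt.Println("attached to a different MRN:", err)

	guess := make([]byte, 32) // what a thief of the device alone has to work with
	_, err = openRecord(guess, blob, aad)
	fmt.Println("without the key:", err)
}
```

Two caveats a practitioner would add: a 96-bit random nonce must not be reused under one key, so a key that protects a very large number of records (on the order of billions) should be rotated or replaced by a per-record derived key; and the safe harbor is lost the moment the key is stored alongside the data, which is exactly the unencrypted-laptop pattern behind several of the fines in Table 9.2.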
HIPAA Enforcement and Violation Penalties

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. In addition, HITECH gave state attorneys general the authority to bring civil actions on behalf of their states' residents for HIPAA violations. From April 2003 to May 2016, OCR received more than 134,000 HIPAA complaints and initiated 879 compliance reviews. The complaints and reviews were resolved as follows (US Department of Health and Human Services, 2016):

Thirty-five cases settled, resulting in $36,639,200 in penalties
24,241 cases resolved by requiring changes in privacy practices and corrective action by, or by providing technical assistance to, CEs or business associates
11,018 cases closed with a finding of no violation, and 79,865 closed as not eligible for enforcement

HIPAA civil penalties are applied on a tiered schedule that ranges from $100 for a single violation the CE did not know about (and could not reasonably have known about) to $1,500,000 per year for repeated violations of one provision due to willful neglect. A civil penalty may not be imposed when the violation was not due to willful neglect and is corrected within thirty days of the date the CE knew, or should have known, of it.
HIPAA civil violations fall into four categories, each with its own penalty range; Table 9.1 outlines them.

Table 9.1 HIPAA violation categories

Category 1: A violation that the CE was unaware of and could not realistically have avoided even with a reasonable amount of care taken to comply with HIPAA rules. Minimum fine of $100 per violation, up to $50,000.
Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (falling short of willful neglect of HIPAA rules). Minimum fine of $1,000 per violation, up to $50,000.
Category 3: A violation resulting directly from willful neglect of HIPAA rules, where an attempt has been made to correct the violation. Minimum fine of $10,000 per violation, up to $50,000.
Category 4: A violation resulting from willful neglect of HIPAA rules, where no attempt has been made to correct the violation. Minimum fine of $50,000 per violation.

Fines are issued per violation category, per year that the violation was allowed to persist; the maximum fine per violation category, per year, is $1,500,000.
Source: What are the penalties for HIPAA violations? (2015).

In addition to these civil penalties, a HIPAA violation may result in criminal charges. The criminal penalties fall into three tiers (What are the penalties for HIPAA violations, 2015):
Tier 1: Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. Up to one year in prison.
Tier 2: Obtaining PHI under false pretenses. Up to five years in prison.
Tier 3: Obtaining PHI with intent to sell or use it for commercial advantage, personal gain, or malicious harm. Up to ten years in prison.

Most HIPAA violations are resolved through corrective action; in 2015 only six financial penalties were issued. A serious violation can nonetheless cost a health care organization a substantial amount of money. One case that produced a large financial settlement is described in the Perspective below, and the ten largest fines levied for HIPAA violations as of August 2016 are listed in Table 9.2.
Table 9.2 Top ten largest fines levied for HIPAA violations as of August 2016

Source: Bazzoli (2016).

Advocate Health Care. Individuals affected: 4 million. Fine: $5.55 million (August 2016). Lacked appropriate safeguards, including an unencrypted laptop left in a vehicle overnight.
New York Presbyterian Hospital and Columbia University. Individuals affected: 6,800. Fine: $4.8 million (May 2014). PHI accessible on Google and other search engines.
Cignet Health. Individuals affected: 41. Fine: $4.3 million (February 2011). Did not allow patients access to their medical records and refused to cooperate with OCR.
Feinstein Institute for Medical Research. Individuals affected: unknown. Fine: $3.9 million (March 2016). Lacked appropriate safeguards, leading to theft.
Triple-S Management Corp (Blue Cross/Blue Shield licensee in Puerto Rico). Individuals affected: 398,000. Fine: $3.5 million (November 2015). Did not deactivate user IDs and passwords, allowing former employees to access PHI.
University of Mississippi Medical Center. Individuals affected: 10,000. Fine: $2.75 million (July 2016). Did not manage risks appropriately although aware of the risks and vulnerabilities.
Oregon Health & Science University. Individuals affected: 7,000. Fine: $2.7 million (July 2016). Lacked safeguards with regard to a stolen laptop and used cloud storage without a business associate agreement in place.
CVS Pharmacy. Individuals affected: unknown. Fine: $2.25 million (January 2009). Improperly disposed of PHI such as prescription labels.
New York Presbyterian Hospital. Individuals affected: unknown. Fine: $2.2 million (April 2016). Allowed filming of two patients for a TV series, creating the potential for PHI to be compromised. (Note: The hospital maintains it was not a violation.)
Concentra Health Services. Individuals affected: 870. Fine: $1.73 million (April 2014). Failed to remediate an identified lack of encryption after an unencrypted laptop was stolen.

Perspective: $750,000 HIPAA Settlement Underscores the Need for Organization-Wide Risk Analysis

The University of Washington Medicine (UWM) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations.
UWM is an affiliated covered entity, which includes designated health care components and other entities under the control of the University of Washington, including University of Washington Medical Center, the primary teaching hospital of the University of Washington School of Medicine. Affiliated covered entities must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group. The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization's compliance efforts.
The US Department of Health and Human Services Office for Civil Rights (OCR) initiated its investigation of the UWM following receipt of a breach report on November 27, 2013, which indicated that the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malicious malware. The malware compromised the organization's IT system, affecting the data of two different groups of patients: (1) approximately 76,000 patients involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances; and (2) approximately 15,000 patients involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, Social Security numbers, insurance identification or Medicare numbers.
OCR's investigation indicated UWM's security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.
Source: HHS.gov (2015). Used with permission.
Threats to Health Care Information

What are the threats to health care information systems? In general, they fall into one of three categories:

Human threats, whether tampering, theft, misuse, or error
Natural and environmental threats, such as flood and fire
Environmental factors and technology malfunctions, such as a drive that fails with no backup or a power outage

Threats from human beings can be intentional or unintentional, and they can be internal (caused by employees) or external (caused by individuals outside the organization).
Intentional threats include knowingly disclosing patient information without authorization, theft, and intentional alteration or destruction of data. The culprit could be an external attacker, a disgruntled employee, or a prankster. Cybercrime directed at health information systems has increased significantly in recent years: in the 2014–2015 two-year period, more than 90 percent of health care organizations reported a health information security breach, and nearly half of those were the result of criminal activity (Koch, 2016). Intentional destruction or disruption of health care information is generally carried out with some form of malware, a general term for software written to compromise and then harm a host computer system. The best-known form of malware is the computer virus, but there are others, including ransomware, attacks from which are on the rise in health care.

Common forms of malware include the following (Comodo, 2014):

Viruses are “contagious” pieces of code that attach themselves to other programs or files, infect the host system when those are run, and spread as infected software is shared among computers.
Trojans (or Trojan horses) are malware disguised as a legitimate or useful program so that the user installs it willingly. They do not spread on their own, but they may be built to steal personal information or to take over the host computer's resources, making it unavailable for its intended use.
Spyware tracks a user's activity and gathers information without consent. It is generally hidden and can be difficult to detect.
Worms are self-replicating code that spreads from machine to machine over a network without user action. Depending on the payload, a worm may consume bandwidth, install other malware, or corrupt or delete files, including operating system files.
Ransomware is malware that cripples an organization's systems by encrypting files, folders, or whole systems and then demanding payment, generally in bitcoin, a digital currency, for the decryption key (Conn, 2016). It is typically delivered by an e-mail attachment or link that an employee opens unwittingly, a method known as phishing. Tested, offline backups (the data backup plan required under the contingency plan standard) are what allow an organization to recover without paying.

Unintentional breaches of health information stem from causes such as inadequate training in proper use of the health information system or simple human error. Users may share patient information without proper authorization, share passwords, or download files from nonsecure Internet sites, creating the potential for a security breach. Among the more common forms of internal security breaches across all industries are the installation or use of unauthorized software, use of the organization's computing resources for illegal or illicit communication or activity (pornography, e-mail harassment, and so forth), and use of the organization's computing resources for personal profit.
Losing or improperly disposing of electronic devices, including computers and portable devices, is another serious form of unintentional exposure of health information. In 2015 the OCR breach portal, which lists incidents potentially affecting five hundred or more individuals, recorded more than seventy-five thousand individuals whose data were breached through loss or improper disposal of a device containing PHI (OCR, n.d.).

Threats from natural causes, such as fire or flood, are less common than human threats, but they must also be addressed in any comprehensive health care information security program, as must loss of information from environmental factors and technical malfunctions, which require their own safeguards.
The Health Care Organization's Security Program

Any of the threats discussed in the previous section, if realized, can cause significant damage to the organization. Reverting to manual operations when the computers are down for days, for example, can lead to organizational chaos. Theft or loss of organizational data can lead to litigation by the individuals harmed by the disclosure and to HIPAA violations. Malware can corrupt databases beyond recovery. The function of the health care organization's security program is to identify potential threats and to implement processes that remove them or limit their ability to cause damage. The primary challenge in developing an effective security program is balancing the need for security against its cost. An organization cannot precisely calculate the likelihood that an attacker will cause serious damage or that a backhoe will cut through the network cables under the street, and it may not fully understand the consequences of being without its network for four hours or four days. Hence it may not be sure how much to spend to remove or reduce a given risk.
Another challenge is maintaining a satisfactory balance between health care information system security and health care data and information availability. As we saw in Chapter Two, the major purpose of maintaining health information and health records is to facilitate high-quality care for patients. On the one hand, if an organization's security measures are so stringent that they prevent appropriate access to the health information needed to care for patients, this important purpose is undermined. On the other hand, if the organization allows unrestricted access to all patient-identifiable information to all its employees, the patients' rights to privacy and confidentiality would certainly be violated and the organization's IT assets would be at considerable risk.
The ONC (2015) publication Guide to Privacy and Security of Electronic Health Information for health care providers includes a chapter describing a seven-step approach to implementing a security management process. The guidance is directed at physician practices and other small health care organizations and does not prescribe specific technical solutions; those will be driven by the organization's overall plan and managed by its IT team. Larger organizations must also develop comprehensive security programs and will follow the same basic steps, but they will likely have more internal security resources than a small practice.
The steps in the ONC security management process for health care providers are as follows.

Step 1: Lead Your Culture, Select Your Team, and Learn

This step includes six actions:

Designate a security officer, who will be responsible for developing and implementing the security practices needed to meet HIPAA requirements and ensure the security of PHI.
Discuss HIPAA security requirements with your EHR developer to ensure that your system can be configured to meet the security requirements of HIPAA and Meaningful Use.
Consider using a qualified professional to assist with your security risk analysis; the risk analysis is the opportunity to discover as much as possible about the risks and vulnerabilities to health information within the organization.
Use tools to preview your security risk analysis; examples of available tools are listed under Step 3.
Refresh your knowledge of the HIPAA rules.
Promote a culture of protecting patient privacy and securing patient information, and make clear that every member of the organization is responsible for protecting patient information.

Step 2: Document Your Process, Findings, and Actions

Documenting the risk analysis process and the implementation of safeguards is essential, and it is a HIPAA requirement. The ONC cites the following examples of records to retain:

Policies and procedures
Completed security checklists (ESET, n.d.)
Training materials presented to staff members and volunteers, and any associated certificates of completion
Updated business associate (BA) agreements
Security risk analysis report
EHR audit logs showing use of security features and efforts to monitor users' actions
Risk management action plan or other documentation showing that appropriate safeguards are in place throughout the organization, with implementation timetables and implementation notes
Security incident and breach information

Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)

Risk analysis assesses potential threats and vulnerabilities to the “confidentiality, integrity and availability” (ONC, 2015, p. 41) of PHI. Several government-sponsored guides and toolsets for conducting a comprehensive risk analysis are listed in Table 9.3 with their web addresses.
Table 9.3 Resources for conducting a comprehensive risk analysis

OCR's Guidance on Risk Analysis Requirements under the HIPAA Security Rule: http://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.html
OCR Security Rule Frequently Asked Questions (FAQs): http://www.hhs.gov/hipaa/for-professionals/faq
ONC SRA (Security Risk Assessment) Tool for small practices: https://www.healthit.gov/providers-professionals/security-risk-assessment
National Institute of Standards and Technology (NIST) HIPAA Security Rule Toolkit: https://scap.nist.gov/hipaa/

The three basic actions recommended for an organization's first comprehensive security risk analysis are:

Identify where ePHI exists (every system, device, and medium that creates, receives, maintains, or transmits it).
Identify potential threats and vulnerabilities to that ePHI.
Identify the resulting risks and their associated levels, considering both likelihood and impact.

Step 4: Develop an Action Plan

As discussed, the HIPAA Security Rule provides flexibility in how compliance is achieved, which allows an organization to take its specific needs into account. The action plan should address five components:

Administrative safeguards
Physical safeguards
Technical safeguards
Organizational standards
Policies and procedures

Once in place, the plan should be reviewed regularly by the security team, led by the security officer. Table 9.4 lists common examples of vulnerabilities and mitigation strategies that could be employed.
Table 9.4 Common examples of vulnerabilities and mitigation strategies
Source: ONC (2015).

Administrative safeguards
    Vulnerabilities: No security officer is designated. Workforce is not trained or is unaware of privacy and security issues.
    Mitigation: Security officer is designated and publicized. Workforce training begins at hire and is conducted on a regular and frequent basis. Security risk analysis is performed periodically and when a change occurs in the practice or the technology.
Physical safeguards
    Vulnerabilities: Facility has insufficient locks and other barriers to patient data access. Computer equipment is easily accessible by the public. Portable devices are not tracked or not locked up when not in use.
    Mitigation: Building alarm systems are installed. Offices are locked. Screens are shielded from secondary viewers.
Technical safeguards
    Vulnerabilities: Poor controls enable inappropriate access to the EHR. Audit logs are not used enough to monitor users and other EHR activities. No measures are in place to keep electronic patient data from improper changes. No contingency plan exists. Electronic exchanges of patient information are not encrypted or otherwise secured.
    Mitigation: Secure user IDs, passwords, and appropriate role-based access are used. Routine audits of access and changes to the EHR are conducted. Anti-hacking and anti-malware software is installed. Contingency plans and data backup plans are in place. Data is encrypted.
Organizational standards
    Vulnerabilities: No breach notification and associated policies exist. BA agreements have not been updated in several years.
    Mitigation: Regular reviews of agreements are conducted and updates made accordingly.
Policies and procedures
    Vulnerabilities: Generic written policies and procedures to ensure HIPAA security compliance were purchased but not followed. The manager performs ad hoc security measures.
    Mitigation: Written policies and procedures are implemented and staff members are trained. Security team conducts a monthly review of user activities. Routine updates are made to document security measures.

Step 5: Manage and Mitigate Risks
The security plan will reduce risk only if it is followed by everyone in the organization. This step has four actions associated with it.
Implement your plan.
Prevent breaches by educating and training your workforce.
Communicate with patients.
Update your BA contracts.

Step 6: Attest for the Meaningful Use Security-Related Objective
An organization can attest to the EHR Incentive Program's security-related objective after the security risk analysis has been completed and any identified deficiencies have been corrected.
Step 7: Monitor, Audit, and Update Security on an Ongoing Basis
The security officer, IT administrator, and EHR developer should work together to ensure that the organization's monitoring and auditing functions are active and configured appropriately. Auditing and monitoring are necessary to determine the adequacy and effectiveness of the security plan and infrastructure, and to answer the "who, what, when, where and how" (ONC, 2015, p. 54) of access to patients' ePHI.
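The routine audit that Step 7 and the technical-safeguards row of Table 9.4 call for can be started with a small script over the EHR's exported audit trail. The following is an added example written for this chapter, not code from the ONC guide or from any EHR product. The pipe-delimited log format, the user names and roles, the list of terminated accounts, and the thresholds are all constructed assumptions; a real EHR's audit export will have different fields. It answers the "who, what, when, where" questions with four checks: a read-only role changing a record, a terminated account still in use, one user opening many distinct patient records in a short window, and a burst of failed logins.

```python
"""Routine review of an EHR audit trail for who accessed what, when, and from where.

Added example, not code from the ONC guide or any EHR product. The
pipe-delimited format, user names, roles, thresholds and the terminated-account
list are constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export. Fields: timestamp|user|role|action|patient_id|workstation|result
CONSTRUCTED_LOG = """\
2016-08-08T09:02:11|jdoe|nurse|VIEW|P1001|WS-ED-03|OK
2016-08-08T09:03:40|jdoe|nurse|UPDATE|P1001|WS-ED-03|OK
2016-08-08T09:05:02|bsmith|billing|VIEW|P1001|WS-BIL-01|OK
2016-08-08T09:05:30|bsmith|billing|UPDATE|P1001|WS-BIL-01|OK
2016-08-08T09:10:00|rlee|physician|VIEW|P1002|WS-CLN-07|OK
2016-08-08T09:10:20|rlee|physician|VIEW|P1003|WS-CLN-07|OK
2016-08-08T09:10:41|rlee|physician|VIEW|P1004|WS-CLN-07|OK
2016-08-08T09:11:05|rlee|physician|VIEW|P1005|WS-CLN-07|OK
2016-08-08T09:11:30|rlee|physician|VIEW|P1006|WS-CLN-07|OK
2016-08-08T09:11:55|rlee|physician|VIEW|P1007|WS-CLN-07|OK
2016-08-08T09:20:00|tgone|nurse|LOGIN|-|WS-ED-01|OK
2016-08-08T09:20:15|tgone|nurse|VIEW|P1008|WS-ED-01|OK
2016-08-08T09:30:00|mwhite|nurse|LOGIN|-|WS-ED-02|FAIL
2016-08-08T09:30:05|mwhite|nurse|LOGIN|-|WS-ED-02|FAIL
2016-08-08T09:30:09|mwhite|nurse|LOGIN|-|WS-ED-02|FAIL
2016-08-08T09:30:14|mwhite|nurse|LOGIN|-|WS-ED-02|FAIL
2016-08-08T09:30:18|mwhite|nurse|LOGIN|-|WS-ED-02|FAIL
"""

ROLES_MAY_UPDATE = {"physician", "nurse"}  # assumed: billing is read-only on clinical data
TERMINATED_USERS = {"tgone"}               # assumed HR feed of accounts that should be disabled
MAX_PATIENTS_PER_WINDOW = 5                # more distinct patients than this within WINDOW_SECONDS
WINDOW_SECONDS = 300
MAX_FAILED_LOGINS = 4


def parse(log_text):
    """Turn the export into a list of dicts; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 7:
            continue
        ts, user, role, action, patient, ws, result = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                        "action": action, "patient": patient, "ws": ws, "result": result})
    return records


def review(records):
    """Return sorted (rule, user, detail) findings for the security team's review."""
    findings = set()
    failed_logins = Counter()
    accesses = defaultdict(list)  # user -> [(ts, patient), ...] for successful record access

    for r in records:
        # Integrity: a role that should be read-only changed a record.
        if r["action"] == "UPDATE" and r["role"] not in ROLES_MAY_UPDATE:
            findings.add(("update_by_readonly_role", r["user"],
                          f"{r['role']} updated {r['patient']} from {r['ws']}"))
        # Former employees must be disabled; any successful activity is a finding.
        if r["user"] in TERMINATED_USERS and r["result"] == "OK":
            findings.add(("terminated_account_active", r["user"], "account still in use"))
        if r["action"] == "LOGIN" and r["result"] == "FAIL":
            failed_logins[r["user"]] += 1
        if r["patient"] != "-" and r["result"] == "OK":
            accesses[r["user"]].append((r["ts"], r["patient"]))

    # Possible password guessing, or a locked-out user who needs the reset process.
    for user, n in failed_logins.items():
        if n >= MAX_FAILED_LOGINS:
            findings.add(("failed_login_burst", user, f"{n} failed logins"))

    # Possible record snooping: many distinct patients opened in a short window.
    for user, events in accesses.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = {p for ts, p in events[i:] if (ts - start).total_seconds() <= WINDOW_SECONDS}
            if len(window) > MAX_PATIENTS_PER_WINDOW:
                findings.add(("excessive_patient_access", user,
                              f"{len(window)} distinct patients within {WINDOW_SECONDS}s"))
                break

    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in review(parse(CONSTRUCTED_LOG)):
        print(f"{rule:28} {user:8} {detail}")
```

On the constructed log this reports four findings: bsmith (billing) updating a clinical record, tgone still logging in after termination, rlee opening six charts in under two minutes, and five failed logins for mwhite. The snooping check is deliberately crude; a real review would also compare each access against a treatment relationship (the patient's care team or schedule), and the thresholds need tuning to the practice's normal volume so the monthly review is not flooded with noise.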
Beyond HIPAA: Cybersecurity for Today's Wired Environment
HIPAA is clearly an important legislative act aimed at protecting health data and information. However, in today's increasingly wired environment, health care organizations face threats that were not present when HIPAA was enacted. In June 2016, 41 percent of reported data breaches were attributed to hacking, and in July of that year a single hacker was responsible for nearly 30 percent of the health care data breached (Sullivan, 2016). Experts argue that health care organizations are easy targets for cybercriminals because they are inadequately prepared. The average health care provider spends less than 6 percent of its total IT budget on security, compared to the government, which spends 16 percent, and the banking industry, which spends between 12 and 15 percent. One explanation for the increase in cybercrime against health care organizations is PHI's value on the black market; by one estimate, a PHI record is worth fifty times more than a financial record (Koch, 2016; Siwicki, 2016).
The reality of today's environment is that there are more entry points into health care information networks and computers than ever before. Mobile devices, cloud use, smart consumer products, health care devices with Internet connectivity, and more employees connecting to health care networks from remote locations all increase the need for cybersecurity in health care organizations. One recent survey found that among medical students and physicians, 93.7 percent owned smartphones and 82.9 percent had used them in a clinical setting. Perhaps the most surprising aspect of the survey was that none of the respondents believed that using the devices increased the risk of breaching patient information (Buchholz, Perry, Weiss, & Cooley, 2016).
So-called mHealth technologies, which include personal health records and cloud-based or mobile applications that collect information directly from patients or accept uploads of health-related data from wearable devices, are also on the rise, as is the use of health-related social media sites. These technologies were not contemplated when HIPAA was written, and the entities that offer them generally do not meet the definition of a covered entity (CE) or business associate, so the health data they hold falls outside HIPAA's protections (DeSalvo & Samuels, 2016).
To help health care organizations combat cyber attacks and improve cybersecurity, the ONC (n.d.) published the Top 10 Tips for Cybersecurity in Health Care. The first tip reminds health care organizations to establish a security culture, which is also the first tip in the ONC's guidance for developing a security plan, emphasizing the importance of this aspect of any security program. The remaining tips offer more specific ways to mitigate the threat from cyber attacks, each with specific checkpoints (ONC, n.d.). The full version of the top-ten document is available at HealthIT.gov.
Protect Mobile Devices
Ensure your mobile devices are equipped with strong authentication and access controls. Ensure laptops have password protection. Enable password protection on handheld devices (if available). Take extra physical control precautions over the device if password protection is not provided.
Protect wireless transmissions from intrusion.
Do not transmit unencrypted PHI across public networks (e.g., Internet, Wi-Fi).
When it is absolutely necessary to commit PHI to a mobile device or remove a device from a secure area, encrypt the data. Do not use mobile devices that cannot support encryption.
Develop and enforce policies specifying the circumstances under which devices may be removed from the facility.
Take extra care to prevent unauthorized viewing of the PHI displayed on a mobile device.

Maintain Good Computer Habits
Uninstall any software application that is not essential to running the practice (e.g., games, instant message clients, photo-sharing tools).
Do not simply accept defaults or "standard" configurations when installing software.
Find out whether the EHR developer maintains an open connection to the installed software (a "back door") in order to provide updates and support.
Disable remote file sharing and remote printing within the operating system (e.g., Windows).
Automate software updates to occur weekly (e.g., use Microsoft Windows Automatic Update).
Monitor for critical and urgent patches and updates that require immediate attention and act on them as soon as possible.
Disable user accounts for former employees quickly and appropriately. If an employee is to be involuntarily terminated, close access to the account before the notice of termination is served.
Prior to disposal, sanitize computers and any other devices that have had data stored on them.
Archive old data files for storage if needed, or clean them off the system if not needed, subject to applicable data retention requirements.
Fully uninstall software that is no longer needed (including trial software and old versions of current software).
Work with your IT team or other resources to perform malware, vulnerability, configuration, and other security audits on a regular basis.

Use a Firewall
Unless your electronic health record (EHR) and other systems are totally disconnected from the Internet, you must install a firewall to protect against intrusions and threats from outside sources. Larger health care organizations that use a local area network (LAN) should consider a hardware firewall.

Install and Maintain Antivirus Software
Use an antivirus product that provides continuously updated protection against viruses, malware, and other code that can attack your computers through web downloads, CDs, e-mail, and flash drives. Keep antivirus software up to date. Most antivirus software automatically generates reminders about these updates, and many products can be configured to update automatically.

Plan for the Unexpected
Create data backups regularly and reliably. Begin backing up data from day one of a new system. Ensure the data are being captured correctly. Ensure the data can be quickly and accurately restored. Use an automated backup system, if possible. Consider storing the backup far away from the main system. Protect backup media with the same type of access controls described under "Control Access to PHI" and "Control Physical Access" below. Test backup media regularly for their ability to restore data properly, especially as the backups age.
Have a sound recovery plan. Know the following:
What data was backed up (e.g., databases, PDFs, TIFFs, documents)
When the backups were done (time frame and frequency)
Where the backups are stored
What types of equipment are needed to restore them
Keep the recovery plan securely at a remote location where someone has responsibility for producing it in the event of an emergency.

Control Access to PHI
Configure your EHR system to grant PHI access only to people with a "need to know." This access control system might be part of an operating system (e.g., Windows), built into a particular application (e.g., an e-prescribing module), or both.
Manually set file access permissions using an access control list. This can only be done by someone with authorized rights to the system. Prior to setting these permissions, identify which files should be accessible to which staff members.
Configure role-based access control as needed. In role-based access, a staff member's role within the organization (e.g., physician, nurse, billing specialist) determines what information may be accessed. Assign staff members to the correct roles and then set the access permissions for each role correctly on a need-to-know basis.
The following case provides additional examples of access control.
Case Study: Access Control
Mary Smith is the director of the health information management department in a hospital. Under a user-based access control scheme, Mary would be allowed read-only access to the hospital's laboratory information system because of her personal identity; that is, because she is Mary Smith and uses the proper log-in and password(s) to get into the system. Under a role-based control scheme, Mary would be allowed read-only access to the hospital's lab system because she is part of the health information management department and all department employees have been granted read-only privileges for this system. If the hospital were to adopt a context-based control scheme, Mary might be allowed access to the lab system only from her own workstation or another workstation in the health information management department, provided she used her proper log-in and password. If she attempted to log in from the emergency department or another administrative office, she might be denied access. The context control could also involve time of day. Because Mary is a daytime employee, she might be denied access if she attempted to log in at night.
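The three schemes in the case can be written down as policy code, which makes the differences between them concrete. The following is an added example, not from the chapter or from any EHR product. The user names (msmith, rjones), departments, workstation names, and shift hours are assumed for illustration, and authentication (the log-in and password step) is assumed to have already succeeded. As the case describes it, the context-based check builds on the role-based one: Mary must hold a role that may read the lab system, and in addition must be at a health information management workstation during her shift.

```python
"""User-, role- and context-based access decisions for the Mary Smith case.

Added example, not from the chapter. Users, departments, workstations and
shift hours are assumptions made for illustration. Authentication (log-in
name plus password) is assumed to have already succeeded.
"""
from datetime import time

# User-based: permissions are attached to the individual account.
USER_ACL = {
    "msmith": {"lab": {"read"}},
}

# Role-based: permissions are attached to a role; users inherit them via membership.
USER_ROLES = {"msmith": "him_staff", "rjones": "lab_tech"}
ROLE_PERMS = {
    "him_staff": {"lab": {"read"}},
    "lab_tech": {"lab": {"read", "write"}},
}

# Context-based: which department each workstation sits in, and each user's shift.
WORKSTATION_DEPT = {"WS-HIM-01": "him", "WS-HIM-02": "him", "WS-ED-05": "ed", "WS-LAB-01": "lab"}
USER_DEPT = {"msmith": "him", "rjones": "lab"}
USER_SHIFT = {"msmith": ("07:00", "17:00"),   # day shift
              "rjones": ("19:00", "07:00")}   # night shift, wraps past midnight


def user_based(user, resource, op):
    """Allow only if this specific account was granted op on resource."""
    return op in USER_ACL.get(user, {}).get(resource, set())


def role_based(user, resource, op):
    """Allow if the user's role carries op on resource."""
    role = USER_ROLES.get(user)
    return op in ROLE_PERMS.get(role, {}).get(resource, set())


def in_shift(user, at):
    """True if the clock time `at` ("HH:MM") falls inside the user's scheduled shift."""
    shift = USER_SHIFT.get(user)
    if shift is None:
        return False  # no schedule on file: default deny
    start, end, now = time.fromisoformat(shift[0]), time.fromisoformat(shift[1]), time.fromisoformat(at)
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end  # overnight shift


def context_based(user, resource, op, workstation, at):
    """Role-based decision, further restricted by where and when the request is made."""
    if not role_based(user, resource, op):
        return False
    dept = USER_DEPT.get(user)
    if dept is None or WORKSTATION_DEPT.get(workstation) != dept:
        return False  # unknown user or workstation, or a workstation outside the user's department
    return in_shift(user, at)


if __name__ == "__main__":
    for ws, at in [("WS-HIM-01", "10:00"), ("WS-ED-05", "10:00"), ("WS-HIM-01", "23:00")]:
        verdict = "allow" if context_based("msmith", "lab", "read", ws, at) else "deny"
        print(f"msmith read lab from {ws} at {at}: {verdict}")
```

The user-based table shows why that scheme is hard to maintain: rjones has no entry, so every new hire needs an individual grant. The role-based table gives the same answer for Mary with one line per department. Every lookup in the context-based path defaults to deny when a user, workstation, or schedule is missing, which is the behaviour to insist on when an EHR vendor implements these rules.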
Use Strong Passwords
Choose a password that is not easily guessed. Characteristics of a strong password include:
At least eight characters in length (the longer the better)
A combination of uppercase and lowercase letters, at least one number, and at least one special character, such as a punctuation mark
Strong passwords should not include personal information such as:
Birth date
Names of self, family members, or pets
Social Security number
Anything that is on your social networking sites or could otherwise be discovered easily by others
Use multifactor authentication for more security. Multifactor authentication combines authentication methods of different types, such as a password plus a fingerprint scan or a one-time code from a token, and gives stronger protection than a password alone. If you e-prescribe controlled substances, DEA rules for electronic prescribing of controlled substances require two-factor authentication for those accounts.
Configure your systems so that passwords must be changed on a regular basis. (Note that the later NIST guidance in SP 800-63B, 2017, recommends requiring a change only when there is evidence of compromise, because forced periodic rotation tends to produce weaker, predictable passwords.) To discourage staff members from writing down their passwords, develop a password reset process that provides quick assistance in case of a forgotten password.
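Two of the tips above, a password that is "not easily guessed" and multifactor authentication, depend on how the server stores and checks credentials. The following added example (not from the ONC tips or from any EHR product) shows a login check that verifies a password against a salted, iterated PBKDF2 hash and then requires a time-based one-time code (TOTP, RFC 6238) as a second factor. The demo password, the fixed salt, and the shared secret are constructed test values; the secret is the RFC 6238 test-vector seed so the generated codes can be checked against the published vectors. In production the salt comes from os.urandom per user and the TOTP secret is enrolled per user and never hard-coded.

```python
"""Password plus TOTP second factor for an EHR login.

Added example, not from the ONC tips. The demo password, fixed salt and
shared secret are constructed test values; the secret is the RFC 6238
test-vector seed so the codes can be checked against the RFC.
"""
import hashlib
import hmac
import struct
import time

PBKDF2_ITERATIONS = 200_000   # slows offline guessing against a stolen hash
TOTP_STEP = 30                # seconds per code
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; store this and the salt, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # compare_digest avoids leaking where the hashes differ through timing
    return hmac.compare_digest(hash_password(password, salt), stored)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current step and +/- skew neighbouring steps to tolerate clock drift."""
    counter = int(unix_time) // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


# Constructed enrolment record for one demo user (assumption, not real data).
DEMO_SALT = b"constructed-demo-salt"            # in practice: os.urandom(16), unique per user
DEMO_HASH = hash_password("Correct-Horse-Battery-Staple-2016!", DEMO_SALT)
DEMO_SECRET = b"12345678901234567890"           # RFC 6238 test seed, not a real key


def login(password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; a wrong password is rejected before the code is examined."""
    if not verify_password(password, DEMO_SALT, DEMO_HASH):
        return False
    return verify_totp(DEMO_SECRET, code, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    current = totp(DEMO_SECRET, now)
    print("current code:", current)
    print("login with both factors:", login("Correct-Horse-Battery-Staple-2016!", current, now))
```

The RFC 6238 vectors give a quick self-check: with this seed the code at Unix time 59 is 287082 and at 1234567890 it is 005924. The one-step skew window is what lets a code typed a few seconds late still work; anything wider than that weakens the second factor, and a real deployment should also refuse to accept the same code twice within a step.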
Limit Network Access
Prohibit staff members from installing software without prior approval.
When a wireless router is used, set it up to operate only in encrypted mode.
Prohibit casual network access by visitors.
Check to make sure file sharing, instant messaging, and other peer-to-peer applications have not been installed without explicit review and approval.
Control Physical Access
Limit the chances that devices (e.g., laptops, handhelds, desktops, servers, thumb drives, CDs, backup tapes) may be tampered with, lost, or stolen. Document and enforce policies limiting physical access to devices and information:
Keep machines in locked rooms.
Manage keys to facilities.
Restrict removal of devices from a secure area.

National Institute of Standards and Technology (NIST) Cybersecurity Framework
Recognizing the severity of the rise in cybercrime, President Obama issued an executive order in February 2013 to "enhance the security and resilience of the Nation's critical infrastructure" (Executive Order 13636). As a result, the National Institute of Standards and Technology (NIST) was directed to develop, with the help of stakeholder organizations, a voluntary cybersecurity framework to reduce cyber-attack risks. The resulting NIST Cybersecurity Framework consists of three components (NIST, n.d.):
The Framework Core consists of "five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover." The functions provide "the highest level, strategic view of an organization's management of cybersecurity risk" (NIST, n.d., p. 4). The functions are divided into categories and subcategories as shown in Exhibit 9.2.
The Framework Implementation Tiers characterize an organization's actual cybersecurity practices against the framework, on a scale from Partial (Tier 1) to Adaptive (Tier 4).
The Framework Profile documents the outcomes obtained by reviewing all of the categories and subcategories and comparing them to the organization's business needs. A profile can be "current," documenting where the organization is now, or "target," describing where the organization would like to be.
Since the framework's initial publication in 2014, HHS, including OCR and the ONC, has cited it as an important tool for health care organizations to consider when developing a comprehensive security program. In 2016, OCR published a crosswalk that maps the HIPAA Security Rule to the NIST framework, available at HHS.gov/hipaa (US Department of Health and Human Services, n.d.a).
Summary
In this chapter we gained insight into why health information privacy and security are key topics for health care administrators. In today's ever more electronic world, with new and more virulent threats, the security of health information is an ongoing concern. We examined and defined the concepts of privacy, confidentiality, and security and explored major legislative efforts, historical and current, to protect health care information, with a focus on the HIPAA Privacy, Security, and Breach Notification Rules. Different types of threats (human, natural, and environmental; intentional and unintentional) were identified, with a focus on the increase in cybercrime. Basic requirements for a strong health care organization security program were outlined, and the chapter ended with a discussion of the cybersecurity challenges within the current health care environment.
References
American Health Information Management Association (AHIMA). (2003). Final Rule for HIPAA security standards. Chicago, IL: Author.
Bazzoli, F. (2016, Aug. 9). 12 largest fines levied for HIPAA violations. Health Data Management. Retrieved August 9, 2016, from http://www.healthdatamanagement.com/list/12-largest-fines-levied-for-hipaa-violations
Buchholz, A., Perry, B., Weiss, L. B., & Cooley, D. (2016). Smartphone use and perceptions among medical students and practicing physicians. Journal of Mobile Technology in Medicine, 5(1), 27–32. doi:10.7309/jmtm.5.1.5
Centers for Medicare and Medicaid Services (CMS). (2004). HIPAA administrative simplification: Security—Final Rule. Retrieved November 2004 from http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security
Comodo. (2014, Aug. 4). Malware versus viruses: What's the difference? Retrieved August 10, 2016, from https://antivirus.comodo.com/blog/computer-safety/malware-vs-viruses-whats-difference/
Conn, J. (2016, Feb. 18). Hospital pays hackers $17,000 to unlock EHRs frozen in "ransomware" attack. Modern Healthcare. Retrieved November 11, 2016, from http://www.modernhealthcare.com/article/20160217/NEWS/160219920
Coppersmith, Gordon, Schermer, & Brockelman, PLC. (2012). HITECH Act expands HIPAA privacy and security rules. Retrieved March 2012 from http://www.azhha.org/member_and_media_resources/documents/HITECHAct.pdf
DeSalvo, K. B., & Samuels, J. (2016, July 19). Examining oversight of the privacy & security of health data collected by entities not regulated by HIPAA. Health IT Buzz. Retrieved August 10, 2016, from https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/examining-oversight-privacy-security-health-data-collected-entities-not-regulated-hipaa/
ESET. (n.d.). HIPAA security checklist [Brochure]. Retrieved August 8, 2016, from https://www.healthit.gov/sites/default/files/comments_upload/hipaa-security-checklist.pdf
Goedert, J. (2016, Aug. 8). Hack of Banner systems highlights the need for more firewalls. Health Data Management. Retrieved August 10, 2016, from http://www.healthdatamanagement.com/news/hack-of-banner-systems-highlights-the-need-for-more-firewalls?utm_medium=email
HHS.gov. (2015). $750,000 HIPAA settlement underscores the need for organization-wide risk analysis. Retrieved from http://www.hhs.gov/about/news/2015/12/14/750000-hipaa-settlement-underscores-need-for-organization-wide-risk-analysis.html
Koch, D. D. (2016, Spring). Is HIPAA Security Rule enough to protect electronic personal health information (PHI) in the cyber age? Journal of Health Care Finance. Retrieved August 8, 2016, from http://www.healthfinancejournal.com/index.php/johcf/article/view/67
National Institute of Standards and Technology (NIST). (2016). Framework for improving critical infrastructure cybersecurity. Retrieved from http://www.nist.gov/cyberframework/upload/CSF-for-law-policy-symposium.pdf
National Institute of Standards and Technology (NIST). (n.d.). Cybersecurity framework. Retrieved August 10, 2016, from http://www.nist.gov/cyberframework/
Office for Civil Rights (OCR). (n.d.). HHS Breach Portal. Retrieved August 8, 2016, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
ONC. (2015). Guide to privacy and security of electronic health information. Retrieved from https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
ONC. (n.d.). Top 10 tips for cybersecurity in health care [Brochure]. Retrieved August 8, 2016, from https://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf
Siwicki, B. (2016, May 17). Cybersecurity special report: Ransomware will get worse, hackers targeting whales, medical devices and IoT trigger new vulnerabilities. Healthcare IT News. Retrieved August 10, 2016, from http://www.healthcareitnews.com/node/525131
Sullivan, T. (2016, Aug. 9). "DarkOverLord" ransomware accounts for nearly 30 percent of health data breaches in July. Healthcare IT News. Retrieved August 10, 2016, from http://www.healthcareitnews.com/news/darkoverlord-ransomware-accounts-nearly-30-percent-health-data-breaches-july
US Department of Health and Human Services. (2016, Sept. 30). Enforcement highlights. Retrieved August 8, 2016, from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
US Department of Health and Human Services. (n.d.a). Addressing gaps in cybersecurity: OCR releases crosswalk between HIPAA Security Rule and NIST cybersecurity framework. Retrieved August 10, 2016, from http://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/
US Department of Health and Human Services. (n.d.b). Breach Notification Rule. Retrieved August 8, 2016, from http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
US Department of Health and Human Services. (n.d.c). Guidance to render unsecured protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Retrieved August 8, 2016, from http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
What are the penalties for HIPAA violations? (2015, June 14). HIPAA Journal. Retrieved from http://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
