ACADEMIC GUYS

Health Insurance Portability and Accountability Act (HIPAA) Violations

the articles by Adjerid, Acquisti, Telang, Padman, & Adler-Milstein (2016), Cartwright-Smith, Gray, & Thorpe (2016), Marvin (2017), and Richesson & Chute (2015).

HIPAA is a law that was enacted in 1996 to protect patients’ private health information (PHI). It has since been amended to include more specifics on PHI as it relates to technology. Most recently, in 2009, HITECH, a segment of the American Recovery and Reinvestment Act, was enacted to extend these protections to electronic PHI (ePHI). HITECH provides incentives for providers to encourage the adoption of ePHI systems.

From the 2018 OCR HIPAA Summary: Settlements & Judgements

Provide an analysis of the HIPAA violation of patient health information (PHI) that was present in the case selected:

June 2018

In June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required The University of Texas MD Anderson Cancer Center (MD Anderson), a Texas cancer center, to pay $4.3 million in civil money penalties for HIPAA violations. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted ePHI of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going back to 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to encrypt ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. This matter is under appeal with the HHS Departmental Appeals Board.

Date          Name            Amount
June 2018     M.D. Anderson   $4,348,000

  • Analyze the specific HIPAA privacy and security rules that were broken.
  • Explain the penalties (if any) that were imposed as a result of the ruling on the case.
  • Develop a health system improvement plan to include applicable Federal standards.
  • Propose a risk analysis strategy addressing appropriate laws and regulations.
  • Apply the lessons learned from this particular case to your Proposal and Final Presentation.

Chapter 9
Privacy and Security

Privacy is an individual’s constitutional right to be left alone, to be free from unwarranted
publicity, and to conduct his or her life without its being made public. In the healthcare
environment, privacy is an individual’s right to limit access to his or her health care information.
In spite of this constitutional protection and other legislated protections discussed in this chapter,
approximately 112 million Americans (a third of the United States population) were affected by
breaches of protected health information (PHI) in 2015 (Koch, 2016). Three large
insurance-related corporations accounted for nearly one hundred million records being exposed
(Koch, 2016). In one well-publicized security breach at Banner Health, where hackers gained
entrance through food and beverage computers, approximately 3.7 million individuals’
information was accessed, much of it health information (Goedert, 2016).

Health information privacy and security are key topics for healthcare administrators. In today’s
ever-increasing electronic world, where the Internet of Things is on the horizon and nearly every
health care organization employee and visitor has a smart mobile device that is connected to at
least one network, new and more virulent threats are an everyday concern. In this chapter we
will examine and define the concepts of privacy, confidentiality, and security as they apply to
health information. Major legislative efforts, historic and current, to protect health care
information are outlined, with a focus on the Health Insurance Portability and Accountability Act
(HIPAA) Privacy, Security, and Breach Notification rules. Different types of threats, intentional
and unintentional, to health information will be discussed. Basic requirements for a strong health
care organization security program will be outlined, and the chapter will conclude with the
cybersecurity challenges in today’s environment of mobile and cloud-based devices, wearable
fitness trackers, social media, and remote access to health information.
Privacy, Confidentiality, and Security Defined
As stated, privacy is an individual’s right to be left alone and to limit access to his or her health
care information. Confidentiality is related to privacy but specifically addresses the expectation
that information shared with a health care provider during the course of treatment will be used
only for its intended purpose and not disclosed otherwise. Confidentiality relies on trust. Security
refers to the systems that are in place to protect health information and the systems within
which it resides. Health care organizations must protect their health information and health
information systems from a range of potential threats. Certainly, security systems must protect
against unauthorized access and disclosure of patient information, but they must also be
designed to protect the organization’s IT assets—such as the networks, hardware, software, and
applications that make up the organization’s health care information systems—from harm.

Legal Protection of Health Information
There are many sources for the legal and ethical requirements that healthcare professionals
maintain the confidentiality of patient information and protect patient privacy. Ethical and
professional standards, such as those published by the American Medical Association and
other organizations, address professional conduct and the need to hold patient information in
confidence. Accrediting bodies, such as the Joint Commission, state facility licensure rules, and
the government through Centers for Medicare and Medicaid, dictate that health care
organizations follow standard practice and state and federal laws to ensure the confidentiality
and security of patient information.

Today, legal protection specifically addressing the unauthorized disclosure of an individual’s health
information generally comes from one of three sources (Koch, 2016):

  • Federal HIPAA Privacy, Security, and Breach Notification rules
  • State privacy laws. These laws typically apply more stringent protections for information related
    to specific health conditions (HIV/AIDS, mental or reproductive health, for example).
  • Federal Trade Commission (FTC) Act consumer protection, which protects against unfair or
    deceptive practices. The FTC issued the Health Breach Notification Rule in 2010 to require
    certain businesses not covered by HIPAA, including PHR vendors, PHR-related entities, or
    third-party providers for PHR vendors or PHR-related entities, to notify individuals of a security
    breach.
However, there are two other major federal laws governing patient privacy that, although they
have been essentially superseded by HIPAA, remain important, particularly from a historical
perspective.

  • The Privacy Act of 1974 (5 U.S.C. §552a; 45 C.F.R. Part 5b; OMB Circular No. A-108 [1975])
  • Confidentiality of Substance Abuse Patient Records (42 U.S.C. §290dd-2, 42 C.F.R. Part 2)
The Privacy Act of 1974
In 1966, the Freedom of Information Act (FOIA) was passed. This legislation provides the
American public with the right to obtain information from federal agencies. The act covers all
records created by the federal government, with nine exceptions. The sixth exception is for
personnel and medical information, “the disclosure of which would constitute a clearly
unwarranted invasion of personal privacy.” There was, however, concern that this exception to
the FOIA was not strong enough to protect federally created patient records and other health
information. Consequently, Congress enacted the Privacy Act of 1974. This act was written
specifically to protect patient confidentiality only in federally operated health care facilities, such
as Veterans Administration hospitals, Indian Health Service facilities, and military health care
organizations. Because the protection was limited to those facilities operated by the federal
government, most general hospitals and other non government health care organizations did not
have to comply. Nevertheless, the Privacy Act of 1974 was an important piece of legislation, not
only because it addressed the FOIA exemption for patient information but also because it
explicitly stated that patients had a right to access and amend their medical records. It also
required facilities to maintain documentation of all disclosures. Neither of these things was
standard practice at the time.

Confidentiality of Substance Abuse Patient Records
During the 1970s, people became increasingly aware of the extra-sensitive nature of drug and
alcohol treatment records. This led to the regulations currently found in 42 C.F.R. (Code of
Federal Regulations) Part 2, Confidentiality of Substance Abuse Patient Records. These
regulations have been amended twice, with the latest version published in 1999. They offer
specific guidance to federally assisted health care organizations that provide referral, diagnosis,
and treatment services to patients with alcohol or drug problems. Not surprisingly, they set
stringent release of information standards, designed to protect the confidentiality of patients
seeking alcohol or drug treatment.

HIPAA
HIPAA is the first comprehensive federal regulation to offer specific protection to private health
information. Prior to the enactment of HIPAA there was no single federal regulation governing
the privacy and security of patient-specific information, only the limited legislative protections
previously discussed. These laws were not comprehensive and protected only specific groups
of individuals.

The Health Insurance Portability and Accountability Act of 1996 consists of two main parts:

  • Title I addresses health care access, portability, and renewability, offering protection for
    individuals who change jobs or health insurance policies. (Although Title I is an important piece
    of legislation, it does not address health care information specifically and will therefore not be
    addressed in this chapter.)
  • Title II includes a section titled “Administrative Simplification.”
The requirements establishing privacy and security regulations for protecting individually
identifiable health information are found in Title II of HIPAA. The HIPAA Privacy Rule was
required beginning April 2003 and the HIPAA Security Rule beginning April 2005. Both rules
were subsequently amended and the Breach Notification Rule was added as a part of the
HITECH Act in 2009.

The information protected under the HIPAA Privacy Rule is specifically defined as PHI, which is
information that

  • Relates to a person’s physical or mental health, the provision of health care, or the payment for
    health care
  • Identifies the person who is the subject of the information
  • Is created or received by a covered entity
  • Is transmitted or maintained in any form (paper, electronic, or oral)
Unlike the Privacy Rule, the Security Rule addresses only PHI transmitted or maintained in
electronic form. Within the Security Rule this information is identified as ePHI.

The HIPAA rules also define covered entities (CEs), those organizations to which the rules
apply:

  • Health plans, which pay or provide for the cost of medical care
  • Health care clearinghouses, which process health information (for example, billing services)
  • Health care providers who conduct certain financial and administrative transactions
    electronically (These transactions are defined broadly so that the reality of HIPAA is that it
    governs nearly all health care providers who receive any type of third-party reimbursement.)

If any CE shares information with others, it must establish contracts to protect the shared
information. The HITECH Act amended HIPAA and added “Business Associates” as a category
of CE. It further clarified that certain entities, such as health information exchange organizations,
regional health information organizations, e-prescribing gateways, or a vendor that contracts
with a CE to allow the CE to offer a personal health record as a part of its EHR, are business
associates if they require access to PHI on a routine basis (Coppersmith, Gordon, Schermer, &
Brokelman, PLC, 2012).
HIPAA Privacy Rule
Although the HIPAA Privacy Rule is a comprehensive set of federal standards, it permits the
enforcement of existing state laws that are more protective of individual privacy, and states are
also free to pass more stringent laws. Therefore, health care organizations must still be familiar
with their own state laws and regulations related to privacy and confidentiality.

The major components to the HIPAA Privacy Rule in its original form include the following:

  • Boundaries. PHI may be disclosed for health purposes only, with very limited exceptions.
  • Security. PHI should not be distributed without patient authorization unless there is a clear basis
    for doing so, and the individuals who receive the information must safeguard it.
  • Consumer control. Individuals are entitled to access and control their health records and are to
    be informed of the purposes for which information is being disclosed and used.
  • Accountability. Entities that improperly handle PHI can be charged under criminal law and
    punished and are subject to civil recourse as well.
  • Public responsibility. Individual interests must not override national priorities in public health,
    medical research, preventing health care fraud, and law enforcement in general.
With HITECH, the Privacy Rule was expanded to include creation of new privacy requirements
for HIPAA-covered entities and business associates. In addition, the rights of individuals to
request and obtain their PHI are strengthened, as is the right of the individual to prevent a
healthcare organization from disclosing PHI to a health plan, if the individual paid in full out of
pocket for the related services. There were also some new provisions for accounting of
disclosures made through an EHR for treatment, payment, and operations (Coppersmith et al.,
2012).

The HIPAA Privacy Rule attempts to sort out the routine and nonroutine use of health
information by distinguishing between patient consent to use PHI and patient authorization to
release PHI. Health care providers and others must obtain a patient’s written consent prior to
disclosure of health information for routine uses of treatment, payment, and health care
operations. This consent is fairly general in nature and is obtained prior to patient treatment.
There are some exceptions to this in emergency situations, and the patient has a right to
request restrictions on the disclosure. However, health care providers can deny treatment if they
feel that limiting the disclosure would be detrimental. Health care providers and others must
obtain the patient’s specific written authorization for all nonroutine uses or disclosures of PHI,
such as releasing health records to a school or a relative.

Exhibit 9.1 is a sample release of information form used by a hospital, showing the following
elements that should be present on a valid release form:

  • Patient identification (name and date of birth)
  • Name of the person or entity to whom the information is being released
  • Description of the specific health information authorized for disclosure
  • Statement of the reason for or purpose of the disclosure
  • Date, event, or condition on which the authorization will expire, unless it is revoked earlier
  • Statement that the authorization is subject to revocation by the patient or the patient’s legal
    representative
  • Patient’s or legal representative’s signature
  • Signature date, which must be after the date of the encounter that produced the information to be
    released
Health care organizations need clear policies and procedures for releasing PHI. A central point
of control should exist through which all nonroutine requests for information pass, and all
disclosures should be well documented.

In some instances, PHI can be released without the patient’s authorization. For example, some
state laws require disclosing certain health information. It is always good practice to obtain a
patient authorization prior to releasing information when feasible, but in state-mandated cases it
is not required. Some examples of situations in which information might need to be disclosed to
authorized recipients without the patient’s consent are the presence of a communicable disease,
such as AIDS and sexually transmitted diseases, which must be reported to the state or county
department of health; suspected child abuse or adult abuse that must be reported to designated
authorities; situations in which there is a legal duty to warn another person of a clear and
imminent danger from a patient; bona fide medical emergencies; and the existence of a valid
court order.

The HIPAA Security Rule
The HIPAA Security Rule is closely connected to the HIPAA Privacy Rule. The Security Rule
governs only ePHI, which is defined as protected health information maintained or transmitted in
electronic form. It is important to note that the Security Rule does not distinguish between
electronic forms of information or between transmission mechanisms. ePHI may be stored in
any type of electronic media, such as magnetic tapes and disks, optical disks, servers, and
personal computers. Transmission may take place over the Internet or on local area networks
(LANs), for example.

The standards in the final rule are defined in general terms, focusing on what should be done
rather than on how it should be done. According to the Centers for Medicare and Medicaid
Services (CMS, 2004), the final rule specifies “a series of administrative, technical, and physical
security procedures for covered entities to use to assure the confidentiality of electronic
protected health information (ePHI). The standards are delineated into either required or
addressable implementation specifications.” A required specification must be implemented by a
CE for that organization to be in compliance. However, the CE is in compliance with an
addressable specification if it does any one of the following:

  • Implements the specification as stated
  • Implements an alternative security measure to accomplish the purposes of the standard or
    specification
  • Chooses not to implement anything, provided it can demonstrate that the standard or
    specification is not reasonable and appropriate and that the purpose of the standard can still be
    met; because the Security Rule is designed to be technology neutral, this flexibility was granted
    for organizations that employ nonstandard technologies or have legitimate reasons not to need
    the stated specification (AHIMA, 2003)
The standards contained in the HIPAA Security Rule are divided into sections, or categories, the
specifics of which we outline here. You will notice overlap among the sections. For example,
contingency plans are covered under both administrative and physical safeguards, and access
controls are addressed in several standards and specifications.

The HIPAA Security Rule
The HIPAA Security Administrative Safeguards section of the Final Rule contains nine
standards:

1. Security management functions. This standard requires the CE to implement policies and
   procedures to prevent, detect, contain, and correct security violations. There are four
   implementation specifications for this standard:
   • Risk analysis (required). The CE must conduct an accurate and thorough assessment of the
     potential risks to and vulnerabilities of the confidentiality, integrity, and availability of ePHI.
   • Risk management (required). The CE must implement security measures that reduce risks and
     vulnerabilities to a reasonable and appropriate level.
   • Sanction policy (required). The CE must apply appropriate sanctions against workforce
     members who fail to comply with the CE’s security policies and procedures.
   • Information system activity review (required). The CE must implement procedures to regularly
     review records of information system activity, such as audit logs, access reports, and security
     incident tracking reports.
2. Assigned security responsibility. This standard does not have any implementation
   specifications. It requires the CE to identify the individual responsible for overseeing
   development of the organization’s security policies and procedures.
3. Workforce security. This standard requires the CE to implement policies and procedures to
   ensure that all members of its workforce have appropriate access to ePHI and to prevent those
   workforce members who do not have access from obtaining access. There are three
   implementation specifications for this standard:
   • Authorization and/or supervision (addressable). The CE must have a process for ensuring that
     the workforce working with ePHI has adequate authorization and supervision.
   • Workforce clearance procedure (addressable). There must be a process to determine what
     access is appropriate for each workforce member.
   • Termination procedures (addressable). There must be a process for terminating access to ePHI
     when a workforce member is no longer employed or his or her responsibilities change.
4. Information access management. This standard requires the CE to implement policies and
   procedures for authorizing access to ePHI. There are three implementation specifications within
   this standard. The first (not shown here) applies to health care clearinghouses, and the other two
   apply to healthcare organizations:
   • Access authorization (addressable). The CE must have a process for granting access to ePHI
     through a workstation, transaction, program, or other process.
   • Access establishment and modification (addressable). The CE must have a process (based on
     the access authorization) to establish, document, review, and modify a user’s right to access a
     workstation, transaction, program, or process.
5. Security awareness and training. This standard requires the CE to implement awareness and
   training programs for all members of its workforce. This training should include periodic security
   reminders and address protection from malicious software, log-in monitoring, and password
   management. (These items to be addressed in training are all listed as addressable
   implementation specifications.)
6. Security incident reporting. This standard requires the CE to implement policies and procedures
   to address security incidents.
7. Contingency plan. This standard has five implementation specifications:
   • Data backup plan (required)
   • Disaster recovery plan (required)
   • Emergency mode operation plan (required)
   • Testing and revision procedures (addressable); the CE should periodically test and modify all
     contingency plans
   • Applications and data criticality analysis (addressable); the CE should assess the relative
     criticality of specific applications and data in support of its contingency plan
8. Evaluation. This standard requires the CE to periodically perform technical and nontechnical
   evaluations in response to changes that may affect the security of ePHI.
9. Business associate contracts and other arrangements. This standard outlines the conditions
   under which a CE must have a formal agreement with business associates in order to
   exchange ePHI.
The HIPAA Security Physical Safeguards section contains four standards:

1. Facility access controls. This standard requires the CE to implement policies and procedures to
   limit physical access to its electronic information systems and the facilities in which they are
   housed to authorized users. There are four implementation specifications with this standard:
   • Contingency operations (addressable). The CE should have a process for allowing facility
     access to support the restoration of lost data under the disaster recovery plan and emergency
     mode operation plan.
   • Facility security plan (addressable). The CE must have a process to safeguard the facility and
     its equipment from unauthorized access, tampering, and theft.
   • Access control and validation (addressable). The CE should have a process to control and
     validate access to facilities based on users’ roles or functions.
   • Maintenance records (addressable). The CE should have a process to document repairs and
     modifications to the physical components of a facility as they relate to security.
2. Workstation use. This standard requires the CE to implement policies and procedures that
   specify the proper functions to be performed and the manner in which those functions are to be
   performed on a specific workstation or class of workstation that can be used to access ePHI
   and that also specify the physical attributes of the surroundings of such workstations.
3. Workstation security. This standard requires the CE to implement physical safeguards for all
   workstations that are used to access ePHI and to restrict access to authorized users.
4. Device and media controls. This standard requires the CE to implement policies and procedures
   for the movement of hardware and electronic media that contain ePHI into and out of a facility
   and within a facility. There are four implementation specifications with this standard:
   • Disposal (required). The CE must have a process for the final disposition of ePHI and of the
     hardware and electronic media on which it is stored.
   • Media reuse (required). The CE must have a process for removal of ePHI from electronic media
     before the media can be reused.
   • Accountability (addressable). The CE must maintain a record of movements of hardware and
     electronic media and any person responsible for these items.
   • Data backup and storage (addressable). The CE must create a retrievable, exact copy of ePHI,
     when needed, before movement of equipment.
The HIPAA Security Technical Safeguards section has five standards:

1. Access control. This standard requires the CE to implement technical policies and procedures
   for electronic information systems that maintain ePHI in order to allow access only to those
   persons or software programs that have been granted access rights as specified in the
   administrative safeguards. There are four implementation specifications within this standard:
   • Unique user identification (required). The CE must assign a unique name or number for
     identifying and tracking each user’s identity.
   • Emergency access procedure (required). The CE must establish procedures for obtaining
     necessary ePHI in an emergency.
   • Automatic log-off (addressable). The CE must implement electronic processes that terminate an
     electronic session after a predetermined time of inactivity.
   • Encryption and decryption (addressable). The CE should implement a mechanism to encrypt
     and decrypt ePHI as needed.
2. Audit controls. This standard requires the CE to implement hardware, software, and procedures
   that record and examine activity in the information systems that contain ePHI.
3. Integrity. This standard requires the CE to implement policies and procedures to protect ePHI
   from improper alteration or destruction.
4. Person or entity authentication. This standard requires the CE to implement procedures to verify
   that a person or entity seeking access to ePHI is in fact the person or entity claimed.
5. Transmission security. This standard requires the CE to implement technical measures to guard
   against unauthorized access to ePHI being transmitted across a network. There are two
   implementation specifications with this standard:
   • Integrity controls (addressable). The CE must implement security measures to ensure that
     electronically transmitted ePHI is not improperly modified without detection.
   • Encryption (addressable). The CE should encrypt ePHI whenever it is deemed appropriate.
The Policies, Procedures, and Documentation section has two standards:

1. Policies and procedures. This standard requires the CE to establish and implement policies and
   procedures to comply with the standards, implementation specifications, and other
   requirements.
2. Documentation. This standard requires the CE to maintain the policies and procedures
   implemented to comply with the Security Rule in written form. There are three implementation
   specifications:
   • Time limit (required). The CE must retain the documentation for six years from the date of its
     creation or the date when it was last in effect, whichever is later.
   • Availability (required). The CE must make the documentation available to those persons
     responsible for implementing the policies and procedures.
   • Updates (required). The CE must review the documentation periodically and update it as
     needed.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires CEs and their business associates to provide
notification following a breach of unsecured protected health information. “‘Unsecured’ PHI is
PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized
persons through the use of a technology or methodology specified by the Secretary in guidance”
(US Department of Health and Human Services, n.d.c). To meet the requirement of “secured”
PHI, it must have been encrypted using a valid encryption process, or the media on which the
PHI is stored have been destroyed. Paper or other hard copy media, such as film, must be
shredded or otherwise destroyed so that it cannot be read or reconstructed. Electronic media
must be “sanitized” according to accepted standards so that PHI cannot be retrieved (US
Department of Health and Human Services, n.d.c).

The notification requirements include, depending on the circumstances, notification to these
sources:

  • Individuals affected
  • The Health and Human Services Secretary (via the Office for Civil Rights [OCR])
  • Major media outlets
All individuals affected by breaches of unsecured PHI must be notified within a reasonable
length of time—less than sixty days—after the breach is discovered. If the CE does not have
sufficient information to contact ten or more individuals directly, the notification must be made on
the home page of its website for at least ninety days or by a major media outlet. A CE that
experiences a breach involving five hundred or more individuals must, in addition to sending
individual notices, provide notice to a major media outlet serving the area. This notification must
also be made within sixty days. All breaches must also be reported to the secretary of HHS; the
breaches involving more than five hundred individuals must be reported within sixty days; all
others may be reported on an annual basis (US Department of Health and Human Services,
n.d.b).
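As an added example, not part of the chapter or the assignment, the following Python ties the device-level encryption gap in the case above (Security Rule device and media controls, encryption specifications) to the Breach Notification thresholds just described: secured versus unsecured PHI, and the ten-individual, sixty-day, ninety-day and five-hundred-individual figures. The inventory and asset tags are constructed, and using one 500-individual line for both the media and the HHS notice deadlines is an assumption.

```python
"""Added example (not from the chapter or the assignment): evaluate a device
inventory against the Security Rule's device-level encryption expectation and
work out the Breach Notification Rule obligations that would follow the loss
of each device.  Thresholds are the ones the chapter states; the inventory
is constructed sample data, not MD Anderson's actual devices or counts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    asset_id: str      # constructed asset tag
    kind: str          # "laptop", "usb", "workstation", ...
    holds_ephi: bool   # device stores ePHI
    encrypted: bool    # device-level (full-disk) encryption in place
    individuals: int   # number of people whose ePHI is on the device


# Constructed inventory: the mix of portable and fixed devices a risk analysis
# would enumerate.  Only the device kinds echo the case described above.
INVENTORY = [
    Device("LT-0001", "laptop", True, False, 30000),
    Device("USB-0007", "usb", True, False, 2200),
    Device("USB-0008", "usb", True, True, 450),
    Device("LT-0002", "laptop", False, False, 0),
    Device("WS-0100", "workstation", True, True, 12000),
]


def unencrypted_ephi_devices(inventory):
    """Risk-analysis finding: devices holding ePHI without device-level
    encryption.  Losing one of these exposes *unsecured* PHI, so the
    encryption safe harbour in the Breach Notification Rule does not apply."""
    return [d for d in inventory if d.holds_ephi and not d.encrypted]


def notification_obligations(device, unreachable=0):
    """Notifications triggered if `device` is lost or stolen.

    `unreachable` is how many affected individuals the CE lacks contact
    information for.  Rules as the chapter states them:
      - encrypted (secured) PHI: no breach notification is required
      - every affected individual: notice within 60 days of discovery
      - 10 or more unreachable individuals: substitute notice on the web
        site home page for 90 days or through a major media outlet
      - 500 or more individuals: notice to a major media outlet within 60 days
      - HHS Secretary (OCR): within 60 days for large breaches, otherwise in
        the annual report.  Assumption: the same 500-individual line is used
        for the media and HHS deadlines (the chapter words them differently).
    """
    if not device.holds_ephi or device.individuals == 0:
        return []
    if device.encrypted:
        return ["no notification required: PHI was secured by encryption"]
    obligations = ["individual notice within 60 days of discovery"]
    if unreachable >= 10:
        obligations.append(
            "substitute notice: web site home page for 90 days or major media")
    if device.individuals >= 500:
        obligations.append("major media outlet notice within 60 days")
        obligations.append("HHS Secretary (OCR) notice within 60 days")
    else:
        obligations.append("HHS Secretary (OCR) report in the annual log")
    return obligations


def risk_report(inventory):
    """Map each unencrypted ePHI device to the obligations its loss would
    trigger; this is the 'high risk' finding the case above turned on."""
    return {
        d.asset_id: notification_obligations(d)
        for d in unencrypted_ephi_devices(inventory)
    }


if __name__ == "__main__":
    for asset, duties in risk_report(INVENTORY).items():
        print(asset)
        for duty in duties:
            print("  -", duty)
```

Run as a script it lists only the unencrypted devices, which is the point: an encrypted USB drive with 450 records produces no obligation at all, while the unencrypted laptop triggers individual, media and HHS notices.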

HIPAA Enforcement and Violation Penalties
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is
responsible for enforcing HIPAA Privacy and Security rules. In addition, HITECH gave state
attorneys general the authority to bring civil actions on behalf of the residents of their states for
HIPAA violations. From April 2003 until May 2016, OCR had received over 134,000 HIPAA
complaints and had initiated 879 compliance reviews. The resolution of the complaints and
reviews is as follows (US Department of Health and Human Services, 2016):

  • Settled thirty-five cases, resulting in $36,639,200 in penalties
  • Resolved 24,241 cases by requiring a change in privacy practices and corrective actions by, or
    providing technical assistance to, CEs or business associates
  • Identified 11,018 cases as no violation and 79,865 cases as non-eligible
HIPAA criminal and civil penalties for noncompliance are applied using a tiered schedule that
ranges from $100 for a single violation, when the individual did not know he or she was not in
compliance, to $1,500,000 for multiple violations because of willful neglect. It is important to note
that civil penalties cannot be levied in situations when the violation is corrected within a specified
period of time.

The structure for HIPAA violations reflects four categories of violations and associated penalties.
Table 9.1 outlines the categories and penalties.
Table 9.1 HIPAA violation categories

Source: What are the penalties for HIPAA violations? (2015).

Violation Category / Category Fine*

Category 1: A violation that the CE was unaware of, and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA rules.
    Fine: Minimum of $100 per violation, up to $50,000

Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA rules).
    Fine: Minimum of $1,000 per violation, up to $50,000

Category 3: A violation suffered as a direct result of "willful neglect" of HIPAA rules, in cases in which an attempt has been made to correct the violation.
    Fine: Minimum of $10,000 per violation, up to $50,000

Category 4: A violation of HIPAA rules constituting willful neglect, where no attempt has been made to correct the violation.
    Fine: Minimum of $50,000 per violation

*The fines are issued per violation category, per year that the violation was allowed to persist. The maximum fine per violation category, per year, is $1,500,000.
In addition to these civil penalties, a HIPAA violation may result in criminal charges. The criminal
penalties are divided into the following three tiers (What are the penalties for HIPAA violations,
2015):

Tier 1: Reasonable cause or no knowledge of violation—Up to one year in jail
Tier 2: Obtaining PHI under false pretenses—Up to five years in jail
Tier 3: Obtaining PHI for personal gain or with malicious intent—Up to ten years in jail
As stated, most HIPAA violations are resolved with corrective action. In 2015 six financial
penalties were issued. However, a serious violation can cost a healthcare organization a
significant amount of money. One such case resulting in a substantial financial settlement is
outlined in the Perspective. The top ten largest fines levied for HIPAA violations as of August
2016 are listed in Table 9.2.

Table 9.2 Top ten largest fines levied for HIPAA violations as of August 2016

Source: Bazzoli (2016).

Organization / Individuals Affected / Fine Awarded ($ million) / Date Awarded

Advocate Health Care: Lacked appropriate safeguards, including an unencrypted laptop left in a vehicle overnight. Individuals affected: 4 million; fine: $5.55 million; date: August 2016

New York Presbyterian Hospital and Columbia University: PHI accessible on Google and other search engines. Individuals affected: 6,800; fine: $4.8 million; date: May 2014

Cignet Health: Did not allow patients access to medical records and refused to cooperate with OCR. Individuals affected: 41; fine: $4.3 million; date: February 2011

Feinstein Institute for Medical Research: Lacked appropriate safeguards, leading to theft. Individuals affected: unknown; fine: $3.9 million; date: March 2016

Triple-S Management Corp (Blue Cross/Blue Shield licensee in Puerto Rico): Did not deactivate user IDs and passwords, allowing previous employees to access PHI. Individuals affected: 398,000; fine: $3.5 million; date: November 2015

University of Mississippi Medical Center: Did not manage risks appropriately, although aware of risks and vulnerabilities. Individuals affected: 10,000; fine: $2.75 million; date: July 2016

Oregon Health & Science University: Lacked safeguards with regard to a stolen laptop and used cloud storage without a business associate agreement in place. Individuals affected: 7,000; fine: $2.7 million; date: July 2016

CVS Pharmacy: Improperly disposed of PHI such as prescription labels. Individuals affected: unknown; fine: $2.25 million; date: January 2009

New York Presbyterian Hospital: Allowed filming of two patients for a TV series, creating the potential for PHI to be compromised. (Note: Hospital continues to maintain it was not a violation.) Individuals affected: unknown; fine: $2.2 million; date: April 2016

Concentra Health Services: Failed to remediate an identified lack of encryption after an unencrypted laptop was stolen. Individuals affected: 870; fine: $1.73 million; date: April 2014
Perspective
$750,000 HIPAA Settlement Underscores the Need for Organization-Wide Risk Analysis
The University of Washington Medicine (UWM) has agreed to settle charges that it potentially
violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule
by failing to implement policies and procedures to prevent, detect, contain, and correct security
violations. UWM is an affiliated covered entity, which includes designated health care
components and other entities under the control of the University of Washington, including
University of Washington Medical Center, the primary teaching hospital of the University of
Washington School of Medicine. Affiliated covered entities must have in place appropriate
policies and processes to assure HIPAA compliance with respect to each of the entities that are
part of the affiliated group. The settlement includes a monetary payment of $750,000, a
corrective action plan, and annual reports on the organization’s compliance efforts.

The US Department of Health and Human Services Office for Civil Rights (OCR) initiated its
investigation of the UWM following receipt of a breach report on November 27, 2013, which
indicated that the electronic protected health information (e-PHI) of approximately 90,000
individuals was accessed after an employee downloaded an email attachment that contained
malicious malware. The malware compromised the organization’s IT system, affecting the data
of two different groups of patients: (1) approximately 76,000 patients involving a combination of
patient names, medical record numbers, dates of service, and/or charges or bill balances; and
(2) approximately 15,000 patients involving names, medical record numbers, other
demographics such as address and phone number, dates of birth, charges or bill balances,
Social Security numbers, insurance identification or Medicare numbers.

OCR’s investigation indicated UWM’s security policies required its affiliated entities to have
up-to-date, documented system-level risk assessments and to implement safeguards in
compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities
were properly conducting risk assessments and appropriately responding to the potential risks
and vulnerabilities in their respective environments.

Source: HHS.gov (2015). Used with permission.

Threats to Health Care Information
What are the threats to health care information systems? In general, threats to health care
information systems fall into one of these three categories:

Human tampering threats
Natural and environmental threats, such as floods and fire
Environmental factors and technology malfunctions, such as a drive that fails and has no
backup or a power outage
Threats to health care information systems from human beings can be intentional or
unintentional. They can be internal, caused by employees, or external, caused by individuals
outside the organization.

Intentional threats include knowingly disclosing patient information without authorization, theft,
intentional alteration of data, and intentional destruction of data. The culprit could be a computer
hacker, a disgruntled employee, or a prankster. Cybercrime directed at health information
systems has increased significantly in recent years. In the 2014–2015 two-year period, more
than 90 percent of health care organizations reported a health information security breach, and
of these reports, nearly half were because of criminal activity (Koch, 2016). Intentional
destruction or disruption of health care information is generally caused by some form of
malware, a general term for software that is written to “infect” and subsequently harm a host
computer system. The best-known form of malware is the computer virus, but there are others,
including the particularly virulent ransomware, attacks from which are on the rise in health care.

The following list includes common forms of malware with a brief description of each (Comodo,
2014):

Viruses are generally spread when software is shared among computers. It is a “contagious”
piece of software code that infects the host system and spreads itself.
Trojans (or Trojan Horses) are a type of virus specifically designed to look like a safe program.
They can be programmed to steal personal information or to take over the resources of the host
computer making it unavailable for its intended use.
Spyware tracks Internet activities assisting the hacker in gathering information without consent.
Spyware is generally hidden and can be difficult to detect.
Worms are software code that replicates itself and destroys files that are on the host computer,
including the operating system.
Ransomware is an advanced form of malware that hackers use to cripple the organization’s
computer systems through malicious code, generally launched via an e-mail that is opened
unwittingly by an employee, a method known as phishing. The malicious code then encrypts
and locks folders and operating systems. The hacker demands money, generally in the form of
bitcoins, a type of digital currency, to provide the decryption key to unlock the organization’s
systems (Conn, 2016).
Some of the causes of unintentional health information breaches are lack of training in proper
use of the health information system or human error. Users may unintentionally share patient
information without proper authorization. Other examples include users sharing passwords or
downloading information from nonsecure Internet sites, creating the potential for a breach in
security. Some of the more common forms of internal breaches of security across all industries
are the installation or use of unauthorized software, use of the organization’s computing
resources for illegal or illicit communications or activities (porn surfing, e-mail harassment, and
so forth), and the use of the organization’s computing resources for personal profit. Losing or
improperly disposing of electronic devices, including computers and portable electronic devices,
also constitute serious forms of unintentional health information exposure. In 2015, the OCR
portal, which lists breach incidents potentially affecting five hundred or more individuals, reported
more than seventy-five thousand individuals’ data were breached either because of loss or
improper disposal of a device containing PHI (OCR, n.d.).

Threats from natural causes, such as fire or flood, are less common than human threats, but
they must also be addressed in any comprehensive health care information security program.
Loss of information because of environmental factors and technical malfunctions must be
secured against by using appropriate safeguards.

The Health Care Organization’s Security Program
The realization of any of the threats discussed in the previous section can cause significant
damage to the organization. Resorting to manual operations if the computers are down for days,
for example, can lead to organizational chaos. Theft or loss of organizational data can lead to
litigation by the individuals harmed by the disclosure of the data and HIPAA violations. Malware
can corrupt databases, corruption from which there may be no recovery. The function of the
health care organization’s security program is to identify potential threats and implement
processes to remove these threats or mitigate their ability to cause damage. The primary
challenge of developing an effective security program in a health care organization is balancing
the need for security with the cost of security. An organization does not know how to calculate
the likelihood that a hacker will cause serious damage or a backhoe will cut through network
cables under the street. The organization may not fully understand the consequences of being
without its network for four hours or four days. Hence, it may not be sure how much to spend to
remove or reduce the risk.

Another challenge is maintaining a satisfactory balance between health care information system
security and health care data and information availability. As we saw in Chapter Two, the major
purpose of maintaining health information and health records is to facilitate high-quality care for
patients. On the one hand, if an organization’s security measures are so stringent that they
prevent appropriate access to the health information needed to care for patients, this important
purpose is undermined. On the other hand, if the organization allows unrestricted access to all
patient-identifiable information to all its employees, the patients’ rights to privacy and
confidentiality would certainly be violated and the organization’s IT assets would be at
considerable risk.

The ONC (2015) publication Guide to Privacy and Security of Electronic Health Information for
health care providers includes a chapter describing a seven-step approach for implementing a
security management process. The guidance is directed at physician practices or other small
health care organizations, and it does not include specific technical solutions. Specific solutions
for security protection will be driven by the organization’s overall plan and will be managed by
the organization’s IT team. Larger organizations must also develop comprehensive security
programs and will follow the same basic steps, but they will likely have more internal resources
for security than smaller practices.

Each step in the ONC security management process for health care providers is listed in the
following section.

Step 1: Lead Your Culture, Select Your Team, and Learn
This step includes six actions:

Designate a security officer, who will be responsible for developing and implementing the
security practices to meet HIPAA requirements and ensure the security of PHI.
Discuss HIPAA security requirements with your EHR developer to ensure that your system can
be implemented to meet the security requirements of HIPAA and Meaningful Use.
Consider using a qualified professional to assist with your security risk analysis. The security
risk analysis is the opportunity to discover as much as possible about risks and vulnerabilities to
health information within the organization.
Use tools to preview your security risk analysis. Examples of available tools are listed within
Step 3.
Refresh your knowledge base of the HIPAA rules.

Promote a culture of protecting patient privacy and securing patient information. Make sure to
communicate that all members of the organization are responsible for protecting patient
information.
Step 2: Document Your Process, Findings, and Actions
Documenting the processes for risk analysis and implementation of safeguards is very
important, not to mention a requirement of HIPAA. The following are some examples cited by
the ONC of records to retain:

Policies and procedures
Completed security checklists (ESET, n.d.)
Training materials presented to staff members and volunteers and any associated certificates of
completion
Updated business associate (BA) agreements
Security risk analysis report
EHR audit logs that show utilization of security features and efforts to monitor users’ actions
Risk management action plan or other documentation that shows appropriate safeguards are in
place throughout your organization, implementation timetables, and implementation notes
Security incident and breach information
Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)
Risk analysis assesses potential threats and vulnerabilities to the “confidentiality, integrity and
availability” (ONC, 2015, p. 41) of PHI. Several excellent government-sponsored guides and
toolsets available for conducting a comprehensive risk analysis are listed in Table 9.3 with a
corresponding web address.

Table 9.3 Resources for conducting a comprehensive risk analysis

OCR’s Guidance on Risk Analysis Requirements under the HIPAA Rule
http://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.
html
OCR Security Rule Frequently Asked Questions (FAQs)
http://www.hhs.gov/hipaa/for-professionals/faq
ONC SRA (Security Risk Assessment) Tool for small practices
https://www.healthit.gov/providers-professionals/security-risk-assessment
National Institute of Standards and Technology (NIST) HIPAA Security Rule Toolkit
https://scap.nist.gov/hipaa/
The three basic actions recommended for the organization’s first comprehensive security risk
analysis are as follows:

Identify where ePHI exists.
Identify potential threats and vulnerabilities to ePHI.
Identify risks and their associated levels.
Step 4: Develop an Action Plan
As discussed, the HIPAA Security Plan provides flexibility in how to achieve compliance, which
allows an organization to take into account its specific needs. The action plan should include five
components. Once in place, the plan should be reviewed regularly by the security team, led by
the security officer.

Administrative safeguards
Physical safeguards
Technical safeguards
Organizational standards
Policies and procedures
Table 9.4 lists common examples of vulnerabilities and mitigation strategies that could be
employed.

Table 9.4 Common examples of vulnerabilities and mitigation strategies

Source: ONC (2015).

Security Component / Examples of Vulnerabilities / Examples of Security Mitigation Strategies

Administrative safeguards
    Vulnerabilities: No security officer is designated. Workforce is not trained or is unaware of privacy and security issues.
    Mitigation strategies: Security officer is designated and publicized. Workforce training begins at hire and is conducted on a regular and frequent basis. Security risk analysis is performed periodically and when a change occurs in the practice or the technology.

Physical safeguards
    Vulnerabilities: Facility has insufficient locks and other barriers to patient data access. Computer equipment is easily accessible by the public. Portable devices are not tracked or not locked up when not in use.
    Mitigation strategies: Building alarm systems are installed. Offices are locked. Screens are shielded from secondary viewers.

Technical safeguards
    Vulnerabilities: Poor controls enable inappropriate access to the EHR. Audit logs are not used enough to monitor users and other EHR activities. No measures are in place to keep electronic patient data from improper changes. No contingency plan exists. Electronic exchanges of patient information are not encrypted or otherwise secured.
    Mitigation strategies: Secure user IDs, passwords, and appropriate role-based access are used. Routine audits of access and changes to the EHR are conducted. Anti-hacking and anti-malware software is installed. Contingency plans and data backup plans are in place. Data is encrypted.

Organizational standards
    Vulnerabilities: No breach notification and associated policies exist. BA agreements have not been updated in several years.
    Mitigation strategies: Regular reviews of agreements are conducted and updates made accordingly.

Policies and procedures
    Vulnerabilities: Generic written policies and procedures to ensure HIPAA security compliance were purchased but not followed. The manager performs ad hoc security measures.
    Mitigation strategies: Written policies and procedures are implemented and staff members are trained. Security team conducts a monthly review of user activities. Routine updates are made to document security measures.
Step 5: Manage and Mitigate Risks
The security plan will reduce risk only if it is followed by all employees in the organization. This
step has four actions associated with it.

Implement your plan.
Prevent breaches by educating and training your workforce.
Communicate with patients.
Update your BA contracts.
Step 6: Attest for Meaningful Use Security Related Objective
Organizations can attest to the EHR Incentive Program security-related objective after the
security risk analysis and correction of any identified deficiencies.

Step 7: Monitor, Audit, and Update Security on an Ongoing Basis
The security officer, IT administrator, and EHR developer should work together to ensure that
the organization’s monitoring and auditing functions are active and configured appropriately.
Auditing and monitoring are necessary to determine the adequacy and effectiveness of the
security plan and infrastructure, as well as the “who, what, when, where and how” (ONC, 2015,
p. 54) patients’ ePHI is accessed.

Beyond HIPAA: Cybersecurity for Today’s Wired Environment
Clearly, HIPAA is an important legislative act aimed at protecting health data and information.
However, in today’s increasingly wired environment, health care organizations face threats that
were not present when HIPAA was enacted. In June 2016, 41 percent of all data breaches were
because of cybercrime—hacking. In July of the same year a single hacker was responsible for
30 percent of the health care data breached (Sullivan, 2016). Experts argue that health care
organizations are easy targets for cybercriminals because they are inadequately prepared. The
average health care provider spends less than 6 percent of its total IT budget on security,
compared to the government, which spends 16 percent, and the banking industry, which spends
between 12 and 15 percent. By one estimate the increase in cybercrime against health care
organizations is because of, at least in part, PHI’s value on the black market, estimating that
PHI is fifty times more valuable than financial information (Koch, 2016; Siwicki, 2016).

The reality of today’s environment is that there are more entry points into health care information
networks and computers than ever before. Mobile devices, cloud use, the use of smart
consumer products, health care devices with Internet connectivity, along with more employees
connecting to health care networks from remote locations create an increased need for
cybersecurity in health care organizations. One recent survey found that among medical
students and physicians 93.7 percent owned smartphones and 82.9 percent had used them in a
clinical setting. Perhaps the most surprising aspect of the survey was that none of the respondents
believed using the devices increased the risk of breaching patient information (Buchholz, Perry,
Weiss, & Cooley, 2016).

So-called mHealth technologies, which include entities that support personal health records and
cloud-based or mobile applications that collect patient information directly from patients or allow
uploading of health-related data from wearable devices, are also on the rise, as is the use of
health-related social media sites. These technologies were not addressed in HIPAA and,
therefore, do not meet the criteria as a CE (DeSalvo & Samuels, 2016).

To provide assistance to healthcare organizations to combat cyber attacks and improve
cybersecurity, the ONC (n.d.) published the Top 10 Tips for Cybersecurity in Health Care. The
first tip reminds health care organizations to establish a security culture, the same initial tip in
their guidance for developing a security plan, clearly emphasizing the importance of this aspect
of any security program. The other tips in the publication contain some more specific ways to
mitigate the threat from cyber attacks. These tips are listed with specific checkpoints to ensure
security (ONC, n.d.). The full version of the top-ten document is available at HealthIT.gov.

Protect Mobile Devices
Ensure your mobile devices are equipped with strong authentication and access controls.
Ensure laptops have password protection.
Enable password protection on handheld devices (if available). Take extra physical control
precautions over the device if password protection is not provided.
Protect wireless transmissions from intrusion.
Do not transmit unencrypted PHI across public networks (e.g., Internet, Wi-Fi).
When it is absolutely necessary to commit PHI to a mobile device or remove a device from a
secure area, encrypt the data.
Do not use mobile devices that cannot support encryption.
Develop and enforce policies specifying the circumstances under which devices may be
removed from the facility.
Take extra care to prevent unauthorized viewing of the PHI displayed on a mobile device.
Maintain Good Computer Habits
Uninstall any software application that is not essential to running the practice (e.g., games,
instant message clients, photo-sharing tools).
Do not simply accept defaults or “standard” configurations when installing software.
Find out whether the EHR developer maintains an open connection to the installed software (a
“back door”) in order to provide updates and support.
Disable remote file sharing and remote printing within the operating system (e.g., Windows
Operating System).
Automate software updates to occur weekly (e.g., use Microsoft Windows Automatic Update).
Monitor for critical and urgent patches and updates that require immediate attention and act on
them as soon as possible.
Disable user accounts for former employees quickly and appropriately.
If an employee is to be involuntarily terminated, close access to the account before the notice of
termination is served.
Prior to disposal, sanitize computers and any other devices that have had data stored on them.
Archive old data files for storage if needed or clean them off the system if not needed, subject to
applicable data retention requirements.
Fully uninstall software that is no longer needed (including trial software and old versions of
current software).
Work with your IT team or other resources to perform malware, vulnerability, configuration, and
other security audits on a regular basis.
Use a Firewall
Unless your electronic health record (EHR) and other systems are totally disconnected from the
Internet, you must install a firewall to protect against intrusions and threats from outside
sources.
Larger health care organizations that use a local area network (LAN) should consider a
hardware firewall.
Install and Maintain Antivirus Software
Use an antivirus product that provides continuously updated protection against viruses,
malware, and other code that can attack your computers through web downloads, CDs, e-mail,
and flash drives.
Keep antivirus software up-to-date.
Most antivirus software automatically generates reminders about these updates, and many are
configurable to allow for automated updating.
Plan for the Unexpected
Create data backups regularly and reliably.
Begin backing up data from day one of a new system.
Ensure the data are being captured correctly.
Ensure the data can be quickly and accurately restored.
Use an automated backup system, if possible.
Consider storing the backup far away from the main system.
Protect backup media with the same type of access controls described in the next section.
Test backup media regularly for their ability to restore data properly, especially as the backups
age.
Have a sound recovery plan. Know the following:
What data was backed up (e.g., databases, pdfs, tiffs, docs)
When the backups were done (time frame and frequency)
Where the backups are stored
What types of equipment are needed to restore them
Keep the recovery plan securely at a remote location where someone has responsibility for
producing it in the event of an emergency.
Control Access to PHI
Configure your EHR system to grant PHI access only to people with a “need to know.”
This access control system might be part of an operating system (e.g., Windows), built into a
particular application (e.g., an e-prescribing module), or both.
Manually set file access permissions using an access control list.
This can only be done by someone with authorized rights to the system.
Prior to setting these permissions, identify which files should be accessible to which staff
members.
Configure role-based access control as needed.
In role-based access, a staff member’s role within the organization (e.g., physician, nurse,
billing specialist, etc.) determines what information may be accessed.
Assign staff members to the correct roles and then set the access permissions for each role
correctly on a need-to-know basis.
The following case on access control provides additional examples of access control.

Case Study
Access Control
Mary Smith is the director of the health information management department in a hospital. Under
a user-based access control scheme, Mary would be allowed read-only access to the hospital’s
laboratory information system because of her personal identity—that is, because she is Mary
Smith and uses the proper log-in and password(s) to get into the system. Under a role-based
control scheme, Mary would be allowed read-only access to the hospital’s lab system because
she is part of the health information management department and all department employees
have been granted read-only privileges for this system. If the hospital were to adopt a
context-based control scheme, Mary might be allowed access to the lab system only from her
own workstation or another workstation in the health information services department, provided
she used her proper log-in and password. If she attempted to log in from the emergency
department or another administrative office, she might be denied access. The context control
could also involve time of day. Because Mary is a daytime employee, she might be denied
access if she attempted to log in at night.
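The three schemes in the case study, as an added example that is not the textbook's code: each is a small policy-decision function applied to Mary Smith's login attempts. Workstation identifiers such as HIM-WS-07, the "HIM-" naming prefix and the 07:00 to 19:00 day shift are constructed assumptions; the decision record also captures the who, what, when and where that Step 7 says auditing must answer.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, Set, Tuple

# Added example (not the textbook's code). Names from the case study: Mary Smith,
# the health information management (HIM) department, the laboratory system.
# Workstation identifiers, the "HIM-" naming prefix and the 07:00-19:00 day shift
# are constructed assumptions for illustration.


@dataclass(frozen=True)
class Request:
    """One access attempt, carrying the who/what/when/where an audit log needs."""
    user: str
    role: str            # department or job role, e.g. "him"
    system: str          # target system, e.g. "lab"
    action: str          # "read" or "write"
    workstation: str     # constructed id, e.g. "HIM-WS-07"
    when: time           # local time of the attempt
    authenticated: bool = True   # proper log-in and password were supplied


def make_request(user, role, system, action, workstation, hour, minute=0,
                 authenticated=True) -> Request:
    """Convenience constructor so callers need not build datetime.time themselves."""
    return Request(user, role, system, action, workstation,
                   time(hour, minute), authenticated)


# Scheme 1: user-based. Permissions are keyed on personal identity.
USER_ACL: Dict[Tuple[str, str], Set[str]] = {
    ("mary.smith", "lab"): {"read"},
}

# Scheme 2: role-based. Every HIM employee gets read-only access to the lab system.
ROLE_ACL: Dict[Tuple[str, str], Set[str]] = {
    ("him", "lab"): {"read"},
}

# Scheme 3: context-based. Role permission plus where and when the login occurs.
CONTEXT_POLICY = {
    "him": {
        "workstation_prefix": "HIM-",          # HIM department workstations only
        "shift": (time(7, 0), time(19, 0)),    # daytime employees only
    },
}


def user_based(req: Request) -> bool:
    """Allow only if this specific person holds the permission."""
    if not req.authenticated:
        return False
    return req.action in USER_ACL.get((req.user, req.system), set())


def role_based(req: Request) -> bool:
    """Allow if the person's department/role holds the permission."""
    if not req.authenticated:
        return False
    return req.action in ROLE_ACL.get((req.role, req.system), set())


def context_based(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason is what the audit log should record."""
    if not role_based(req):
        return False, "no role permission"
    policy = CONTEXT_POLICY.get(req.role)
    if policy is None:
        return False, "no context policy for role"
    if not req.workstation.startswith(policy["workstation_prefix"]):
        # e.g. an attempt from the emergency department or another office
        return False, f"workstation {req.workstation} outside department"
    start, end = policy["shift"]
    if not (start <= req.when < end):
        return False, f"login at {req.when:%H:%M} outside shift"
    return True, "ok"


def decision_record(req: Request) -> Dict[str, object]:
    """Audit entry: who, what, when, where, and how each scheme decided."""
    ctx_allowed, ctx_reason = context_based(req)
    return {
        "who": req.user, "what": f"{req.action}:{req.system}",
        "when": req.when.strftime("%H:%M"), "where": req.workstation,
        "user_based": user_based(req), "role_based": role_based(req),
        "context_based": ctx_allowed, "context_reason": ctx_reason,
    }


if __name__ == "__main__":
    attempts = [  # constructed login attempts from the case study
        make_request("mary.smith", "him", "lab", "read", "HIM-WS-07", 10, 30),
        make_request("mary.smith", "him", "lab", "read", "ED-WS-02", 10, 30),
        make_request("mary.smith", "him", "lab", "read", "HIM-WS-07", 23, 0),
    ]
    for attempt in attempts:
        print(decision_record(attempt))
```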

Use Strong Passwords
Choose a password that is not easily guessed. Following are some examples of strong
password characteristics:
At least eight characters in length (the longer the better)
A combination of uppercase and lowercase letters, one number, and at least one special
character, such as a punctuation mark
Strong passwords should not include personal information:
Birth date
Names of self, family members, or pets
Social Security number
Anything that is on your social networking sites or could otherwise be discovered easily by
others
Use multifactor authentication for more security. Multifactor authentication combines multiple
authentication methods, such as a password plus a fingerprint scan; this results in stronger
security protections. If you e-prescribe controlled substances, you must use multifactor
authentication for your accounts.
Configure your systems so that passwords must be changed on a regular basis.
To discourage staff members from writing down their passwords, develop a password reset
process to provide quick assistance in case of forgotten passwords.

Limit Network Access
Prohibit staff members from installing software without prior approval.
When a wireless router is used, set it up to operate only in encrypted mode.
Prohibit casual network access by visitors.
Check to make sure file sharing, instant messaging, and other peer-to-peer applications have
not been installed without explicit review and approval.

Control Physical Access
Limit the chances that devices (e.g., laptops, handhelds, desktops, servers, thumb drives, CDs,
backup tapes) may be tampered with, lost, or stolen.
Document and enforce policies limiting physical access to devices and information:
Keep machines in locked rooms.
Manage keys to facilities.
Restrict removal of devices from a secure area.
National Institute of Standards and Technology (NIST) Cybersecurity Framework
Recognizing the severity of the rise in cybercrime, President Obama issued an executive order
in February 2013 to “enhance the security and resilience of the Nation’s critical infrastructure”
(Executive Order 13636). As a result the National Institute of Standards and Technology (NIST)
was directed to develop, with help of stakeholder organizations, a voluntary cybersecurity
framework to reduce cyber-attack risks. The resulting NIST cybersecurity framework consists
of three components (NIST, n.d.):

The Framework Core consists of “five concurrent and continuous Functions—Identify, Protect,
Detect, Respond, Recover.” The functions provide “the highest level, strategic view of an
organization’s management of cybersecurity risk” (NIST, n.d., p. 4). The functions are divided
into categories and subcategories as shown in Exhibit 9.2.
The Framework Implementation Tiers characterize an organization’s actual cybersecurity
practices compared to the framework, using a range of tiers from partial (Tier 1) to adaptive (Tier
4).
The Framework Profile documents outcomes obtained by reviewing all of the categories and
subcategories and comparing them to the organization’s business needs. Profiles can be
identified as “current,” documenting where the organization is now, or as “target,” where the
organization would like to be in the future.
Since its initial publication in 2014, HHS, OCR, and ONC have cited the framework as
an important tool for health care organizations to consider when developing a comprehensive
security program. In 2016, OCR published a crosswalk that maps the HIPAA Security Rule to
the NIST framework, which can be found at HHS.gov/hipaa (US Department of Health and
Human Services, n.d.a).
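The Framework Profile comparison described above (a "current" profile against a "target" profile, each expressed in the Tier 1 to Tier 4 range) can be carried out mechanically once categories and tiers are written down. The script below is an added example and is neither from the textbook nor from NIST. The Function names, tier names and the handful of category identifiers (ID.AM, PR.DS, DE.CM and so on) follow the NIST CSF 1.1 naming; the tier values in the two sample profiles are constructed, and the scoring rule (gap = target tier minus current tier, with categories ordered by largest gap) is an assumption of this example rather than part of the framework.

```python
"""Gap analysis between a current and a target NIST Cybersecurity Framework profile.

Added example (not from the textbook or NIST). Category identifiers follow CSF
1.1 naming; the sample tier values and the gap scoring rule are constructed
assumptions of this example.
"""
from collections import defaultdict

# Implementation Tier names as the framework uses them (Tier 1 Partial ... Tier 4 Adaptive).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# A subset of CSF 1.1 categories: identifier -> (Function, category name).
CATEGORIES = {
    "ID.AM": ("Identify", "Asset Management"),
    "ID.RA": ("Identify", "Risk Assessment"),
    "PR.AC": ("Protect", "Identity Management and Access Control"),
    "PR.DS": ("Protect", "Data Security"),
    "DE.CM": ("Detect", "Security Continuous Monitoring"),
    "RS.RP": ("Respond", "Response Planning"),
    "RC.RP": ("Recover", "Recovery Planning"),
}

# Constructed sample profiles: category identifier -> tier (1..4).
# The low PR.DS (data-at-rest protection) value mirrors the kind of finding a
# risk analysis might record when device-level encryption is not yet deployed.
CURRENT_PROFILE = {"ID.AM": 2, "ID.RA": 3, "PR.AC": 2, "PR.DS": 1,
                   "DE.CM": 1, "RS.RP": 2, "RC.RP": 2}
TARGET_PROFILE = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 3, "PR.DS": 4,
                  "DE.CM": 3, "RS.RP": 3, "RC.RP": 3}


def validate_profile(profile: dict[str, int]) -> None:
    """Raise ValueError if a profile uses unknown categories, bad tiers, or omits a category."""
    for cat, tier in profile.items():
        if cat not in CATEGORIES:
            raise ValueError(f"unknown category {cat!r}")
        if not isinstance(tier, int) or tier not in TIERS:
            raise ValueError(f"tier for {cat} must be an integer 1..4, got {tier!r}")
    missing = set(CATEGORIES) - set(profile)
    if missing:
        raise ValueError(f"profile is missing categories: {sorted(missing)}")


def is_valid_profile(profile: dict[str, int]) -> bool:
    """Boolean wrapper around validate_profile for callers that do not want exceptions."""
    try:
        validate_profile(profile)
        return True
    except ValueError:
        return False


def gap_analysis(current: dict[str, int], target: dict[str, int]) -> list[dict]:
    """List categories where the target tier exceeds the current tier, largest gap first.

    A target below the current tier is treated as no gap (assumption of this example).
    """
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for cat, (function, name) in CATEGORIES.items():
        gap = max(0, target[cat] - current[cat])
        if gap > 0:
            gaps.append({"category": cat, "function": function, "name": name,
                         "current": current[cat], "target": target[cat], "gap": gap})
    gaps.sort(key=lambda g: (-g["gap"], g["category"]))
    return gaps


def gaps_by_function(gaps: list[dict]) -> dict[str, int]:
    """Count how many categories under each Function still fall short of the target."""
    summary: dict[str, int] = defaultdict(int)
    for g in gaps:
        summary[g["function"]] += 1
    return dict(summary)


def format_report(gaps: list[dict]) -> str:
    """Render the gap list as one line per category, e.g. for a profile review meeting."""
    lines = []
    for g in gaps:
        lines.append(f"{g['category']} {g['name']} ({g['function']}): "
                     f"Tier {g['current']} {TIERS[g['current']]} -> "
                     f"Tier {g['target']} {TIERS[g['target']]} (gap {g['gap']})")
    return "\n".join(lines)


if __name__ == "__main__":
    result = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    print(format_report(result))
    print(gaps_by_function(result))
```

Ordering by gap size is only one prioritization rule; in practice the organization's business needs, which the Profile is supposed to reflect, decide which categories come first, and the script simply makes the current-versus-target comparison explicit and repeatable.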

Summary
In this chapter we gained insight into why health information privacy and security are key topics
for healthcare administrators. In today’s ever-increasing electronic world with new and more
virulent threats, the security of health information is an ongoing concern. In this chapter we
examined and defined the concepts of privacy, confidentiality, and security and explored major
legislative efforts, historical and current, to protect health care information, with a focus on the
HIPAA Privacy, Security, and Breach Notification rules. Different types of threats, human,
natural and environmental, intentional and unintentional, were identified, with a focus on the
increase in cybercrime. Basic requirements for a strong health care organization security
program were outlined and the chapter ended with a discussion of the cybersecurity challenges
within the current healthcare environment.

References
American Health Information Management Association (AHIMA). (2003). Final Rule for HIPAA
security standards. Chicago, IL: Author.
Bazzoli, F. (2016, Aug. 9). 12 largest fines levied for HIPAA violations. Health Data
Management. Retrieved August 9, 2016, from
http://www.healthdatamanagement.com/list/12-largest-fines-levied-for-hipaa-violations
Buchholz, A., Perry, B., Weiss, L. B., & Cooley, D. (2016). Smartphone use and perceptions
among medical students and practicing physicians. Journal of Mobile Technology in Medicine,
5(1), 27–32. doi:10.7309/jmtm.5.1.5
Centers for Medicare and Medicaid Services (CMS). (2004). HIPAA administrative
simplification: Security—Final Rule. Retrieved November 2004 from
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security
Comodo. (2014, Aug. 4). Malware versus viruses: What’s the difference? Retrieved August 10,
2016, from
Malware vs Viruses: What Is the Difference Between Malware and a Virus?
Conn, J. (2016, Feb. 18). Hospital pays hackers $17,000 to unlock EHRs frozen in
“ransomware” attack. Retrieved November 11, 2016, from
http://www.modernhealthcare.com/article/20160217/NEWS/160219920
Coppersmith, Gordon, Schermer, & Brockelman, PLC. (2012). HITECH Act expands HIPAA
privacy and security rules. Retrieved March 2012 from
http://www.azhha.org/member_and_media_resources/documents/HITECHAct.pdf
DeSalvo, K. B., & Samuels, J. (2016, July 19). Examining oversight of the privacy & security of
health data collected by entities not regulated by HIPAA. Health IT Buzz. Retrieved August 10,
2016, from
https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/examining-oversight-privacy-se
curity-health-data-collected-entities-not-regulated-hipaa/
Goedert, J. (2016, Aug. 8). Hack of Banner systems highlights the need for more firewalls.
Retrieved August 10, 2016, from
http://www.healthdatamanagement.com/news/hack-of-banner-systems-highlights-the-need-for-
more-firewalls?utm_medium=email
HHS.gov. (2015). $750,000 HIPAA settlement underscores the need for organization-wide risk
analysis. Retrieved from
http://www.hhs.gov/about/news/2015/12/14/750000-hipaa-settlement-underscores-need-for-orga
nization-wide-risk-analysis.html
ESET. (n.d.). HIPAA security checklist [Brochure]. Retrieved August 8, 2016, from
https://www.healthit.gov/sites/default/files/comments_upload/hipaa-security-checklist.pdf
Koch, D. D. (2016, Spring). Is HIPAA Security Rule enough to protect electronic personal health
information (PHI) in the cyber age? Journal of Health Care Finance. Retrieved August 8, 2016,
from http://www.healthfinancejournal.com/index.php/johcf/article/view/67
National Institute of Standards and Technology (NIST). (2016). Framework for improving critical
infrastructure cybersecurity. Retrieved from
http://www.nist.gov/cyberframework/upload/CSF-for-law-policy-symposium.pdf
National Institute of Standards and Technology (NIST). (n.d.). Cybersecurity framework.
Retrieved August 10, 2016, from http://www.nist.gov/cyberframework/
ONC. (2015). Guide to privacy and security of electronic health information. Retrieved from
https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
ONC. (n.d.). Top 10 tips for cybersecurity in health care [Brochure]. Retrieved August 8, 2016,
from https://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf
Siwicki, B. (2016, May 17). Cybersecurity special report: Ransomware will get worse, hackers
targeting whales, medical devices and IoT trigger new vulnerabilities. Healthcare IT News.
Retrieved August 10, 2016, from http://www.healthcareitnews.com/node/525131
Sullivan, T. (2016, Aug. 9). “DarkOverLord” ransomware accounts for nearly 30 percent of
health data breaches in July. Healthcare IT News. Retrieved August 10, 2016, from
http://www.healthcareitnews.com/news/darkoverlord-ransomware-accounts-nearly-30-percent-
health-data-breaches-july
Office for Civil Rights (OCR). (n.d.). HHS Breach Portal. Retrieved August 8, 2016, from
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
US Department of Health and Human Services. (2016, Sept. 30). Enforcement highlights.
Retrieved August 8, 2016, from
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlight
s/index.html
US Department of Health and Human Services. (n.d.a). Addressing gaps in cybersecurity: OCR
releases crosswalk between HIPAA Security Rule and NIST cybersecurity framework.
Retrieved August 10, 2016, from
http://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/
US Department of Health and Human Services. (n.d.b). Breach Notification Rule. Retrieved
August 8, 2016, from http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
US Department of Health and Human Services. (n.d.c). Guidance to render unsecured
protected health information unusable, unreadable, or indecipherable to unauthorized individuals.
Retrieved August 8, 2016, from
http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
What are the penalties for HIPAA violations? (2015, June 14). HIPAA Journal. Retrieved from
http://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/

Chapter 10
Performance Standards and Measures

This chapter examines public and private organizations and processes that establish standards
for ensuring that health records are maintained accurately and completely and that they contain
the data and information needed to define and report a wide range of measures to determine the
quality and efficiency of health care. These activities are very important and have a significant
influence on providers and HIT capabilities, significant enough for us to devote an entire chapter
to them.

Health care organizations and health plans use data and information to measure performance
against internal and external standards; to compare performance to other like organizations; to
demonstrate performance to licensing, certifying, and accrediting bodies; and to demonstrate
performance for reimbursement purposes. This chapter begins with an examination of the
licensure, certification, and accreditation of health care facilities and health plans, followed by an
overview of key comparative data sets often used by health care organizations in benchmarking
performance. The chapter concludes with a description of the national initiatives using
performance measures to improve the quality and safety of health care, including those affecting
provider reimbursement.

In the section titled “Licensure, Certification, and Accreditation,” we define these processes, list
the accrediting organizations recognized by CMS, and examine the missions and general
functions of the Joint Commission and the National Committee for Quality Assurance (NCQA).
These discussions focus on how the licensure, certification, and accreditation processes not
only use health information to measure performance but also how they influence the health care
information that is collected.

“Measuring the Quality of Care” begins with a historical perspective of major milestones in the
national agenda for health care quality improvement, followed by a discussion of the current
efforts to improve health care quality and patient safety, focusing on the efforts that involve using
health care data and information to measure performance. Quality measures are created and
validated by a range of organizations, private and public. However, in recent years significant
progress has been made in aligning these measures across organizations. Another significant
movement related to quality measurement in the United States is implementation of value-based
reimbursement programs, which are based on established performance criteria. The
government plans for significant growth in these programs over the next decade.

Licensure, Certification, and Accreditation
Health care organizations, such as hospitals, nursing homes, home health agencies, and the
like, must be licensed to operate. If they wish to file Medicare or Medicaid claims, they must
also be certified, and if they wish to demonstrate quality performance, they will undergo an
accreditation process. What are these processes, and how are they related? If a health care
organization is licensed, certified, and accredited, how will this affect the health care information
that it creates, uses, and maintains? In this section we will examine each of these processes,
their impact on the health care organizations, and their relationships with one another.

Licensure
Licensure is the process that gives a facility legal approval to operate. As a rule, state
governments oversee the licensure of health care facilities, and each state sets its own
licensure laws and regulations. All facilities must have a license to operate, and it is generally
the state department of health or a similar agency that carries out the licensure function.
Licensure regulations tend to emphasize areas such as physical plant standards, fire safety,
space allocations, and sanitation. They may also contain minimum standards for equipment and
personnel. A few states tie licensure to professional standards and quality of care, but not all. In
their licensure regulations, states generally set minimum standards for the content, retention,
and authentication of patient medical records. Exhibit 10.1 is an excerpt from the South Carolina
licensure regulations for hospitals. This excerpt governs patient medical record content (with the
exception of newborn patient records, which are addressed in a separate section of the
regulations). Although each state has its own set of medical record content standards, these are
fairly typical in scope and content.

Exhibit 10.1 Medical Record Content: Excerpt from South Carolina Standards for Licensing
Hospitals and Institutional General Infirmaries
601.5 Contents:

A. Adequate and complete medical records shall be written for all patients admitted to the
hospital and newborns delivered in the hospital. All notes shall be legibly written or typed and
signed. Although use of initials in lieu of licensed nurses’ signatures is not encouraged, initials
will be accepted provided such initials can be readily identified within the medical record. A
minimum medical record shall include the following information:

Admission Record: An admission record must be prepared for each patient and must contain
the following information, when obtainable: Name; address, including county; occupation; age;
date of birth; sex; marital status; religion; county of birth; father’s name; mother’s maiden name;
husband’s or wife’s name; dates of military service; health insurance number; provisional
diagnosis; case number; days of care; social security number; the name of the person providing
information; name, address and telephone number of person or persons to be notified in the
event of emergency; name and address of referring physician; name, address and telephone
number of attending physician; date and hour of admission;
History and physical within 48 hours after admission;
Provisional or working diagnosis;
Pre-operative diagnosis;
Medical treatment;
Complete surgical record, if any, including technique of operation and findings, statement of
tissue and organs removed and post-operative diagnosis;
Report of anesthesia;
Nurses’ notes;
Progress notes;
Gross pathological findings and microscopic;
Temperature chart, including pulse and respiration;
Medication Administration Record or similar document for recording of medications, treatments
and other pertinent data. Nurses shall sign this record after each medication administered or
treatment rendered;
Final diagnosis and discharge summary;
Date and hour of discharge summary;
In case of death, cause and autopsy findings, if autopsy is performed;
Special examinations, if any, e.g., consultations, clinical laboratory, x-ray and other
examinations.
Source: South Carolina Department of Health and Environmental Control, Standards for
Licensing Hospitals and Institutional General Infirmaries, Regulation 61–16 § 601.5 (2010).
An initial license is required before a facility opens its doors, and this license to operate must
generally be renewed annually. Some states allow organizations with the Joint Commission or
other accreditation to forgo a formal licensure survey conducted by the state; others require the
state survey regardless of accreditation status. As we will see in the section on accreditation,
the accrediting bodies’ standards are more detailed and more stringent than the typical state
licensure regulations. Also, most accreditation standards are updated annually; most licensure
standards are not.

Certification
Certification gives a health care organization the authority to participate in the federal Medicare
and Medicaid programs. Legislation passed in 1972 mandated that hospitals had to be reviewed
and certified to receive reimbursement from Medicare and Medicaid programs (CMS, n.d.a). At
that time the Health Care Financing Administration, now the Centers for Medicare and Medicaid
Services (CMS), developed a set of minimum standards known as the conditions of
participation (CoPs). CMS contracts with state agencies to inspect facilities to make sure they
meet these minimum standards, organized by facility functions and services. See Exhibit 10.2
for the CoP standards section governing medical record content.

Exhibit 10.2 Medical Record Content: Excerpt from the Conditions of Participation for Hospitals
Sec. 482.24 Condition of participation: Medical record services.

(c) Standard: Content of record. The medical record must contain information to justify
admission and continued hospitalization, support the diagnosis, and describe the patient’s
progress and response to medications and services.
(1) All entries must be legible and complete, and must be authenticated and dated promptly
by the person (identified by name and discipline) who is responsible for ordering, providing, or
evaluating the service furnished.
(i) The author of each entry must be identified and must authenticate his or her entry.
(ii) Authentication may include signatures, written initials or computer entry.
(2) All records must document the following, as appropriate:
(i) Evidence of a physical examination, including a health history, performed no more than 7
days prior to admission or within 48 hours after admission.
(ii) Admitting diagnosis.
(iii) Results of all consultative evaluations of the patient and appropriate findings by clinical
and other staff involved in the care of the patient.
(iv) Documentation of complications, hospital acquired infections, and unfavorable reactions
to drugs and anesthesia.
(v) Properly executed informed consent forms for procedures and treatments specified by
the medical staff, or by Federal or State law if applicable, to require written patient consent.
(vi) All practitioners’ orders, nursing notes, reports of treatment, medication records,
radiology, and laboratory reports, and vital signs and other information necessary to monitor the
patient’s condition.
(vii) Discharge summary with outcome of hospitalization, disposition of case, and provisions
for follow-up care.
(viii) Final diagnosis with completion of medical records within 30 days following discharge.
Source: Conditions of Participation: Medical Record Services, 42 C.F.R. §§ 482.24c et seq.
(2007).

Accreditation
Accreditation is an external review process that an organization elects to undergo; it is voluntary
and has fees associated with it. The accrediting agency grants recognition to organizations that
meet its predetermined performance standards. The review process and standards are devised
and regulated by the accrediting agency. By far the best-known health care accrediting agency
in the United States is the Joint Commission, but there are others. The National Committee for
Quality Assurance (NCQA) is a leading accrediting agency for health plans.

Although accreditation is voluntary, there are financial and legal incentives for health care
organizations to seek accreditation. In order to eliminate duplicative processes, Section 1865 of
the Social Security Act “permits providers and suppliers ‘accredited’ by an approved national
accreditation organization (AO) to be exempt from routine surveys by State survey agencies to
determine compliance with Medicare conditions” (CMS, 2015). This is often referred to as
deemed status. Table 10.1 lists the 2015 approved AOs with corresponding program types and
websites.
Table 10.1 2015 approved CMS accrediting organizations

Accrediting Organization | Program Types | Website
Accreditation Association for Ambulatory Health Care (AAAHC) | ASC (ambulatory surgery center) | www.aaahc.org
Accreditation Commission for Health Care, Inc. (ACHC) | HHA (home health agency); Hospice | www.achc.org
American Association for Accreditation of Ambulatory Surgery Facilities (AAAASF) | ASC; OPT (outpatient physical therapy); RHC (rural health clinics) | www.aaaasf.org
American Osteopathic Association/Healthcare Facilities Accreditation Program (HFAP) | ASC; CAH (critical access hospital); Hospital | www.hfap.org
Center for Improvement in Healthcare Quality (CIHQ) | Hospital | www.cihq.org
Community Health Accreditation Program (CHAP) | HHA; Hospice | www.chapinc.org
DNV GL—Healthcare (DNV GL) | CAH; Hospital | www.dnvglhealthcare.com
The Compliance Team (TCT) | RHC | www.thecomplianceteam.org
The Joint Commission (TJC) | ASC; CAH; HHA; Hospice; Hospital; Psychiatric hospital | www.jointcommission.org
Similar to CMS, many states also recognize accreditation in lieu of their own licensure surveys.
Other benefits for an organization are that accreditation

May be required for reimbursement from payers (including CMS)
Validates the quality of care within the organization
May favorably influence liability insurance premiums
May enhance access to managed care contracts
Gives the organization a competitive edge over nonaccredited organizations
The Joint Commission
The Joint Commission’s stated mission is “to continuously improve health care for the public, in
collaboration with other stakeholders, by evaluating health care organizations and inspiring them
to excel in providing safe and effective care of the highest quality and value” (The Joint
Commission, n.d.). The Joint Commission on Accreditation of Hospitals (as the Joint
Commission was first called) was formed as an independent, not-for-profit organization in 1951,
as a joint effort of the American College of Surgeons, American College of Physicians,
American Medical Association, and American Hospital Association. The Joint Commission has
grown and evolved to set standards for and accredit nearly twenty-one thousand health care
organizations and programs in the United States. In addition to hospitals, the Joint Commission
has accreditation programs for health care organizations that offer ambulatory care, behavioral
health care, home care, long-term care, and office-based surgery. They also provide an
accreditation program for organizations that offer laboratory services (The Joint Commission,
2016, n.d.).

In order to maintain accreditation, a health care organization must undergo an on-site survey by
a Joint Commission survey team every three years. Laboratories must be surveyed every two
years. This survey is conducted to ensure that the organization continues to meet the
established standards. The standards themselves are the result of an ongoing, dynamic
process that incorporates the experience and perspectives of health care professionals and
others throughout the country. New standards manuals are published annually and health care
organizations are responsible for knowing and incorporating any changes as they occur.

Categories of accreditation (The Joint Commission, 2016) that an organization can achieve are
the following:

Preliminary accreditation: for organizations that demonstrate compliance with selected
standards under the Early Survey Policy, which allows organizations to undergo a survey prior
to having the ability to demonstrate full compliance. Organizations that receive preliminary
accreditation will be required to undergo a second on-site survey.
Accreditation: for organizations that demonstrate compliance with all standards.
Accreditation with follow-up survey: for organizations that are not in compliance with specific
standards and require a follow-up survey within thirty days to six months.
Contingent accreditation: for organizations that fail to address all requirements in an
accreditation with follow-up survey decision or for organizations that do not have the proper
license or other similar issue at the time of the initial survey. A follow-up survey is generally
required within thirty days.
Preliminary denial of accreditation: for organizations for which there is justification for denying
accreditation. This decision is subject to appeal.
Denial of accreditation: for organizations that fail to meet standards and that have exhausted all
appeals.
The Joint Commission’s focus on quality of care provided in health care facilities dates back to
the early 1900s, when the American College of Surgeons began surveying hospitals and
established a hospital standardization program. With the program came the question, how is
quality of care measured? One of the early concerns of the standardization program was the
lack of documentation in patient records. The early surveyors found that documentation was so
poor that they had no way to judge the quality of care provided. The Joint Commission’s
emphasis on health care information and the documentation of care has continued to the
present. Not only do the Joint Commission reporting requirements rely heavily on patient
information but also the current survey process uses “tracer methodology,” through which the
surveyors analyze the organization’s systems by tracing the care provided to individual patients.
Patient records provide the road maps for the tracer methodology. The absence of quality health
records would have a direct impact on the accreditation process. The following sections discuss
Joint Commission standards that directly influence the creation, maintenance, and use of health
care information. These sections further illustrate how the overall accreditation process relies on
the availability of high-quality health care information (The Joint Commission, 2016).

The Joint Commission Record of Care (RC), Treatment, and Services Standards
The Joint Commission Record of Care (RC), Treatment, and Services standards provide
information about the requirements for the content of a complete health record, regardless of its
format. The RC standards for an ambulatory care program dictate that the organization will do
the following:

Maintain complete and accurate clinical records.
Ensure clinical record entries are authenticated appropriately by authorized persons.
Ensure documentation in clinical records is timely.

Audit their clinical records.
Retain their clinical records according to relevant laws and regulations.
Ensure clinical records contain specific information that reflects the patient’s care, treatment, or
services.
Ensure clinical records accurately reflect operative and high-risk procedures and use of
sedation and anesthesia.
Ensure documentation of proper use of restraints and seclusion.
Ensure ambulatory care records contain a summary list.
Ensure qualified staff members receive and record verbal orders.
(The Joint Commission, 2014b)
Each RC standard has specific elements that must be addressed. For more information, refer to
the most recent edition of the appropriate Comprehensive Accreditation Manual. All Joint
Commission–accredited organizations have access to the complete manual.

The Joint Commission Information Management Standards
The Joint Commission Information Management (IM) standards reflect the Joint Commission’s
belief that quality information management influences quality care. In the overview of the IM
standards, the Joint Commission states, “Every episode of care generates health information
that must be managed systematically” (emphasis is the authors’). Information is a resource that
must be managed similar to any other resource within the organization. Whether the information
management systems employed by the organization are basic or sophisticated, the functions
should include features that allow for the following:

Categorizing, filing, and maintaining all data and information used by the organization
Accurately capturing health information generated by delivery of care, treatment, and services
Accessing information by those authorized users who need the information to provide safe,
quality care (The Joint Commission, 2014a)
The IM standards apply to noncomputerized systems and systems employing the latest
technologies. The first standard within the IM chapter focuses on information planning. The
organization’s plan for IM should consider the full spectrum of data generated and used by the
organization as well as the flow of information within and to and from external organizations.
Identifying and understanding the flow of information is critical to meeting the organization’s
needs for data collection and distribution while maintaining the appropriate level of security (The
Joint Commission, 2014a). The remaining IM standards address the requirements for health
care organizations:

Provide continuity of the information management process, including managing system
interruptions and maintaining backup systems.
Ensure the privacy, security, and integrity of health information.
Manage data collection, including use of standardized data sets and terminology and limiting the
use of abbreviations.
Manage health information retrieval, dissemination, and transmission.
Provide knowledge-based information resources twenty-four hours a day, seven days a week.
Ensure the accuracy of the health information. (The Joint Commission, 2011, 2014a)

National Committee for Quality Assurance
The National Committee for Quality Assurance (NCQA) is the leading accrediting body for
health plans, including health maintenance organizations (HMOs), Preferred Provider
Organizations (PPOs), and Point of Service (POS) plans in the United States. In addition, the
NCQA also accredits the following programs:

Disease management
Case management
Wellness and health promotion
Accountable care organizations
Managed behavioral health care organizations (NCQA, n.d.a)
The full list of NCQA accreditation requirements is published on its website at www.ncqa.org.
The 2015 Health Plan Accreditation Program requirements include specific criteria divided into
the following sections:

Quality management and improvement (QI)
Utilization management (UM)
Credentialing and recredentialing (CR)
Members’ rights and responsibilities (RR)
Member connections (MEM)
Medicaid benefits and services (MED)
Healthcare Effectiveness Data and Information Set (HEDIS) performance measures (see the
“Measuring the Quality of Care” section for more information about HEDIS) (NCQA, 2015).
Measuring the Quality of Care
Two landmark Institute of Medicine (IOM) reports, To Err Is Human: Building a Safer Health
System, published in 2000 (Kohn, Corrigan, & Donaldson), and Crossing the Quality Chasm: A
New Health System for the 21st Century, published in 2001, are often cited as marking the
beginning of the modern era of national health care quality and patient safety initiatives. The two
reports led to increased awareness of the severity of patient safety and quality issues and
helped frame the national landscape of improvement efforts. To Err Is Human estimated that as
many as ninety-eight thousand people died in hospitals each year as a result of preventable
medical errors. The report found that most errors could be traced to poor processes and
systems and recommended development and implementation of improved performance
standards, including those associated with licensure, certification, and accreditation. Crossing
the Quality Chasm specifically outlined six aims for establishing quality health care, stating that
health care in the United States should be (CMSS, 2014; Kohn, Corrigan, & Donaldson, 2000;
IOM, 2001):

Safe
Effective
Patient-centered
Timely
Efficient
Equitable
One of the challenges to meeting these aims was determining how to measure success in each
area. What are the standards and performance measures associated with these important
aims?

Types of Measures
Whether at the local organizational level or at a national level, quality improvement requires the
identification of standards that define quality care and measurement of performance to
determine whether or not the identified standards are met. Quality measures are used across
the full continuum of care, from individual physicians to health plans. As we will examine in this
chapter, there are literally hundreds of different health care quality measures in use today. These
existing quality measures can generally be categorized into four types: structure, process,
outcome, and patient experience. Table 10.2 summarizes the types of measures, descriptions,
and examples of each.

Table 10.2 Major types of quality measures

Type | Description | Example
Structure | Assesses the characteristics of a care setting, including facilities, personnel, and policies related to care delivery | Does an intensive care unit (ICU) have a critical care specialist on staff at all times?
Process | Determines if the services provided to patients are consistent with routine clinical care | Does a doctor ensure that his or her patients receive recommended cancer screenings?
Outcome | Evaluates patient health as a result of the care received | What is the survival rate for patients who experience a heart attack?
Patient experience | Provides feedback on patients’ experiences of care | Do patients report that their provider explains their treatment options in ways that are easy to understand?

Source: Morris (2014).

Data Sources for Measures
Whether quality measures are applied by an individual physician or by a federal agency, they
rely on valid and reliable data. A few of the common sources of health care data used in
performance measurement are listed in the following sections.

Administrative Data
Administrative data submitted to private and government payers have the advantage of being
easy to obtain. Private and public payers have very large claims databases.

Disease Registries
Public health agencies, including state and federal agencies collect data on patients with specific
conditions. These disease registries often go beyond administrative claims data.

Health Records
The EHR is recognized as a rich source of detailed patient information. However, the full
potential of the EHR as an easy-to-use source of reliable data has not been reached. More work
on standardization and tools for data extraction is needed. Data extraction from paper records is
labor intensive and, therefore, expensive to implement. As you have seen in previous chapters,
Meaningful Use criteria address the need for EHR data extraction and sharing.

Qualitative Data
Qualitative data from patient surveys or interviews are often used for patient experience
measures (Morris, 2014).

Measurement Development
Regardless of the data source, the resulting measures must not only be reliable and valid but
also feasible to collect (CMSS, 2015). There are dozens of public and private organizations that
develop health care–related performance measures. The following paragraphs identify a few of
the key players and their respective role in the development of recognized measures.

The NCQA is responsible for the HEDIS measures, one of the oldest and most widely used
sets of health care performance measures in the United States. More than 90 percent of health
plans in the United States collect and report HEDIS data. HEDIS data is not only used for
accreditation of health plans but also for the basis of health plan comparison and quality
improvement.

The Joint Commission also has a long history of developing and using performance measures
as a component of accreditation. In 1987, the Joint Commission revamped its accreditation
process with the goal of incorporating standardized performance measures. This initiative led to
the development of the ORYX program. The current ORYX program is closely aligned with CMS
quality initiatives, using many of the same measures. Hospitals seeking Joint Commission
Accreditation in 2016 were required to report on six of nine sets of chart (paper)-abstracted
clinical quality measures (CQMs) or six of eight electronic clinical quality measures (eCQMs)
(The Joint Commission, 2015b).

CQMs are identified and updated by CMS each year. Selected CQMs are used in the EHR
Incentive Programs for eligible professionals and other CMS quality initiatives (discussed later
in this chapter). The CMS does not develop all of the CQMs but rather relies on private
organizations, such as NCQA, the Joint Commission, the American Medical Association
Physician Consortium for Performance Improvement (AMA-PCPI), and a host of other health
care societies, collaboratives, and alliances, as well as government agencies, such as AHRQ,
Centers for Disease Control and Prevention (CDC), and Health Resources and Services
Administration (HRSA) for most of them. Table 10.3 is an excerpt from the CQMs for the 2014
EHR Incentive Programs. Note that each measure is defined by a unique identifier, National
Quality Forum (NQF) number, a measure description, numerator and denominator statements,
measure steward, and Physicians Quality Reporting System (PQRS) number. Note: The PQRS
role in quality improvement and performance measurement is discussed in more detail later
in this chapter.

Table 10.3 Excerpt of CQMs for 2014 EHR Incentive Programs

Source: CMS (n.d.f).

Each entry lists the CMS eMeasure ID, NQF number, measure title and NQS domain, measure description, numerator statement, denominator statement, measure steward, and PQRS number.

CMS69v5 (NQF No. 0421)
  Measure Title: Preventive Care and Screening: Body Mass Index (BMI) Screening and Follow-Up Plan
  NQS Domain: Population/Public Health
  Measure Description: Percentage of patients aged eighteen years and older with a BMI documented during the current encounter or during the previous six months AND, when the BMI is outside of normal parameters, a follow-up plan documented during the encounter or during the previous six months of the current encounter. Normal parameters (age eighteen years and older): BMI >= 18.5 and < 25 kg/m2.
  Numerator Statement: Patients with a documented BMI during the encounter or during the previous six months, AND when the BMI is outside of normal parameters, a follow-up plan is documented during the encounter or during the previous six months of the current encounter
  Denominator Statement: All patients eighteen and older on the date of the encounter with at least one eligible encounter during the measurement period
  Measure Steward: Centers for Medicare & Medicaid Services
  PQRS No.: 128 (GPRO PREV-9)

CMS132v5 (NQF No. 0564)
  Measure Title: Cataracts: Complications within Thirty Days Following Cataract Surgery Requiring Additional Surgical Procedures
  NQS Domain: Patient Safety
  Measure Description: Percentage of patients aged eighteen years and older with a diagnosis of uncomplicated cataract who had cataract surgery and had any of a specified list of surgical procedures in the thirty days following cataract surgery which would indicate the occurrence of any of the following major complications: retained nuclear fragments, endophthalmitis, dislocated or wrong power IOL, retinal detachment, or wound dehiscence
  Numerator Statement: Patients who had one or more specified operative procedures for any of the following major complications within thirty days following cataract surgery: retained nuclear fragments, endophthalmitis, dislocated or wrong power IOL, retinal detachment, or wound dehiscence
  Denominator Statement: All patients aged eighteen years and older who had cataract surgery and no significant ocular conditions impacting the surgical complication rate
  Measure Steward: PCPI(R) Foundation (PCPI[R])
  PQRS No.: 192

CMS133v5 (NQF No. 0565)
  Measure Title: Cataracts: 20/40 or Better Visual Acuity within Ninety Days Following Cataract Surgery
  NQS Domain: Clinical Process/Effectiveness
  Measure Description: Percentage of patients aged eighteen years and older with a diagnosis of uncomplicated cataract who had cataract surgery and no significant ocular conditions impacting the visual outcome of surgery and had best-corrected visual acuity of 20/40 or better (distance or near) achieved within ninety days following the cataract surgery
  Numerator Statement: Patients who had best-corrected visual acuity of 20/40 or better (distance or near) achieved within ninety days following cataract surgery
  Denominator Statement: All patients aged eighteen years and older who had cataract surgery
  Measure Steward: PCPI(R) Foundation (PCPI[R])
  PQRS No.: 191

CMS158v5 (NQF No. N/A)
  Measure Title: Pregnant Women That Had HBsAg Testing
  NQS Domain: Clinical Process/Effectiveness
  Measure Description: This measure identifies pregnant women who had an HBsAg (hepatitis B) test during their pregnancy
  Numerator Statement: Patients who were tested for hepatitis B surface antigen (HBsAg) during pregnancy within 280 days prior to delivery
  Denominator Statement: All female patients aged twelve and older who had a live birth or delivery during the measurement period
  Measure Steward: Optum
  PQRS No.: 369

CMS159v5 (NQF No. 0710)
  Measure Title: Depression Remission at Twelve Months
  NQS Domain: Clinical Process/Effectiveness
  Measure Description: Patients age eighteen and older with major depression or dysthymia and an initial Patient Health Questionnaire (PHQ-9) score greater than nine who demonstrate remission at twelve months (+/- 30 days after an index visit), defined as a PHQ-9 score less than five. This measure applies to both patients with newly diagnosed and existing depression whose current PHQ-9 score indicates a need for treatment.
  Numerator Statement: Patients who achieved remission at twelve months as demonstrated by a twelve-month (+/- 30 days grace period) PHQ-9 score of less than five
  Denominator Statement: Patients age eighteen and older with a diagnosis of major depression or dysthymia and an initial PHQ-9 score greater than nine during the index visit
  Measure Steward: MN Community Measurement

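The numerator and denominator statements in Table 10.3 are, in effect, computable specifications. The following Python, added here as an illustration and not CMS’s published eCQM specification, evaluates the CMS69v5 BMI screening measure over constructed encounter records; the record layout, the choice of the most recent in-window BMI, the calendar-month lookback, and all sample data are assumptions of this example.

```python
"""Evaluate the CMS69v5 BMI screening measure over constructed encounter records.

Illustrative example only. The real eCQM is published by CMS in its own formal
specification; the record layout, six-calendar-month lookback and sample data
below are assumptions of this example.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

BMI_NORMAL_LOW = 18.5   # kg/m2, inclusive (table: BMI >= 18.5)
BMI_NORMAL_HIGH = 25.0  # kg/m2, exclusive (table: BMI < 25)
LOOKBACK_MONTHS = 6     # "during the previous six months"


@dataclass
class Observation:
    observed: date
    value: float


@dataclass
class Encounter:
    patient_id: str
    birth_date: date
    encounter_date: date
    bmi_readings: List[Observation] = field(default_factory=list)
    followup_plan_dates: List[date] = field(default_factory=list)


def months_before(d: date, months: int) -> date:
    """Calendar-month subtraction, clamping the day to the target month's length."""
    y, m = divmod(d.month - 1 - months, 12)
    year, month = d.year + y, m + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def age_on(birth: date, on: date) -> int:
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1
    return years


def in_denominator(enc: Encounter) -> bool:
    """Denominator: patients eighteen and older on the date of the encounter."""
    return age_on(enc.birth_date, enc.encounter_date) >= 18


def bmi_is_normal(bmi: float) -> bool:
    return BMI_NORMAL_LOW <= bmi < BMI_NORMAL_HIGH


def in_numerator(enc: Encounter) -> bool:
    """Numerator: a BMI documented at the encounter or in the previous six months,
    and, if that BMI is outside normal parameters, a follow-up plan documented in
    the same window. Assumption: the most recent in-window BMI is the one judged."""
    window_start = months_before(enc.encounter_date, LOOKBACK_MONTHS)
    window_end = enc.encounter_date
    readings = [r for r in enc.bmi_readings if window_start <= r.observed <= window_end]
    if not readings:
        return False  # no documented BMI in the window: measure not met
    latest = max(readings, key=lambda r: r.observed)
    if bmi_is_normal(latest.value):
        return True
    return any(window_start <= d <= window_end for d in enc.followup_plan_dates)


def performance_rate(encounters: List[Encounter]) -> Optional[float]:
    """Percentage of denominator encounters meeting the numerator, rounded to
    one decimal; None when the denominator is empty (undefined, not zero)."""
    denom = [e for e in encounters if in_denominator(e)]
    if not denom:
        return None
    met = sum(1 for e in denom if in_numerator(e))
    return round(100.0 * met / len(denom), 1)


# Constructed sample records (not real patient data), one edge case each.
SAMPLE_ENCOUNTERS = [
    # Adult, normal BMI documented at the encounter: met
    Encounter("p1", date(1980, 5, 2), date(2016, 3, 10),
              bmi_readings=[Observation(date(2016, 3, 10), 22.4)]),
    # Adult, high BMI with a follow-up plan two months earlier: met
    Encounter("p2", date(1965, 11, 20), date(2016, 3, 12),
              bmi_readings=[Observation(date(2016, 1, 15), 31.0)],
              followup_plan_dates=[date(2016, 1, 15)]),
    # Adult, low BMI and no follow-up plan: not met
    Encounter("p3", date(1990, 1, 1), date(2016, 3, 15),
              bmi_readings=[Observation(date(2016, 3, 15), 17.2)]),
    # Adult whose only BMI is older than six months: not met
    Encounter("p4", date(1975, 7, 7), date(2016, 3, 20),
              bmi_readings=[Observation(date(2015, 8, 1), 23.0)]),
    # Sixteen-year-old: excluded from the denominator entirely
    Encounter("p5", date(1999, 3, 25), date(2016, 3, 20),
              bmi_readings=[Observation(date(2016, 3, 20), 14.0)]),
]

if __name__ == "__main__":
    print(f"CMS69v5 performance rate: {performance_rate(SAMPLE_ENCOUNTERS)}%")
```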
The NQF is a nonprofit, member organization whose mission is “to lead national collaboration to
improve health and healthcare quality through measurement” (NQF, n.d.). It was created in 1999
and includes board members from private and public sectors, including providers, purchasers,
and representatives from AHRQ, CDC, CMS, and HRSA. The NQF maintains a large,
searchable database of performance measures. Measures can be searched on the NQF
website (www.qualityforum.org) by any combination of the following dimensions:

Endorsement Status (e.g. Endorsed, Not Endorsed)
Measure Status (Time Limited, Reserved)
Measure Format (eMeasure, Measure)
Measure Steward (e.g., NCQA, CMS, The Joint Commission)
Use in Federal Program (e.g., Meaningful Use, Medicare Shared Savings Program)
Clinical Condition/Topic Area (e.g., Cancer, Infectious Disease)
Cross-Cutting Area (e.g., Overuse, Safety, Disparities)
Care Setting (e.g., Ambulatory Care, Home Health, Hospital)
National Quality Strategy Priorities (e.g., Affordable Care, Patient Safety)
Actual/Planned Use (e.g., Public Reporting, Payment Program)
Data Source (e.g., Administrative Data, Electronic Clinical Data, Healthcare Provider Survey)
Level of Analysis (e.g., Clinician, Facility, Health Plan)
Target Population (Children’s Health)

Comparative Health Care Data Sets
Comparative health care data sets and information are often aligned with organizations’ quality
improvement efforts. An organization might collect data on one or more of the specific
performance measures, such as those previously identified, and then use this information to
compare its performance to other similar organizations or state average results, for example.
The process of comparing one or more performance measures against a standard is called
benchmarking. Benchmarking may be limited to internally set standards; however, frequently it
employs one or more externally generated benchmark or standard.

Providers may select from many publicly and privately available health care data sets for
benchmarking purposes. Many of the organizations identified in the previous section not only
develop standards but also provide searchable websites that enable consumers and providers
to compare results of their measures across multiple organizations. Although each comparative
data set is unique, they can be loosely categorized by purpose: patient satisfaction, practice
patterns, or clinical data. The following paragraphs identify some of the more well-known and
frequently used comparative data sets and list their associated searchable website when
applicable.

Patient Satisfaction Data Sets
Patient satisfaction data generally come from survey data. Several private organizations, such
as NRC+Picker, Press Ganey, and the health care division of Gallup, provide extensive
consulting services to health care organizations across the country. One of these services is to
conduct patient satisfaction surveys. Some health care organizations undertake patient
satisfaction surveys on their own. The advantage of using a national organization is the
comparative database it offers, which organizations can use for benchmarking purposes.

Some of the most widely used groups of patient experience surveys in the public arena were
developed under the Agency for Healthcare Research and Quality (AHRQ) Consumer
Assessment of Healthcare Providers and Systems (CAHPS) program. CAHPS originated in
1995 to assess participants’ perspectives on their health plans. Since that time the program has
evolved to include the following surveys:

Health Plan
Clinician & Group
Hospital
Home Health Care
In-Center Hemodialysis
Nursing Home
Surgical Care
American Indian
Dental Plan
Experience of Care and Health Outcomes (for mental health and substance abuse services)

CAHPS surveys are available to any organization. Federal agencies, such as CMS, use the
CAHPS survey results, but the results are also used by health systems, physician practices,
hospitals, and other health care providers in their quality improvement efforts (AHRQ, 2016).
The Hospital CAHPS (HCAHPS) results are available to consumers as a part of CMS Hospital
Compare (discussed under “Clinical Data Sets”) and from the AHRQ website. Information about
the CAHPS comparative data and access to the database and chart books is located at
http://www.ahrq.gov/cahps/cahps-database/comparative-data/index.html (AHRQ, 2016).

Practice Patterns Data Set
The Dartmouth Atlas is a widely used, interactive, online tool that enables health care
organizations to compare data across a wide variety of parameters. The project is a privately
funded program through the Dartmouth Institute for Health Policy and Clinical Practice, which
primarily uses Medicare data to document variations in the use of medical resources across the
United States. To access the Dartmouth Atlas, go to http://www.dartmouthatlas.org (The
Dartmouth Institute, n.d.).

Clinical Data Sets
The Joint Commission and CMS are committed to the improvement of clinical outcomes, and
as a part of that commitment they provide consumers with comparative data that encompasses
clinical measures. The Joint Commission’s Quality Check has evolved since its introduction in
1994 to become a comprehensive guide to health care organizations in the United States.
Visitors to www.Qualitycheck.org can search for health care organizations by a variety of
parameters, identify accreditation status, and compare hospital performance measures in terms
of the Joint Commission’s (2015a) National Patient Safety Goals. The 2016 National Patient
Safety Goals for Hospitals describe sixteen specific goals, including these:

Identifying patients correctly
Improving staff member communication
Using medicines safely
Using alarms safely
Preventing infection
Identifying patient safety risks
Preventing mistakes in surgery (The Joint Commission, 2016)

Hospital Compare is the CMS-sponsored interactive, online comparative data set. Located at
www.medicare.gov/hospitalcompare, this data set contains information about the quality of care
at over four thousand Medicare-certified hospitals. The interactive tool enables consumers to
compare clinical and patient satisfaction data. The purpose of the tool is to promote informed
decision making by consumers of hospital care and to encourage hospitals to improve the
quality of care they provide (CMS, n.d.b). In addition to Hospital Compare, CMS sponsors public
reporting of other health care organizations, such as nursing homes, home health agencies, and
kidney dialysis facilities (CMS, n.d.d).

Comparative Data for Health Plans
In addition to data sets used by providers, the NCQA website enables consumers to have
access to comparative data for health plans through a variety of report cards. The majority of
the comparative data is derived from HEDIS and CAHPS. NCQA health care report cards are
found at http://reportcard.ncqa.org. NCQA also offers a subscription service for a more detailed
interactive tool, Quality Compass (NCQA, n.d.b, n.d.c).

Federal Quality Improvement Initiatives
As stated at the beginning of the chapter, the publication of the IOM reports addressing serious
quality concerns marked a new era of government initiatives to improve the quality of patient
care. Multiple new programs were established and new efforts to link Medicare and Medicaid
reimbursement to quality care were undertaken. In this section we will examine the Patient
Safety Act, the National Quality Strategy, and a selection of related government programs aimed
at improving the quality of health care through performance measurement including the related
aspects of the Medicare Access & CHIP Reauthorization Act of 2015 (MACRA).

The Patient Safety Act
The IOM To Err Is Human: Building a Safer Health System (Kohn, Corrigan, & Donaldson, 2000)
outlined serious concerns about and the need to improve the safety and quality of health care in
the United States. Despite the ongoing efforts by voluntary accrediting bodies to ensure
high-quality care, this report identified a critical need for reporting and analyzing individual facility
and aggregate data related to adverse events. To address the need to capture information to
improve health care quality and prevent harm to patients, the Patient Safety and Quality
Improvement Act of 2005 (Patient Safety Act) was passed by Congress “to promote shared
learning to enhance quality and safety nationally.” To implement the act, the Department of
Health and Human Services issued the Patient Safety Rule (effective January 2009), which
authorized the identification of Patient Safety Organizations (PSOs). As of August 2016, there
were eighty-two PSOs in twenty-eight states. PSOs are responsible for the collection and
analysis of health information that is referred to in the Final Rule as patient safety work product
(PSWP). The PSWP contains identifiable patient information that is covered by specific privilege
and confidentiality protections (AHRQ, n.d.a).
The types of patient safety events that are reported under these protections include the
following:

Incidents: patient safety events that reached the patient, whether or not there was harm involved
Near misses (or close calls): patient safety events that did not reach the patient
Unsafe conditions: circumstances that increase the probability of a patient safety event
occurring

To facilitate these activities, AHRQ has created Common Formats, which are “common
definitions and reporting formats to help providers uniformly report patient safety events”
(AHRQ, n.d.b).

National Quality Strategy
The requirement for a National Strategy for Quality Improvement in Health Care (National
Quality Strategy) was established by the Affordable Care Act and subsequently published in
2011. More than three hundred groups and individuals representing all aspects of the health care
industry and public provided input. It has subsequently been updated on an annual basis, but the
three broad aims and six priorities have remained consistent. The three broad aims used to
“guide and assess national efforts to improve health and the quality of health care” (AHRQ,
2011) are as follows:

Better care: Improve the overall quality by making health care more patient-centered, reliable,
accessible, and safe.
Healthy people/healthy communities: Improve the health of the US population by supporting
proven interventions to address behavioral, social, and environmental determinants of health in
addition to delivering higher-quality care.
Affordable care: Reduce the cost of quality health care for individuals, families, employers, and
government.

To achieve these aims, the National Quality Strategy identifies the following six priorities:

Making care safer by reducing harm caused in the delivery of care
Ensuring that each person and family are engaged as partners in their care
Promoting effective communication and coordination of care
Promoting the most effective prevention and treatment practices for the leading causes of
mortality, starting with cardiovascular disease
Working with communities to promote wide use of best practices to enable healthy living
Making quality care more affordable for individuals, families, employers, and governments by
developing and spreading new health care delivery models

The strategy goes further by recommending that all sectors of the health care system
(individuals, families, payers, providers, employers, and communities) employ one or more of
the following “levers” to “align” with the National Quality Strategy (NQS) (AHRQ, 2011):

Measurement and feedback: Provide performance feedback to plans and providers to improve
care.
Public reporting: Compare treatment results, costs, and patient experience for consumers.
Learning and technical assistance: Foster learning environments that offer training, resources,
tools, and guidance to help organizations achieve quality improvement goals.
Certification, accreditation, and regulation: Adopt or adhere to approaches to meet safety and
quality standards.
Consumer incentives and benefit designs: Help consumers adopt healthy behaviors and make
informed decisions.
Payment: Reward and incentivize providers to deliver high-quality, patient-centered care.
Health information technology: Improve communication, transparency, and efficiency for better
coordinated health and health care.
Innovation and diffusion: Foster innovation in health care quality improvement, and facilitate
rapid adoption within and across organizations and communities.
Workforce development: Invest in people to prepare the next generation of health care
professionals and support lifelong learning for providers.

CMS Quality Programs
The Centers for Medicare and Medicaid (CMS) released its specific Quality Strategy in 2016,
which is based on the NQS. Adhering to the same broad aims in the NQS, CMS developed a
strategy to improve health care delivery by the following means:

Using incentives to improve care
Tying payment to value through new payment models
Changing how care is given through:
  Better teamwork
  Better coordination across health care settings
  More attention to population health
Putting the power of health care information to work (CMS, 2016)

Since 2001, CMS has engaged in a variety of Quality Initiatives, including initiatives that result in
public reporting of performance measures as previously discussed. The Physician Quality
Reporting System (PQRS) encourages individual “eligible professionals” (EPs) (e.g.,
physicians) and group practices to assess and report the quality of care provided to their
patients. EPs and group practices that do not report on quality measures as outlined for
Medicare Part B covered services risk a negative payment adjustment. There are several
mechanisms for reporting PQRS data, including EHRs (CMS, n.d.g).

Using PQRS reporting to determine reimbursement for Medicare Part B is one of many
mechanisms through which CMS incentivizes improved quality of care. CMS has multiple
value-based or pay-for-performance programs aimed at tying reimbursements to demonstration
of quality. CMS’s original value-based programs were an attempt to link performance on
endorsed quality measures to reimbursement. These programs included the following:

Hospital Value-Based Purchasing (HVBP) program rewards acute care hospitals for quality care
using incentives.
Hospital Readmissions Reduction (HRR) program rewards acute care hospitals that reduce
unnecessary hospital readmissions for certain conditions, such as acute myocardial infarction,
heart failure, pneumonia, chronic obstructive pulmonary disease, elective hip or knee
replacement, and coronary artery bypass surgery.
Hospital-Acquired Conditions (HAC) program determines whether or not an acute care hospital
should be paid a reduced amount based on performance across health care–acquired infections and
unacceptable adverse events.
Value Modifier (VM) program (also known as Physician Value-Based Modifier or PVBM)
rewards physicians (and, beginning in 2018, other primary care professionals, for example,
physician assistants and nurse practitioners) for high-quality, lower-cost performance using an
adjustment (modifier) for each claim.
Three other value-based programs are applied to end-stage renal disease programs, skilled
nursing facilities, and home health programs.

Beyond these traditional value-based programs, CMS encourages innovative, alternative
models of care through the CMS Innovation Center. These models are designed to promote
lower-cost, higher-quality care. All depend on appropriate reporting of performance measures
(CMS, n.d.h).

The Medicare Access and CHIP Reauthorization Act (MACRA)
The Medicare Access and CHIP Reauthorization Act (MACRA) was enacted in 2015. MACRA
is one aspect of CMS’s push toward improving quality and value. In January 2015, the
Department of Health and Human Services announced two goals for value-based payments
and alternative payment models (APMs):

Goal 1: 30 percent of Medicare payments are tied to quality or value through APMs by the end
of 2016; 50 percent by the end of 2018.

Goal 2: 85 percent of Medicare fee-for-service payments are tied to quality or value by the end
of 2016; 90 percent by the end of 2018.
They also invited private sector payers to match or exceed these same goals.

MACRA affects physician providers, moving HHS closer to meeting these goals. Key elements
to MACRA are the following:

Changes the way Medicare rewards physicians and practitioners for value over volume
Streamlines multiple quality programs directed at physicians and practitioners under the new
Merit-based Incentive Payment System (MIPS)
Provides bonus payments for physicians’ and practitioners’ participation in eligible APMs (see
Chapter One for examples of APMs)

MIPS will incorporate aspects of three existing quality and value programs: PQRS, Value-based
Modifier, and the Medicare EHR Incentive Program. The resulting set of performance measures
will be divided into the following categories to calculate a score (between 0 and 100) for eligible
professionals. Each category of performance will be weighted as shown in Table 10.4.

Table 10.4 MIPS performance categories

Quality 50%
Advancing care information 25%
Clinical practice improvement activities 15%
Resource use 10%

Health care providers meeting the established threshold score will receive no adjustment to
payment; those scoring below will receive a negative adjustment and those above, a positive
adjustment. Exceptional performers may receive bonus payments (CMS, n.d.c, n.d.e).

The exact implementation dates for MACRA were not set by the publication date for this
textbook; however, the projected timetable for implementation of the various aspects of the law
is shown in Figure 10.2 (CMS, n.d.c).

Figure 10.2 Projected timetable for implementation of MACRA

Source: CMS (n.d.e).

Summary
In this chapter we examined how health care organizations and health plans use data and
information to demonstrate performance to licensing, certifying, and accrediting bodies; to
measure performance against internal and external standards; to compare performance to other
similar organizations; and to demonstrate performance for reimbursement purposes. This
chapter began with an examination of the licensure, certification, and accreditation of health care
facilities and health plans, followed by an overview of key comparative data sets often used by
health care organizations in benchmarking performance. The chapter further explored major
milestones in the national agenda for health care quality improvement, followed by a discussion
of the current efforts to improve health care quality and patient safety, focusing on the efforts that
involve using health care data and information to measure performance. The private and public
organizations responsible for developing and endorsing national quality measures were
introduced, and the progress that has been made in aligning these measures across these
organizations was discussed. The chapter concluded with an overview of the significant
movement toward value-based reimbursement programs and plans for significant growth in
these programs over the next decade.

Clearly, there is a bewildering and complex set of measures with many organizations involved.
Consequently, many measures being collected are inconsistent across the organizations
requiring them. There are differences of opinion about which measures should be collected and the
specific definitions of these measures. Efforts are under way, largely driven by CMS, to align
measures to ease the collection burden for health care providers. However, today’s reality
remains an overwhelmingly complex web of standards and measurement requirements.

EHRs have been cited as the solution for easing the collection burden for health care
organizations and providers. However, the most current EHR systems are limited in their ability
to collect the required measures. The result is that organizations and providers must resort to
manual data collection. In other chapters in this text we have explored reasons for the current
limitations of EHRs in this area, including provider resistance because of the time burden. There
is a largely unresolved tension in the health care community and HIT industry between the
desire to collect accurate and timely measures and the provider resistance to entering the data
into the EHR in a standard, retrievable format.

References
Agency for Healthcare Research and Quality (AHRQ). (2011). National quality strategy (NQS). Retrieved August 31, 2016, from http://www.ahrq.gov/workingforquality/nqs/nqs2011annlrpt.pdf
Agency for Healthcare Research and Quality (AHRQ). (2016, July). Comparative data. Retrieved August 31, 2016, from http://www.ahrq.gov/cahps/cahps-database/comparative-data/index.html
Agency for Healthcare Research and Quality (AHRQ). (n.d.a). About the PSO program. Retrieved August 31, 2016, from https://pso.ahrq.gov/about
Agency for Healthcare Research and Quality (AHRQ). (n.d.b). Common formats. Retrieved August 31, 2016, from https://pso.ahrq.gov/common
Centers for Medicare and Medicaid (CMS). (2015, Sept.). CMS-approved accrediting organizations contacts for prospective clients. Retrieved August 30, 2016, from https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Accrediting-Organization-Contacts-for-Prospective-Clients-.pdf
Centers for Medicare and Medicaid (CMS). (2016). CMS quality strategy 2016. Retrieved August 31, 2016, from https://www.cms.gov/medicare/quality-initiatives-patient-assessment-instruments/qualityinitiativesgeninfo/downloads/cms-quality-strategy.pdf
Centers for Medicare and Medicaid (CMS). (n.d.a). Accreditation of Medicare-certified providers & suppliers. Retrieved August 21, 2016, from https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Accreditation-of-Medicare-Certified-Providers-and-Suppliers.html
Centers for Medicare and Medicaid (CMS). (n.d.b). Hospital compare. Retrieved August 31, 2016, from https://www.medicare.gov/hospitalcompare
Centers for Medicare and Medicaid (CMS). (n.d.c). MACRA. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-MIPS-and-APMs.html
Centers for Medicare and Medicaid (CMS). (n.d.d). Medicare. Retrieved August 31, 2016, from https://www.cms.gov/Medicare
Centers for Medicare and Medicaid (CMS). (n.d.e). The Medicare Access & CHIP Reauthorization Act of 2015: Path to value. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MACRA-LAN-PPT.pdf
Centers for Medicare and Medicaid (CMS). (n.d.f). The merit-based incentive payment system: MIPS scoring methodology overview. Retrieved August 4, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/MACRA-MIPS-and-APMs/MIPS-Scoring-Methodology-slide-deck.pdf
Centers for Medicare and Medicaid (CMS). (n.d.g). Physician quality reporting system. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/PQRS/index.html?redirect=/pqri
Centers for Medicare and Medicaid (CMS). (n.d.h). Value-based programs. Retrieved August 31, 2016, from https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/Value-Based-Programs.html
Council of Medical Specialty Societies (CMSS). (2014, Nov.). The measurement of health care performance (3rd ed.). Retrieved August 21, 2016, from http://cmss.org/wp-content/uploads/2015/07/CMSS-Quality-Primer-layout.final.pdf
The Dartmouth Institute. (n.d.). Understanding of the efficiency and effectiveness of the health care system. Retrieved August 31, 2016, from http://www.dartmouthatlas.org/
Institute of Medicine (IOM) Committee on Quality in America. (2001). Crossing the quality chasm: A new health system for the 21st century. Washington, DC: National Academy Press.
The Joint Commission. (2011). Comprehensive accreditation manual for hospitals. Oakbrook Terrace, IL: Author.
The Joint Commission. (2014a, Aug.). Program: Ambulatory. Chapter: Information management (e-dition). Retrieved August 21, 2016, from http://foh.hhs.gov/tjc/im/standards.pdf
The Joint Commission. (2014b, Aug.). Program: Ambulatory. Chapter: Record of care, treatment and services (e-dition). Retrieved August 21, 2016, from http://foh.hhs.gov/tjc/roc/standards.pdf
The Joint Commission. (2015a, Nov. 5). Hospital: 2016 national patient safety goals. Retrieved August 31, 2016, from https://www.jointcommission.org/hap_2016_npsgs/
The Joint Commission. (2015b, Sept. 2). Joint Commission measure sets effective January 1, 2016. Retrieved August 21, 2016, from https://www.jointcommission.org/joint_commission_measure_sets_effective_january_1_2016/
The Joint Commission. (2016, April 27). Accreditation process overview. Retrieved August 21, 2016, from https://www.jointcommission.org/accreditation_process_overview/
The Joint Commission. (n.d.). About the Joint Commission. Retrieved August 21, 2016, from https://www.jointcommission.org/about_us/about_the_joint_commission_main.aspx
Kohn, L. T., Corrigan, J., & Donaldson, M. S. (2000). To err is human: Building a safer health system. Washington, DC: National Academy Press.
Morris, C. (2014, May). Measuring health care quality: An overview of quality measures (Issue brief). FamiliesUSA. Retrieved August 21, 2016, from http://familiesusa.org/sites/default/files/product_documents/HIS_QualityMeasurement_Brief_final_web.pdf
National Committee for Quality Assurance (NCQA). (2015). 2015 NCQA health plan accreditation standards. Retrieved August 21, 2016, from http://www.ncqa.org/programs/accreditation/health-plan-hp
National Committee for Quality Assurance (NCQA). (n.d.a). About NCQA. Retrieved August 21, 2016, from http://www.ncqa.org/about-ncqa
National Committee for Quality Assurance (NCQA). (n.d.b). Quality compass. Retrieved August 21, 2016, from http://www.ncqa.org/tabid/177/Default.aspx
National Committee for Quality Assurance (NCQA). (n.d.c). Report cards. Retrieved August 21, 2016, from http://www.ncqa.org/report-cards
National Quality Forum (NQF). (n.d.). About us. Retrieved August 31, 2016, from http://www.qualityforum.org/About_NQF/

Chapter 11
Health Care Information System Standards

Throughout this text we have examined a variety of different types of standards that affect,
directly or indirectly, the management of health information systems. In Chapter Ten we
examined health care performance standards; Chapter Two looked at data quality standards,
Chapter Nine at security standards, and so on. In this chapter we will examine yet another
category of standards that affect healthcare data and information systems: health care
information system (HCIS) standards. In all cases the standards examined represent the
measuring stick or set of rules against which an entity, such as an organization or system, will
compare its structures, processes, or functions to determine compliance. In the case of the
HCIS standards discussed in this chapter the aim is to provide a common set of rules by which
health care information systems can communicate. Systems that conform to different standards
cannot possibly communicate with one another. Portability, data exchange, and interoperability
among different health information systems can be achieved only if they can “communicate.”
For a simple analogy, think about traveling to a country where you do not speak the language.
You would not be able to communicate with that country’s citizens without a common language
or translator. Think of the common language you adopt as the standard set of rules to which all
parties agree to adhere. Once you and others agree on a common language, you and they can
communicate. You may still have some problems, but generally these can be overcome.

By nature HCIS standards include technical specifications, which make it less easy for the
typical health care administrator to fully understand them. In addition, a complex web of public
and private organizations create, manage, and implement HCIS standards, resulting in
standards that are not always aligned, making the standards even more difficult to fully grasp. In
fact, some may actually compete with one another. In addition to the complex web of standards
specifically designed for HCIS, there are many general IT standards that affect healthcare
information systems. Networking standards, such as Ethernet and Wi-Fi, employed by health
care organizations are not specific to healthcare. Extensible markup language (XML) is widely
accepted as a standard for sharing data using web-based technologies in healthcare and other
industries. There are many other examples that are beyond the scope of this text. Our focus will
be on the standards that are specific to HCIS.

With HIPAA came the push for adoption of administrative transaction and data exchange
standards. This effort has been largely successful; claims are routinely submitted via standard
electronic transaction protocols. However, although real progress has been made in recent
years, complete interoperability among health care information systems remains elusive.
Chapter Three examined the need for interoperability among health care information systems to
promote better health of our citizens; Chapter Two discussed the lack of standardization in
EHRs as an issue with using EHR data in research; and Chapter Nine outlined problems
associated with misalignment of quality and performance measures, in part because of a lack of
interoperability and standardization in EHRs and other health care information systems.
Interoperability, as defined by the ONC (2015) in its publication Connecting Health Care for the
Nation: A Shared Nationwide Interoperability Roadmap, results from multiple initiatives, including
payment, regulatory, and other policy changes to support a collaborative and connected health
care system. The best political and social infrastructures, however, will not succeed in achieving
interoperability without supportive technologies.

This chapter is divided into three main sections. The first section is an overview of HCIS
standards, providing general information about the types of standards and their purposes. The
second section examines a few of the major initiatives, public and private, responsible for
creating, requiring, or implementing HCIS standards. Finally, the last section of the chapter
examines some of the most commonly adopted HCIS standards, including examples of the
standards when possible.
HCIS Standards Overview
Keith Boone, a prolific blogger and writer on all topics related to HIT standards, once wrote,
“Standards are like potato chips. You always need more than one to get the job done” (Boone,
2012b). In general, the health care IT community discusses HCIS standards in terms of their
specific function, such as privacy and security, EHRs, electronic prescribing (e-prescribing), lab
reporting, and so on, but the reality is that achieving one of these or other functions requires
multiple standards directed at different levels within the HCIS. For example, there is a need for
standards at the level of basic communication across the Internet or other network
(Transporting), standards for structuring the content of messages communicated across the
network (Data Interchange and Messaging), standards that describe required data elements for
a particular function, such as the EHR or clinical summary (Content), and standards for naming
or classifying the actual data, such as units of measure, lab tests, diagnoses, and so on
(Vocabulary/Terminology). Unfortunately, there is no universal model for categorizing the
plethora of HCIS standards. In this chapter we will look at standards described as Data
Interchange and Messaging, Content, and Vocabulary/Terminology standards.

Standards, as we have seen, are the sets of rules for what should be included for the needed
function and system level. This is only a portion of the challenge in implementing standards. The
other challenge is how the standards are used for a particular function or use case. Much of the
work today toward achieving interoperability of healthcare information systems is concerned
with the how. Organizations that develop standards may also create specific implementation
guides for using the standard in a particular use case. (To further complicate the already
complicated standards environment, these implementation guides are sometimes referred to as
standards.) Other organizations, such as the ONC, develop frameworks for implementing
standards, and several government initiatives, such as HIPAA and HITECH, have set
requirements for implementing specific standards or sets of standards.
Standards Development Process
When seeking to understand why so many different IT and health care information standards
exist, it is helpful to look first at the standards development process that exists in the United
States (and internationally). In general the methods used to establish healthcare IT standards
can be divided into four categories (Hammond & Cimino, 2006):

Ad hoc. A standard is established by the ad hoc method when a group of interested people or
organizations agrees on a certain specification without any formal adoption process. The Digital
Imaging and Communications in Medicine (DICOM) standard for health care imaging came
about in this way.
De facto. A de facto standard arises when a vendor or other commercial enterprise controls
such a large segment of the market that its product becomes the recognized norm. The SQL
database language and the Windows operating system are examples of de facto standards.
XML is becoming a de facto standard for health care and other types of industry messaging.
Government mandate. Standards are also established when the government mandates that the
healthcare industry adopt them. Examples are the transaction and code sets mandated by the
Health Insurance Portability and Accountability Act (HIPAA) regulations.
Consensus. Consensus-based standards come about when representatives from various
interested groups come together to reach a formal agreement on specifications. The process is
generally open and involves considerable comment and feedback from the industry. This
method is employed by the standards developing organizations (SDOs) accredited by the
American National Standards Institute (ANSI). Many health care information standards are
developed by this method, including Health Level Seven (HL7) standards and the health-related
Accredited Standards Committee (ASC) standards.
The relationships among standard-setting organizations can be confusing, to say the least. Not
only do many of the acronyms sound similar but also the organizations themselves, as
voluntary, member-based organizations, can set their own missions and goals. Therefore,
although there is a formally recognized relationship among the International Organization for
Standardization (ISO), ANSI, and the SDOs, there is also some overlap in activities. Table 11.1
outlines the relationships among the formal standard-setting organizations and for each one
gives a brief overview of important facts and a current website.

Table 11.1 Relationships among standards-setting organizations

Source: ANSI (n.d.a, n.d.b, n.d.c); ISO (n.d.).

Organization: International Organization for Standardization (ISO)
Facts:
Members are national standards bodies from many different countries around the world.
Oversees the flow of documentation and international approval of standards development under
the auspices of its member bodies.
Website: www.iso.org

Organization: American National Standards Institute (ANSI)
Facts:
US member of ISO.
Accredits standards development organizations (SDOs) from a wide range of industries,
including health care.
Does not develop standards but accredits the organizations that develop standards.
Publishes more than ten thousand standards developed by accredited SDOs.
Website: www.ansi.org

Organization: Standards Developing Organizations (SDOs)
Facts:
Must be accredited by ANSI.
Develop standards in accordance with ANSI criteria.
Can use the label “Approved American National Standard.”
Approximately two hundred SDOs are accredited; twenty of these produce 90 percent of the
standards.
Website: www.standardsportal.org

All the ANSI-accredited SDOs must adhere to the guidelines established for accreditation;
therefore, they have similar standard-setting processes. According to ANSI, this process
includes the following:

Consensus on a proposed standard by a group or “consensus body” that includes
representatives from materially affected or interested parties
Broad-based public review and comment on draft standards
Consideration of and response to comments submitted by voting members of the relevant
consensus body and by public review commenters
Incorporation of approved changes into a draft standard
Right to appeal by any participant that believes that due process principles were not sufficiently
respected during the standards development in accordance with the ANSI-accredited
procedures of the standards developer (ANSI, n.d.c)
The IT industry in general has experienced a movement away from the process of establishing
standards via the accredited SDOs. The Internet and World Wide Web standards, for example,
were developed by groups with much less formal structures. However, the accredited SDOs
continue to have a significant impact on the IT standards for the healthcare industry.

Boone (2012a) lists the following organizations as major developers of HIT standards in the
United States; the list includes a mix of accredited SDOs and other developers. Each
organization’s specific areas for standard development are indicated in brackets.
ANSI-accredited SDOs are indicated with an “*.”

International Standards Organization (ISO) [various]
ASTM International (ASTM) [various]*
Accredited Standards Committee (ASC) X12 [Insurance Transactions]*
Health Level Seven International (HL7) [various]*
Digital Imaging and Communication in Medicine (DICOM) [Imaging]
National Council for Prescription Drug Programs (NCPDP) [ePrescribing]
Regenstrief (LOINC) [Laboratory Vocabulary]
International Health Terminology SDO (IHTSDO) [Clinical Terminology]
In addition, Boone (2012a) identifies the following “other” organizations as having a major impact
on HIT:

World Wide Web Consortium (W3C) [XML, HTML]
Internet Engineering Task Force (IETF) [Internet]
Organization for the Advancement of Structured Information Standards (OASIS) [Business use
of XML]

He further identifies key groups known as “profiling bodies” (Boone, 2012a) that use existing
standards to create comprehensive implementation guides. Two examples of profiling bodies
are Integrating the Healthcare Enterprise (IHE) and the ONC, which focus on guidance for
implementing clinical interoperability standards.
Perspective
European Committee for Standardization (CEN)
Although the focus of this chapter is standards developed within the United States, it is important
to recognize there are other standards organizations worldwide. For example, the European
Committee for Standardization (CEN) was created in Brussels in 1975. In 2010 CEN partnered
with another European standards developing organization, the European Committee for
Electrotechnical Standardization (CENELEC), to form the CEN-CENELEC Management Centre
(CCMC) in Brussels, Belgium. The CCMC’s current membership includes national standards
bodies from thirty-three European countries (CEN-CENELEC, n.d.).

The Technical Committee within CEN that oversees healthcare informatics standards is CEN
TC 251, which consists of two working groups:

WG1: Enterprise and Information
WG2: Technology and Applications
Source: CEN (n.d.).
Federal Initiatives Affecting Healthcare IT Standards
There are many federal initiatives that affect healthcare IT standards. In this section we look at
federal initiatives for healthcare IT standards as a part of HIPAA, CMS e-prescribing, CMS EHR
Incentive Program, and the Office of the National Coordinator for Health Information Technology
(ONC), including the Interoperability Roadmap.

HIPAA
In August 2000, the US Department of Health and Human Services published the final rule
outlining the standards to be adopted by health care organizations for electronic transactions
and announced the designated standard maintenance organizations (DSMOs). In publishing this
rule, which has been modified as needed, the federal government mandated that health care
organizations adopt certain standards for electronic transactions and standard code sets for
these transactions and identified the standards organizations that would oversee the adoption of
standards for HIPAA compliance. The DSMOs have the responsibility for the development,
maintenance, and modification of relevant electronic data interchange standards. HIPAA
transaction standards apply to all covered entities’ electronic data interchange (EDI) related to
claims and encounter information, payment and remittance advice, claims status, eligibility,
enrollment and disenrollment, referrals and authorizations, coordination of benefits, and
premiums payment. The current HIPAA transaction standards are ASC X12N version 5010
(which accommodates ICD-10) along with NCPDP D.0 for pharmacy transactions (CMS,
2016b). In addition to these transaction standards, several standard code sets were established
for use in electronic transactions, including ICD-10-CM, ICD-10-PCS, HCPCS, CPT, and Code
on Dental Procedures and Nomenclature (CDT) (CMS, 2016a).
Centers for Medicare and Medicaid E-prescribing

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA)
established a Voluntary Prescription Drug Benefit program. There is no requirement in this act
that providers write prescriptions electronically, but those who choose to do so must comply
with specific e-prescribing standards. The current published CMS e-prescribing standards
consist of three sets of existing healthcare IT standards as “foundation” standards, which
include NCPDP’s SCRIPT Standard for e-Prescribing, ASC X12N standard for Health Care
Eligibility Benefit and Response, and NCPDP’s telecommunications standard. In addition, the
final rule identifies three additional electronic tools to be used in implementing e-prescribing:

NCPDP Formulary and Benefit Standard Implementation Guide, which provides information
about drugs covered under the beneficiary’s benefit plan
NCPDP SCRIPT Medication History Transactions, which provides information about
medications a beneficiary has been taking
Fill Status Notification (RxFill), which allows prescribers to receive an electronic notice from the
pharmacy regarding the beneficiary’s prescription status (CMS, 2013)
Centers for Medicare and Medicaid EHR Incentive Programs
As discussed previously, the Medicare and Medicaid EHR Incentive Programs were
established as a part of the HITECH Act to encourage eligible providers (EPs) and eligible
hospitals (EHs) to demonstrate Meaningful Use of certified EHR technology. EHR certification
for Stage 1 and Stage 2 Meaningful Use requires EPs and EHs to meet specific criteria.
Certification requirements are organized according to objectives, measures, specific criteria,
and standards. Not all criteria include specific standards, but many do. Examples of standards
required by 2014 certification rules include using the HL7 Implementation Guide for CDA in
meeting the criteria for providing patients the ability to view online, download, and transmit
information about a hospital. Other standards include SNOMED CT, which is required for coding
a patient’s smoking status, RxNorm, which is required for medications, and LOINC, which is
required for laboratory tests, among others (HealthIT.gov, 2014).
Office of the National Coordinator for Health Information Technology
As discussed in previous chapters, the Office of the National Coordinator for Health Information
Technology (ONC) was established in 2004 and charged with providing “leadership for the
development and nationwide implementation of an interoperable health information technology
infrastructure to improve the quality and efficiency of health care” (HHS, 2008). In 2009, the role
of the ONC was strengthened when the HITECH Act legislatively mandated ONC to provide this
leadership and oversight (HHS, 2012). Today, the ONC is “the principal federal entity charged
with coordination of nationwide efforts to implement and use the most advanced health
information technology and the electronic exchange of health information” (HealthIT.gov, n.d.).

Current ONC initiatives, in addition to implementing HITECH, include implementation of
healthcare IT standards for interoperability. In Chapter Three, the ONC Interoperability Roadmap
was introduced and key milestones related to payment reform and outcomes were outlined. The
Roadmap also outlines key milestones for the development and implementation of technologies
to support interoperability (ONC, 2015). Beginning in 2015, the ONC published its first
Interoperability Standards Advisory, which has been subsequently updated annually. This
Advisory document outlines the ONC-identified “best available” standards and implementation
specifications for clinical IT interoperability. The identified standards and specifications in the
2016 Advisory are grouped into three sections:

Best Available Vocabulary/Code Set/Terminology Standards and Implementation Specifications,
which address the “semantics,” or standard meanings of codes and terms needed for
interoperability
Best Available Content/Structure Standards and Implementation Specifications, which address
the “syntax,” or rules by which the common data elements can be shared to achieve
interoperability
Best Available Standards and Implementation Specification for Services, which address
infrastructure components needed to achieve interoperability (ONC, 2016)
Each specific standard is identified and defined by six characteristics: process maturity,
implementation maturity, adoption level, federal requirement status, cost, and whether a testing
tool is available. The Advisory also includes hyperlinks to the standards and implementation
guides cited. Exhibit 11.1 is an excerpt from the 2016 Advisory.
Exhibit 11.1 Excerpt from ONC 2016 Interoperability Standards Advisory

Section I: Best Available Vocabulary/Code Set/Terminology Standards and Implementation
Specifications

I-A: Allergies

Interoperability Need: Representing patient allergic reactions
Type: Standard
Standard/Implementation Specification: SNOMED CT
Standards Process Maturity: Final
Implementation Maturity: Production
Adoption Level: (rating not reproduced in this excerpt)
Federally Required: No
Cost: Free
Test Tool Availability: N/A
Limitations, Dependencies, and Preconditions for Consideration: SNOMED CT may not be
sufficient to differentiate between an allergy or adverse reaction, or the level of severity
Applicable Value Set(s): Problem urn:oid:2.16.840.1.113883.3.88.12.3221.7.4

Interoperability Need: Representing patient allergens: medications
Type: Standard
Standard/Implementation Specification: RxNorm
Standards Process Maturity: Final
Implementation Maturity: Production
Adoption Level: (rating not reproduced in this excerpt)
Federally Required: Yes
Cost: Free
Test Tool Availability: N/A

Type: Standard
Standard/Implementation Specification: NDF-RT
Standards Process Maturity: Final
Implementation Maturity: Production
Adoption Level: Unknown
Federally Required: No
Cost: Free
Test Tool Availability: N/A

Source: ONC (2016).

Other Organizations Influencing Health Care IT Standards
The following organizations certainly do not represent the full list of bodies that are involved with
healthcare IT standards development and implementation. However, they do represent a few of
the most significant nongovernment contributors. ASTM International and HL7 International are
accredited SDOs with standards specifically addressing health care information. IHE is a
recognized profiling body influencing the implementation of interoperability standards.

ASTM International
ASTM International was formerly known as the American Society for Testing and Materials.
ASTM International has more than thirty thousand members from across the globe, and they
are responsible for publishing more than twelve thousand standards. ASTM standards range
from those that dictate traffic paint to cell phone casings (ASTM, n.d.a, n.d.b). The ASTM
Standards for Healthcare Services, Products and Technology include medical device standards
and health information standards. The health information standards are managed by the ASTM
Committee E31, which focuses on “the development of standards that help doctors and health
care practitioners preserve and transfer patient information using EHR technologies” (ASTM,
2014). Of particular note, the E31 standards include the continuity of care record (CCR)
discussed further on in this chapter.

HL7 International
HL7 International was founded in 1987. It is an ANSI-accredited SDO “dedicated to providing a
comprehensive framework and related standards for the exchange, integration, sharing, and
retrieval of electronic health information that supports clinical practice and the management,
delivery and evaluation of health services” (HL7, n.d.). The HL7 standards related to
interoperability and listed on its website as “Primary Standards,” or most used, include the
following:

Version 2 and 3 HL7 messaging standards, interoperability specifications for health and medical
transactions; these are the standards commonly referred to as HL7
Clinical Document Architecture (CDA), a document markup standard for clinical information
exchange among providers based on version 3 of HL7
Continuity of Care Document (CCD), a joint effort with ASTM providing complete guidance for
implementation of CDA in the United States
Clinical Context Object Workgroup (CCOW), interoperability standards for visually integrating
applications “at the point of use”
These primary standards are not the only ones developed by HL7 International. The
organization also publishes Functional EHR and PHR specifications; Arden Syntax, a markup
language for sharing medical information; and GELLO, a query language for medical records.
One of the most promising of the HL7 International standards is Fast Healthcare Interoperability
Resources (FHIR). FHIR is built on HL7 but is considered easier to implement because it uses
web-based technologies (Ahier, 2015). Several of the HL7 standards, including FHIR, will be
explained in greater detail further on in this chapter.

IHE
Integrating the Healthcare Enterprise (IHE) has developed a series of profiles to guide health
care documentation sharing. These profiles are not standards but rather include very specific
guidance for how existing standards can be implemented to meet clinical needs (IHE, n.d.b).
The current IHE profiles are organized as follows:

Anatomic Pathology
Cardiology
Eye Care
IT Infrastructure
Laboratory
Pathology and Laboratory Medicine
Patient Care Coordination
Patient Care Device
Pharmacy
Quality, Research, and Public Health
Radiation Oncology
Radiology
As an example, the IHE Patient Care Coordination Profile group includes twenty individual
profiles, and each profile is further identified by its current implementation stage (IHE, n.d.a).

Health IT Standards
The development and implementation of healthcare IT standards is complex and constantly
evolving. The preceding sections of this chapter are intended to provide some insight into the
processes of the organizations involved in standards development. The following sections
examine examples of the actual standards. This is by no means an exhaustive list of healthcare
IT standards but rather samplings of a few that are commonly used or significant in other ways.

Vocabulary and Terminology Standards
One of the most difficult problems in exchanging health care information and creating
interoperable EHRs is coordinating the vast amount of health information that is generated in
diverse locations for patients and populations. The vocabulary and terminology standards
discussed in this section serve similar purposes—to create a common language that enables
different information systems or vendor products to communicate unambiguously with one
another. In a very simplified example, a standard vocabulary would ensure that the medical term
myocardial infarction, for example, is mapped to the term heart attack and that both terms share
exactly the same attributes. An effective standard vocabulary must also standardize the very
complex hierarchy and syntax of the language used in the health industry. This is a complicated
and detailed endeavor to say the least. So it is not surprising that, to date, no single vocabulary
has emerged to meet all the information exchange needs of the health care sector.

The most widely recognized coding and classification systems—ICD, Current Procedural
Terminology (CPT), and diagnosis related groups (DRGs)—were discussed in Chapter Two.
Although these systems and the other coding systems discussed in this section do not meet the
criteria for full clinical vocabularies, they are used to code diagnoses and procedures and are
the basis for information retrieval in healthcare information systems. Most were originally
developed to facilitate disease and procedure information retrieval, but they have been adopted
to code for billing services as well. Several of the most commonly used classification systems
are actually incorporated across more robust standard vocabularies such as SNOMED CT and
UMLS.

The code sets required by HIPAA include the following:

HCPCS (ancillary services or procedures) (see Chapter Two)
CPT-4 (physicians procedures) (see Chapter Two)
CDT (dental terminology)
ICD-10 (see Chapter Two)
NDC (national drug codes)
The HITECH Meaningful Use final rule also includes ICD-10 as its classification standard.

The National Committee on Vital and Health Statistics (NCVHS) has the responsibility, under a
HIPAA mandate, to recommend uniform data standards for patient medical record information
(PMRI). Although no single vocabulary has been recognized by NCVHS as the standard, they
have recommended the following as a core set of PMRI terminology standards:

Systematized Nomenclature of Medicine—Clinical Terms (SNOMED CT)
Logical Observation Identifiers Names and Codes (LOINC) laboratory subset
Several federal drug terminologies, including RxNorm (NCVHS, 2003)
The HITECH Meaningful Use final rule and the ONC Advisory include these standards and the
standard for clinical vaccines administered (CVX).

In this section we will describe SNOMED CT, LOINC, CVX, and RxNorm, along with the
National Library of Medicine’s Unified Medical Language System (UMLS) (of which RxNorm is one
component), which has become the standard for bibliographic searches in health care and has
the potential for other uses as well.

Code on Dental Procedures and Nomenclature
The American Dental Association (ADA) publishes the CDT, Code on Dental Procedures and
Nomenclature. This set of codes is designed to support accurate recording and reporting of
dental treatments. The ADA strives to maintain an up-to-date set of codes that reflect actual
practice (ADA, n.d.). The code set is divided into twelve sections, as follows (Washington Dental
Service, 2012):

Diagnostic (D0000–D0999)
Preventative (D1000–D1999)
Restorative (D2000–D2999)
Endodontics (D3000–D3999)
Periodontics (D4000–D4999)
Prosthodontics (D5000–D5899)
Maxillofacial prosthetics (D5900–D5999)
Implant services (D6000–D6199)
Prosthodontics (D6200–D6999)
Oral and maxillofacial surgery (D7000–D7999)
Orthodontics (D8000–D8999)
General Services (D9000–D9999)
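The HIPAA code-set list earlier in this section and the twelve CDT ranges just listed both describe codes by their shape, and a system that ingests claims or clinical data has to check that shape before trusting the value. The following Python is an added example, not code from the textbook or from any of the code-set publishers: it classifies a code string by which of the alphanumeric HIPAA code sets (HCPCS, CPT-4, CDT, ICD-10-CM) its format matches, and for a CDT code reports the section from the ranges above. The format patterns are this example's own assumptions about the publicly documented code shapes; they check syntax only and say nothing about whether a code exists in the current licensed edition of a code set. NDC is numeric and structured differently, so it is left out here.

```python
"""Syntactic validation of codes from the HIPAA-named code sets (added example)."""
import re
from typing import Optional, Tuple

# Shape of each code set.  Names are the textbook's; the patterns are this
# example's assumptions about the publicly documented formats.
CODE_SET_PATTERNS = {
    # CPT Category I codes are five digits; Category II end in F, Category III in T.
    "CPT-4": re.compile(r"^\d{4}[\dFT]$"),
    # HCPCS Level II: one letter followed by four digits.
    "HCPCS": re.compile(r"^[A-V]\d{4}$"),
    # CDT: the letter D followed by four digits.
    "CDT": re.compile(r"^D\d{4}$"),
    # ICD-10-CM: letter, digit, alphanumeric, then an optional decimal part.
    # Claims transactions transmit the code without the decimal point, so a
    # real pipeline must learn the code system from the field, not from the text.
    "ICD-10-CM": re.compile(r"^[A-Z]\d[\dA-Z](\.[\dA-Z]{1,4})?$"),
}

# CDT sections exactly as listed in the chapter (Washington Dental Service, 2012).
CDT_SECTIONS: Tuple[Tuple[str, int, int], ...] = (
    ("Diagnostic", 0, 999),
    ("Preventative", 1000, 1999),
    ("Restorative", 2000, 2999),
    ("Endodontics", 3000, 3999),
    ("Periodontics", 4000, 4999),
    ("Prosthodontics", 5000, 5899),
    ("Maxillofacial prosthetics", 5900, 5999),
    ("Implant services", 6000, 6199),
    ("Prosthodontics", 6200, 6999),
    ("Oral and maxillofacial surgery", 7000, 7999),
    ("Orthodontics", 8000, 8999),
    ("General Services", 9000, 9999),
)


def normalize(code: str) -> str:
    """Trim whitespace and upper-case; reject empty or non-printable input."""
    cleaned = code.strip().upper()
    if not cleaned or not cleaned.isprintable():
        raise ValueError("code must be a non-empty printable string")
    return cleaned


def matching_code_sets(code: str) -> frozenset:
    """Return every code set whose format the string satisfies.

    More than one match is the interesting case: 'D0120' has the shape of
    both a CDT code and a HCPCS Level II code, which is why a code must
    always travel with an identifier for its code system.
    """
    cleaned = normalize(code)
    return frozenset(name for name, pat in CODE_SET_PATTERNS.items()
                     if pat.match(cleaned))


def cdt_section(code: str) -> Optional[Tuple[str, int, int]]:
    """Return (section name, low, high) for a well-formed CDT code, else None."""
    cleaned = normalize(code)
    if not CODE_SET_PATTERNS["CDT"].match(cleaned):
        return None
    number = int(cleaned[1:])
    for name, low, high in CDT_SECTIONS:
        if low <= number <= high:
            return (name, low, high)
    return None  # not reachable: the twelve ranges cover D0000 through D9999


if __name__ == "__main__":
    # Constructed sample inputs, including one with stray whitespace and case.
    for sample in ("D0120", "99213", "E11.9", "J3490", " d5899 ", "ZZZZ"):
        print(sample, sorted(matching_code_sets(sample)), cdt_section(sample))
```

The two-way match on D0120 is the practical lesson: a bare code is not self-describing, and a record that stores the code without its code system (the "Type" and vocabulary columns the ONC Advisory insists on) cannot be validated or safely exchanged.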

National Drug Codes
The National Drug Code (NDC) is the universal product identifier for all human drugs. The Drug
Listing Act of 1972 requires registered drug companies to provide the Food and Drug
Administration (FDA) a current listing of all drugs “manufactured, prepared, propagated,
compounded, or processed by it for commercial distribution” (FDA, 2016). The FDA, in turn,
assigns the unique, three-segment NDC (listed as package code in the following example) and
maintains the information in the National Drug Code Directory. The NDC Directory is updated
twice each month. Data maintained for each drug include up to sixteen fields. The information for
the common over-the-counter drug Tylenol PM (Extra Strength), for example, is as follows:

Product NDC: 50580-176
Product Type Name: Human OTC Drug
Proprietary Name: Tylenol PM (Extra Strength)
Non-proprietary Name: Acetaminophen and Diphenhydramine Hydrochloride
Dosage Formulation: Tablet, Coated
Route Name: Oral
Start Marketing Date: 12-01-1991
End Marketing Date: <blank field>
Marketing Category Name: OTC Monograph Final
Application Number: part338
Labeler Name: McNeil Consumer Healthcare Div. McNeil-PPC, Inc
Substance Name: Acetaminophen; Diphenhydramine Hydrochloride
Strength Number/Unit: 500 mg/1, 25 mg/1
Pharm Class: Histamine H1 Receptor Antagonists [MoA], Histamine-1 Receptor Antagonist [EPC]
Package Code: 50580-176-10
Package Description: 1 Bottle, Plastic in 1 Carton (50580-176-10) > 100 tablet, coated in 1 Bottle, Plastic
DEA classification: <blank> (US FDA, 2016)
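The three-segment NDC above (labeler-product-package, 50580-176-10) is printed with segments of uneven width, and claims systems normalize such codes to a fixed 11-digit form before matching them. The following is an added example, not code from the page or from the FDA; it assumes the standard FDA 10-digit segment layouts (4-4-2, 5-3-2, 5-4-1) and the 11-digit 5-4-2 form used on HIPAA transactions, which the page does not describe, and it refuses hyphenless 10-digit strings because their layout is ambiguous.

```python
"""Normalize hyphenated NDC codes to the 11-digit (5-4-2) billing form.

Added example; not from the page or the FDA. Assumption: the FDA 10-digit
layouts (4-4-2, 5-3-2, 5-4-1) and the 11-digit 5-4-2 HIPAA form are the
standard conventions; the page only shows the 5-3-2 code 50580-176-10.
"""
import re

# labeler-product-package, every segment all digits; en dashes that come in
# from copy/paste are normalized before matching
NDC_RE = re.compile(r"^(\d{4,5})-(\d{3,4})-(\d{1,2})$")

# the three 10-digit layouts plus the already-normalized 11-digit layout
LAYOUTS = {(4, 4, 2), (5, 3, 2), (5, 4, 1), (5, 4, 2)}


def split_ndc(ndc: str) -> tuple:
    """Return (labeler, product, package) for a hyphenated NDC.

    Hyphenless 10-digit strings are refused: without hyphens the layout is
    ambiguous (5058017610 could be 5-3-2, 4-4-2 or 5-4-1), so the code cannot
    be normalized safely and must be rejected rather than guessed.
    """
    cleaned = ndc.strip().replace("\u2013", "-")
    m = NDC_RE.match(cleaned)
    if not m:
        raise ValueError(f"not a hyphenated labeler-product-package NDC: {ndc!r}")
    labeler, product, package = m.groups()
    layout = (len(labeler), len(product), len(package))
    if layout not in LAYOUTS:
        raise ValueError(f"unsupported NDC segment layout {layout}: {ndc!r}")
    return labeler, product, package


def to_ndc11(ndc: str, hyphenate: bool = False) -> str:
    """Zero-pad each segment to 5-4-2, the form used on HIPAA claims."""
    labeler, product, package = split_ndc(ndc)
    parts = (labeler.zfill(5), product.zfill(4), package.zfill(2))
    return "-".join(parts) if hyphenate else "".join(parts)


def product_ndc11(ndc: str) -> str:
    """First nine digits of the normalized code (labeler + product), which is
    the part that corresponds to the directory's two-segment 'Product NDC'."""
    return to_ndc11(ndc)[:9]


if __name__ == "__main__":
    # the page's package code, normalized
    print(to_ndc11("50580-176-10", hyphenate=True))
```

Because the normalized form is what claims are matched on, validating the layout at the point of entry is what prevents a mistyped or re-hyphenated code from silently resolving to a different product.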
Systematized Nomenclature of Medicine—Clinical Terms
Systematized Nomenclature of Medicine—Clinical Terms (SNOMED CT) is a comprehensive
clinical terminology developed specifically to facilitate the electronic storage and retrieval of
detailed clinical information. It is the result of collaboration between the College of American
Pathologists (CAP) and the United Kingdom’s National Health Service (NHS). SNOMED CT
merges CAP’s SNOMED Reference Terminology, an older classification system used to group
diseases, and the NHS’s Clinical Terms Version 3 (also known as Read Codes), an established
clinical terminology used in Great Britain and elsewhere. As a result, SNOMED CT is based on
decades of research. As of April 2007 SNOMED is owned, maintained, and distributed by the
International Health Terminology Standards Development Organization (IHTSDO), a nonprofit
association based in Denmark. The National Library of Medicine is the US member of the
IHTSDO and distributes SNOMED CT at no cost within the United States (IHTSDO, n.d.; NLM,
2016b).

Logical Observation Identifiers Names and Codes
The Logical Observation Identifiers Names and Codes (LOINC) system was developed to
facilitate the electronic transmission of laboratory results to hospitals, physicians, third-party
payers, and other users of laboratory data. Initiated in 1994 by the Regenstrief Institute at
Indiana University, LOINC provides a standard set of universal names and codes for identifying
individual laboratory and clinical results. These standard codes enable users to merge clinical
results from disparate sources (Regenstrief Institute, n.d.).

LOINC codes have a fixed-length field of seven characters. Current codes range from three to
seven characters long. There are six parts in the LOINC name structure: component/analyte,
property, time aspect, system, scale type, and method. The syntax for a name follows this
pattern (Case, 2011):

LOINC Code:Component:Property Measured:Timing:System:Scale:Method

Example:
5193-8:Hepatitis B virus surface Ab:ACnc:Pt:Ser:Qn:EIA
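The colon-separated name structure above is easy to split, but a receiving system should also verify the code itself before mapping a result to it. The following is an added example, not code from the page or from Regenstrief: it parses the six-part name exactly as the text describes it and checks the LOINC code's trailing check digit. The Mod 10 check-digit procedure used here is the one LOINC publishes for its codes; the page does not describe it, so treat it as an assumption of this example.

```python
"""Parse a LOINC fully specified name and verify the code's check digit.

Added example, not code from the page or from Regenstrief. The six-part name
structure follows the text; the Mod 10 check-digit procedure is the one LOINC
publishes and is an assumption here, not something the page states.
"""
import re
from dataclasses import dataclass

# NNNNN-N : up to five digits, a hyphen, one check digit
CODE_RE = re.compile(r"^(\d{1,5})-(\d)$")


def loinc_check_digit(number: str) -> int:
    """Mod 10 check digit for the digits before the hyphen.

    Positions are counted from the right: the odd-position digits, read as one
    number, are doubled; the even-position digits are appended; the digits of
    the result are summed, and the check digit lifts the sum to a multiple of 10.
    """
    if not number.isdigit():
        raise ValueError(f"LOINC number must be digits only: {number!r}")
    from_right = number[::-1]
    odd = from_right[0::2]       # positions 1, 3, 5 ... from the right
    even = from_right[1::2]      # positions 2, 4, 6 ...
    combined = str(int(odd) * 2) + even
    digit_sum = sum(int(d) for d in combined)
    return (10 - digit_sum % 10) % 10


def validate_loinc_code(code: str) -> bool:
    """True if the code has the NNNNN-N shape and its check digit is correct."""
    m = CODE_RE.match(code)
    return bool(m) and loinc_check_digit(m.group(1)) == int(m.group(2))


@dataclass(frozen=True)
class LoincName:
    code: str
    component: str    # component/analyte
    prop: str         # property measured (ACnc = arbitrary concentration)
    timing: str       # time aspect (Pt = point in time)
    system: str       # specimen/system (Ser = serum)
    scale: str        # scale type (Qn = quantitative)
    method: str       # method, optional in LOINC names


def parse_loinc_name(text: str) -> LoincName:
    """Split 'code:component:property:timing:system:scale[:method]'.

    The check digit is verified before the record is accepted, so a code that
    was mistyped or corrupted in transit is rejected instead of being mapped
    to the wrong observation.
    """
    fields = [f.strip() for f in text.replace("\u2013", "-").split(":")]
    if len(fields) == 6:           # method omitted
        fields.append("")
    if len(fields) != 7:
        raise ValueError(f"expected 6 or 7 colon-separated parts: {text!r}")
    code, *parts = fields
    if not validate_loinc_code(code):
        raise ValueError(f"invalid LOINC code or check digit: {code!r}")
    return LoincName(code, *parts)


if __name__ == "__main__":
    print(parse_loinc_name("5193-8:Hepatitis B virus surface Ab:ACnc:Pt:Ser:Qn:EIA"))
```

The same check digit applies to the code 1554-5 in the HL7 v3 example later in this section, so one validator serves both vocabulary lookups and message parsing.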
Clinical Vaccines Administered
The Centers for Disease Control and Prevention (CDC) National Center of Immunization and
Respiratory Diseases (NCIRD) developed the Clinical Vaccines Administered (CVX) as
standard codes and terminology for use with HL7 messaging standards. Table 11.2 is an
excerpt from the full CVX table.

Table 11.2 Excerpt from CVX (clinical vaccines administered)

Short Description | Full Vaccine Name | CVX Code | Status | Last Date Updated | Notes
adenovirus types 4 and 7 | adenovirus, type 4 and type 7, live, oral | 143 | Active | 3/20/2011 | This vaccine is administered as two tablets.
anthrax | anthrax vaccine | 24 | Active | 5/28/2010 |
BCG | Bacillus Calmette-Guerin vaccine | 19 | Active | 5/28/2010 |
DTaP, IPV, Hib, HepB | Diphtheria and Tetanus Toxoids and Acellular Pertussis Absorbed, Inactivated Poliovirus, Haemophilus b Conjugate (Meningococcal Outer Membrane Protein Complex), and Hepatitis B (Recombinant) Vaccine | 146 | Pending | 9/21/2015 | Note that this vaccine is different from CVX 132.
influenza, seasonal, injectable | influenza, seasonal, injectable | 141 | Active | 7/17/2013 | This is one of two codes replacing CVX 15, which is being retired.
influenza, live, intranasal | influenza virus vaccine, live, attenuated, for intranasal use | 111 | Inactive | 5/28/2010 |
RxNorm
The National Library of Medicine (NLM) produces RxNorm, which serves two purposes: as “a
normalized naming system for generic and brand name drugs and as a tool for supporting
semantic interoperation between drug terminologies and pharmacy knowledge–based systems”
(NLM, 2016a). The goal of RxNorm is to enable disparate health information systems to
communicate with one another in an unambiguous manner.

There are twelve separate RxNorm data files that are released on a monthly basis. The files
show this information:

Drug names and unique identifiers
Relationships
Attributes
Semantic types
Data history (three files)
Obsolete data (three files)
Metadata (two files)

The following example from the first RxNorm data file represents the “concept,” Azithromycin
250 MG Oral Capsule, with the unique identifier 141962 (NLM, 2016a):

141962|ENG||||||944489|944489|141962||RXNORM|SCD|141962|Azithromycin 250 MG Oral Capsule||N||
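The pipe-delimited line above only becomes usable once each position is tied to a column name, and a loader that miscounts fields (or accepts a line that was wrapped or truncated) will silently attach the wrong name to a concept. The following is an added example, not code from the page or from NLM. It assumes the "first RxNorm data file" is RXNCONSO.RRF and that its 18 columns follow the documented RxNorm release layout; the page shows the line but does not name the file or its columns. The second sample line is constructed, not real RxNorm data.

```python
"""Parse RxNorm RRF concept lines into named columns.

Added example, not from the page or from NLM. Assumption: the "first RxNorm
data file" is RXNCONSO.RRF, whose 18 columns are the documented RxNorm
release layout; the page shows the line but does not name the columns.
"""
from typing import Iterable

RXNCONSO_COLUMNS = (
    "RXCUI", "LAT", "TS", "LUI", "STT", "SUI", "ISPREF", "RXAUI", "SAUI",
    "SCUI", "SDUI", "SAB", "TTY", "CODE", "STR", "SRL", "SUPPRESS", "CVF",
)

# The line printed on the page, joined back onto one physical line.
PAGE_LINE = (
    "141962|ENG||||||944489|944489|141962||RXNORM|SCD|141962|"
    "Azithromycin 250 MG Oral Capsule||N||"
)

# Constructed second line (not real RxNorm data): a suppressed atom from a
# different source vocabulary for the same concept, to exercise the filter.
CONSTRUCTED_LINE = (
    "141962|ENG||||||999999|X1|141962||SRCVOCAB|SY|C1|"
    "Azithromycin 250mg cap||O||"
)


def parse_rrf_line(line: str, columns=RXNCONSO_COLUMNS) -> dict:
    """Map one RRF line to {column: value}.

    RRF lines end with a trailing '|', so a line that does not is treated as
    truncated (the page's own line is wrapped over two lines when printed).
    A field count that differs from the layout is an error, never silently
    misaligned data.
    """
    line = line.rstrip("\r\n")
    if not line.endswith("|"):
        raise ValueError("RRF line does not end with '|' (truncated or wrapped?)")
    fields = line.split("|")[:-1]
    if len(fields) != len(columns):
        raise ValueError(f"expected {len(columns)} fields, got {len(fields)}")
    return dict(zip(columns, fields))


def active_rxnorm_names(lines: Iterable[str]) -> dict:
    """RXCUI -> {TTY: STR} for atoms whose source (SAB) is RXNORM and that are
    not suppressed; this subset gives each concept its normalized name."""
    names: dict = {}
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_rrf_line(raw)
        if rec["SAB"] != "RXNORM" or rec["SUPPRESS"] != "N":
            continue
        names.setdefault(rec["RXCUI"], {})[rec["TTY"]] = rec["STR"]
    return names


if __name__ == "__main__":
    print(active_rxnorm_names([PAGE_LINE, CONSTRUCTED_LINE]))
```

Treat the STR column as opaque text: it is free-form and may contain anything except the delimiter, so it belongs in a parameterized insert or an escaped display, never in a query built by string concatenation.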
Unified Medical Language System
The NLM began the Unified Medical Language System (UMLS) project in 1986, and it is ongoing
today. The purpose of the UMLS project is “to facilitate the development of computer systems
that behave as if they ‘understand’ the meaning of the language of biomedicine and health. The
UMLS provides data for system developers as well as search and report functions for less
technical users” (NLM, 2016b).

The UMLS has three basic components, called knowledge sources:

UMLS Metathesaurus, which contains concepts from more than one hundred source
vocabularies. All the common health information vocabularies, including SNOMED CT, ICD, and
CPT, along with approximately one hundred other vocabularies, including RxNorm, are
incorporated into the metathesaurus. The metathesaurus project’s goal is to incorporate and
map existing vocabularies into a single system.
UMLS Semantic Network, which defines 133 broad categories and dozens of relationships
between categories for labeling the biomedical domain. The semantic network contains
information about the categories (such as “Disease or Syndrome” and “Virus”) to which
metathesaurus concepts are assigned. The semantic network also outlines the relationships
among the categories (for example, “Virus” causes “Disease or Syndrome”).
SPECIALIST Lexicon and Lexical Tools. The SPECIALIST lexicon is a dictionary of English
words, common and biomedical, which exist to support natural language processing.
The UMLS products are widely used in NLM’s own applications, such as PubMed, and they are
available to other organizations free of charge, provided the users submit a license agreement
(NLM, 2016b). Currently, components of UMLS are incorporated into other standards and
profiles for health care IT interoperability.
Data Exchange and Messaging Standards
The ability to exchange and integrate data among health care applications is critical to the
success of any overall health care information system, whether an organizational, regional, or
national level of integration is desired. Although there is some overlap, these standards differ
from the vocabulary standards because their major purpose is to standardize the actual
“messaging” between health care information systems. Messaging standards are key to
interoperability. In this section we will look at a few of the standards that have been developed
for this purpose. There are others, and new needs are continually being identified. However, the
following groups of standards are recognized as important to the health care sector, and
together they provide examples of broad standards addressing all types of applications and
specific standards addressing one type of application:

Health Level Seven Messaging standards (HL7)
Digital Imaging and Communications in Medicine (DICOM)
National Council for Prescription Drug Programs (NCPDP)
ANSI ASC X12N standards
Two other groups of standards discussed in this section actually combine some features of
messaging standards and content standards:

Continuity of Care Document (CCD)
Fast Healthcare Interoperability Resources (FHIR)
HIPAA specifically requires covered entities to comply with specific ANSI X12N and NCPDP standards.
HITECH and the ONC Advisory also cite specific messaging standards and the CCD. FHIR is
currently under development by HL7 International and is being cited by health care IT
professionals as a major advancement toward true interoperability.

Health Level Seven Standards
Two versions of HL7 messaging standards, Version 2 and Version 3, are listed by HL7
International as “primary,” or commonly used. HL7 v2 remains popular in spite of the
development of HL7 v3. HL7 v2 was first introduced in 1987 and has become the “workhorse of
electronic data exchange” (HL7, n.d.). HL7 v3 messages are expressed in XML, which makes
v3 a significant change from the earlier versions. See the HL7 Perspective for an example of
an HL7 v3 message.
Digital Imaging and Communications in Medicine Standards
The growth of digital diagnostic imaging (such as CT scans and MRIs) gave rise to the need for
a standard for the electronic transfer of these images between devices manufactured by
different vendors. The American College of Radiology (ACR) and the National Electrical
Manufacturers Association (NEMA) published the first standard, a precursor to the current
Digital Imaging and Communications in Medicine (DICOM) standard, in 1985. The goals of
DICOM are to “achieve compatibility and to improve workflow efficiency between imaging
systems and other information systems in healthcare environments worldwide.” It is used by all
of the major diagnostic medical imaging vendors, which translates to its use in nearly every
medical profession that uses images (DICOM, 2016).

National Council for Prescription Drug Program Standards
The National Council for Prescription Drug Programs (NCPDP), an ANSI-accredited SDO with
more than 1,600 members representing the pharmacy services industry, has developed a set of
standards for the electronic submission of third-party drug claims (NCPDP, 2012). These
standards not only include the telecommunication standards and batch standards required by
HIPAA but also the SCRIPT standard required for e-prescribing, among others. Of note, the
SCRIPT standard currently incorporates the RxNorm as its standardized medication
nomenclature. The NCPDP Provider Identification Number is a unique identifier of more than
seventy-five thousand pharmacies. Table 11.3 presents excerpts from the NCPDP Data
Dictionary, which outlines a few of the Transmission Header Segment requirements. The entire
data dictionary table is more than seventy pages long (CMS, 2002).

Table 11.3 Excerpt from NCPDP data dictionary

NCPDP Data Dictionary Name | Field Number | NCPDP Definition of Field | Version D.0 Format | Valid Values per the Standard
Service Provider ID Qualifier | 202-B2 | Code qualifying the Service Provider ID | X(02) | (see list below)
    Blank=Not Specified
    01=National Provider Identifier (NPI)
    02=Blue Cross
    03=Blue Shield
    04=Medicare
    05=Medicaid
    06=UPIN
    07=NCPDP Provider ID
    08=State License
    09=Champus
    10=Health Industry Number (HIN)
    11=Federal Tax ID
    12=Drug Enforcement Administration (DEA)
    13=State Issued
    14=Plan Specific
    15=HCID (HC IDea)
    99=Other
Service Provider ID | 201-B1 | ID assigned to pharmacy or provider | X(15) | N/A
Date of Service | 401-D1 | Identifies the date the prescription was filled or professional service rendered or subsequent payer began coverage following Part A expiration in a long-term care setting only | 9(08) | Format=CCYYMMDD
Perspective
HL7 Laboratory Results Use Case
The following object identifiers (OIDs) are used within the Good Health Hospital (GHH):

GHH Placer Order IDs: 2.16.840.1.113883.19.1122.14
GHH Lab Filler Order IDs: 2.16.840.1.113883.19.1122.4
The code system for the observation within the GHH is LOINC: 2.16.840.1.113883.6.1
The HL7 Confidentiality Code system: 2.16.840.1.113883.5.25
The HL7 v3 Message: Domain Content Excerpt
The “Domain Content” starts with its own root element: observationEvent. The elements within
specify the type of observation, the ID, the time of the observation, statusCode, and the results.
The value for the actual result is shown in the value element. The interpretationCode element
shows that the value has been interpreted as high (H), while referenceRange provides the
normal values for this particular observation.

<observationEvent>
  <id root="2.16.840.1.113883.19.1122.4" extension="1045813"
      assigningAuthorityName="GHH LAB Filler Orders"/>
  <code code="1554-5" codeSystemName="LN" codeSystem="2.16.840.1.113883.6.1"
        displayName="GLUCOSE^POST 12H CFST:MCNC:PT:SER/PLAS:QN"/>
  <statusCode code="completed"/>
  <effectiveTime value="200202150730"/>
  <priorityCode code="R"/>
  <confidentialityCode code="N" codeSystem="2.16.840.1.113883.5.25"/>
  <value xsi:type="PQ" value="182" unit="mg/dL"/>
  <interpretationCode code="H"/>
  <referenceRange>
    <interpretationRange>
      <value xsi:type="IVL_PQ">
        <low value="70" unit="mg/dL"/>
        <high value="105" unit="mg/dL"/>
      </value>
      <interpretationCode code="N"/>
    </interpretationRange>
  </referenceRange>
  <!-- the excerpt omits the content of the author element; only its closing tags remain -->
    </assignedEntity>
  </author>
Source: Spronk (2007). http://www.ringholm.de/docs/04300_en.htm. Used under CC BY-SA 3.0,
https://creativecommons.org/licenses/by-sa/3.0/. Used with permission.
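A consumer of this message has to pull the result out of the value element, confirm the code really is LOINC (by its codeSystem OID, not by the "LN" label), and check that the sender's interpretationCode agrees with the referenceRange it supplies. The following is an added example, not code from the page or from Ringholm/HL7. Its sample is the excerpt above made self-contained: the xsi namespace is declared and the elided author element is omitted; every other value is as printed.

```python
"""Read the HL7 v3 observationEvent excerpt and cross-check its interpretation.

Added example, not code from the page or from Ringholm/HL7. The sample is the
page's excerpt made self-contained: the xsi namespace is declared and the
elided author element is left out. Everything else is as printed.
"""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
LOINC_OID = "2.16.840.1.113883.6.1"     # LOINC code system, from the GHH use case

SAMPLE = """<observationEvent xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <id root="2.16.840.1.113883.19.1122.4" extension="1045813"
      assigningAuthorityName="GHH LAB Filler Orders"/>
  <code code="1554-5" codeSystemName="LN" codeSystem="2.16.840.1.113883.6.1"
        displayName="GLUCOSE^POST 12H CFST:MCNC:PT:SER/PLAS:QN"/>
  <statusCode code="completed"/>
  <effectiveTime value="200202150730"/>
  <priorityCode code="R"/>
  <confidentialityCode code="N" codeSystem="2.16.840.1.113883.5.25"/>
  <value xsi:type="PQ" value="182" unit="mg/dL"/>
  <interpretationCode code="H"/>
  <referenceRange>
    <interpretationRange>
      <value xsi:type="IVL_PQ">
        <low value="70" unit="mg/dL"/>
        <high value="105" unit="mg/dL"/>
      </value>
      <interpretationCode code="N"/>
    </interpretationRange>
  </referenceRange>
</observationEvent>"""


def _attr(elem, name: str) -> str:
    """Required attribute or a clear error; missing data must not become None."""
    val = elem.get(name) if elem is not None else None
    if val is None:
        raise ValueError(f"missing {name}")
    return val


def parse_observation(xml_text: str) -> dict:
    """Extract the coded result and its reference range with basic checks.

    The stdlib parser is used here; for documents received from outside the
    organization, parse with the defusedxml package instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "observationEvent":
        raise ValueError(f"unexpected root element {root.tag}")
    code = root.find("code")
    if _attr(code, "codeSystem") != LOINC_OID:
        raise ValueError("observation code is not a LOINC code")
    value = root.find("value")
    if _attr(value, f"{{{XSI}}}type") != "PQ":     # namespaced xsi:type attribute
        raise ValueError("expected a physical quantity (PQ) result")
    low = root.find("referenceRange/interpretationRange/value/low")
    high = root.find("referenceRange/interpretationRange/value/high")
    units = {_attr(value, "unit"), _attr(low, "unit"), _attr(high, "unit")}
    if len(units) != 1:
        raise ValueError(f"result and reference range use different units: {units}")
    return {
        "filler_order_id": _attr(root.find("id"), "extension"),
        "loinc": _attr(code, "code"),
        "status": _attr(root.find("statusCode"), "code"),
        "confidentiality": _attr(root.find("confidentialityCode"), "code"),
        "value": float(_attr(value, "value")),
        "unit": units.pop(),
        "low": float(_attr(low, "value")),
        "high": float(_attr(high, "value")),
        "interpretation": _attr(root.find("interpretationCode"), "code"),
    }


def derive_interpretation(value: float, low: float, high: float) -> str:
    """H above the range, L below it, N otherwise."""
    if value > high:
        return "H"
    if value < low:
        return "L"
    return "N"


def interpretation_consistent(obs: dict) -> bool:
    """Does the sender's interpretationCode agree with its own referenceRange?"""
    return obs["interpretation"] == derive_interpretation(obs["value"], obs["low"], obs["high"])


if __name__ == "__main__":
    obs = parse_observation(SAMPLE)
    print(obs, interpretation_consistent(obs))
```

The unit check matters more than it looks: a result and a reference range in different units compare as plain numbers and can flip an abnormal flag, so the parser refuses the message rather than interpreting it.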
ANSI ASC X12N Standards
The ANSI Accredited Standards Committee (ASC) X12 develops standards in X12 and XML
formats for the electronic exchange of business information. One ASC X12 subcommittee,
X12N, has been specifically designated to deal with electronic data interchange (EDI) standards
in the insurance industry, and this subcommittee has a special health care task group, known as
TG2. According to the X12 TG2 website, “the purpose of the Health Care Task group shall be
the development and maintenance of data standards (both national and international) which shall
support the exchange of business information for healthcare administration. Health care data
includes, but is not limited to, such business functions as eligibility, referrals and authorizations,
claims, claim status, payment and remittance advice, and provider directories” (ASC X12, n.d.).
To this end ASC X12N has developed a set of standards that are monitored and updated
through ASC X12N work groups.

Table 11.4 lists the current X12 work group areas. A portion of the X12 5010 Professional Claim
standard is shown in Exhibit 11.2. The standard for Professional Claim alone is more than ninety
pages in length.

Table 11.4 X12 TG2 work groups

Source: ASC X12 (n.d.).

Work Group Number Work Group Name
WG1 Health Care Eligibility
WG2 Health Care Claims
WG3 Claim Payments
WG4 Enrollments
WG5 Claims Status
WG9 Patient Information
WG10 Health Care Services Review
WG15 Provider Information
WG20 Insurance—824 Implementation Guide
WG21 Health Care Regulation Advisory/Collaboration
Exhibit 11.2 X12 5010 Professional Claim Standard (837-P, version 5010)

Element Identifier | Description | Type | Min.-Max. | Usage Req. | Loop | Loop Repeat | Values
ISA | INTERCHANGE CONTROL HEADER | | 1 | R | ___ | 1 |
ISA01 | Authorization Information Qualifier | ID | 2-2 | R | | | 00, 03
ISA02 | Authorization Information | AN | 10-10 | R | | |
ISA03 | Security Information Qualifier | ID | 2-2 | R | | | 00, 01
ISA04 | Security Information | AN | 10-10 | R | | |
ISA05 | Interchange ID Qualifier | ID | 2-2 | R | | | 01, 14, 20, 27, 28, 29, 30, 33, ZZ
ISA06 | Interchange Sender ID | AN | 15-15 | R | | |
ISA07 | Interchange ID Qualifier | ID | 2-2 | R | | | 01, 14, 20, 27, 28, 29, 30, 33, ZZ
ISA08 | Interchange Receiver ID | AN | 15-15 | R | | |
ISA09 | Interchange Date | DT | 6-6 | R | | | YYMMDD
ISA10 | Interchange Time | TM | 4-4 | R | | | HHMM
ISA11 | Interchange Control Standards | ID | 1-1 | R | | |
ISA12 | Interchange Control Version Number | ID | 5-5 | R | | | 00501
ISA13 | Interchange Control Number | N0 | 9-9 | R | | |
ISA14 | Acknowledgement Requested | ID | 1-1 | R | | | 0, 1
ISA15 | Usage Indicator | ID | 1-1 | R | | | P, T
ISA16 | Component Element Separator | AN | 1-1 | R | | |
GS | FUNCTIONAL GROUP HEADER | | 1 | R | ___ | 1 |
GS01 | Functional Identifier Code | ID | 2-2 | R | | |
GS02 | Application Sender Code | AN | 2-15 | R | | |
GS03 | Application Receiver Code | AN | 2-15 | R | | |
GS04 | Date | DT | 8-8 | R | | | CCYYMMDD
GS05 | Time | TM | 4-8 | R | | | HHMM
GS06 | Group Control Number | N0 | 1-9 | R | | |
GS07 | Responsible Agency Code | ID | 1-2 | R | | | X
GS08 | Version Identifier Code | AN | 1-12 | R | | | 005010X222
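Exhibit 11.2 gives exact lengths and allowed values for every ISA element, which is what makes ISA the one fixed-width segment in an X12 interchange and lets a receiver validate it before trusting the delimiters it declares. The following is an added example, not code from the page or from ASC X12. The element lengths and value sets are taken from the exhibit; the sample interchange is constructed, with placeholder sender and receiver IDs and control numbers.

```python
"""Parse and validate the X12 ISA interchange header and the GS group header.

Added example, not from the page or from ASC X12. Element lengths and allowed
values come from Exhibit 11.2; the sample interchange is constructed with
placeholder sender/receiver IDs and control numbers.
"""

# ISA01..ISA16 lengths from the exhibit; ISA is the only fixed-width X12 segment.
ISA_LENGTHS = (2, 10, 2, 10, 2, 15, 2, 15, 6, 4, 1, 5, 9, 1, 1, 1)
ISA_TOTAL = 3 + 16 + sum(ISA_LENGTHS) + 1   # "ISA", 16 separators, elements, terminator = 106

ISA_ALLOWED = {
    "ISA01": {"00", "03"},
    "ISA03": {"00", "01"},
    "ISA05": {"01", "14", "20", "27", "28", "29", "30", "33", "ZZ"},
    "ISA07": {"01", "14", "20", "27", "28", "29", "30", "33", "ZZ"},
    "ISA12": {"00501"},
    "ISA14": {"0", "1"},
    "ISA15": {"P", "T"},
}

# (min, max) lengths of GS01..GS08 from the exhibit
GS_LENGTHS = ((2, 2), (2, 15), (2, 15), (8, 8), (4, 8), (1, 9), (1, 2), (1, 12))

# Constructed sample: '*' element separator, ':' component separator, '~' terminator.
SAMPLE_ISA = "ISA*" + "*".join([
    "00", " " * 10, "00", " " * 10, "ZZ", "SENDERID".ljust(15), "ZZ",
    "RECEIVERID".ljust(15), "160906", "1230", "^", "00501", "000000001",
    "0", "T", ":",
]) + "~"
SAMPLE_INTERCHANGE = SAMPLE_ISA + "GS*HC*SENDERID*RECEIVERID*20160906*1230*1*X*005010X222~"


def parse_isa(data: str) -> dict:
    """Return ISA01..ISA16 plus the three delimiters the interchange declares.

    The delimiters are not fixed by the standard: the element separator is
    whatever follows "ISA", ISA16 is the component separator, and the character
    after ISA16 is the segment terminator, so they are read here, not assumed.
    """
    if not data.startswith("ISA") or len(data) < ISA_TOTAL:
        raise ValueError("interchange must begin with a 106-character ISA segment")
    elem_sep = data[3]
    parts = data[:ISA_TOTAL].split(elem_sep)
    if len(parts) != 17 or len(parts[16]) != 2:
        raise ValueError(f"ISA not delimited into 16 elements by {elem_sep!r}")
    elements = parts[1:]
    comp_sep, seg_term = elements[15][0], elements[15][1]
    elements[15] = comp_sep
    isa = {}
    for i, (value, length) in enumerate(zip(elements, ISA_LENGTHS), start=1):
        name = f"ISA{i:02d}"
        if len(value) != length:
            raise ValueError(f"{name} must be {length} characters, got {len(value)}")
        if name in ISA_ALLOWED and value not in ISA_ALLOWED[name]:
            raise ValueError(f"{name} value {value!r} not allowed by the standard")
        isa[name] = value
    # ISA03 = 01 means ISA04 carries a password in clear: callers must not log the raw header
    isa["has_password"] = isa["ISA03"] == "01"
    isa.update(element_separator=elem_sep, component_separator=comp_sep,
               segment_terminator=seg_term)
    return isa


def parse_gs(data: str, isa: dict) -> dict:
    """Parse the GS segment that follows ISA, using the delimiters ISA declared."""
    segment = data[ISA_TOTAL:].split(isa["segment_terminator"], 1)[0]
    elements = segment.split(isa["element_separator"])
    if elements[0] != "GS" or len(elements) != 9:
        raise ValueError("expected a GS segment with 8 elements after ISA")
    gs = {}
    for i, (value, (lo, hi)) in enumerate(zip(elements[1:], GS_LENGTHS), start=1):
        name = f"GS{i:02d}"
        if not lo <= len(value) <= hi:
            raise ValueError(f"{name} length {len(value)} outside {lo}-{hi}")
        gs[name] = value
    if gs["GS07"] != "X":
        raise ValueError("GS07 must be X (Accredited Standards Committee X12)")
    return gs


if __name__ == "__main__":
    header = parse_isa(SAMPLE_INTERCHANGE)
    print(header, parse_gs(SAMPLE_INTERCHANGE, header))
```

Because every later segment is split using the delimiters read from ISA, rejecting a malformed header up front also stops a bad or crafted delimiter from reshaping the rest of the interchange.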
Continuity of Care Document (CCD)
The Continuity of Care Document (CCD) is a standard for the electronic exchange of patient
summary information, so-called transportable patient care information. The current CCD
standard is actually a merger of two other standards: the HL7 Clinical Document Architecture
(CDA) standard and the ASTM Continuity of Care Record (CCR). There has been some
discussion among experts about the CCR and CCD being competing standards, but HL7 has
taken the position that CCD is an implementation of CCR and simply an evolution of the CCR
(Rouse, 2010). Although discussed in this section, the CCD standard is not solely a content
standard; it includes elements of a data exchange standard. It has an XML-based specification
for exchanging patient summary data, but it also includes a standard outline of the summary
content. The content sections of the CCD include the following:
Payers
Advance Directives
Support
Functional Status
Problems
Family History
Social History
Allergies
Medications
Medical Equipment
Immunizations
Vital Signs
Results
Procedures
Encounters
Plan of Care (Dolin, 2011)

Fast Healthcare Interoperability Resources (FHIR)
Fast Healthcare Interoperability Resources (FHIR) is currently being tested (as of this text’s
publication date) by a range of healthcare IT professionals. So far, the testing has led to
predominantly positive results, with many citing FHIR as having the potential to truly accelerate
healthcare IT interoperability. The difference between FHIR and other standards is that it goes
beyond the function of a traditional messaging system and includes modern web services to
exchange clinical information. FHIR builds on the HL7 Clinical Document Architecture (CDA)
and HL7 messaging. However, unlike CDA, FHIR enables granular pieces of information rather
than an entire summary document to be shared (Ahier, 2015). According to Ahier (2015), FHIR
offers easy-to-use tools not only to build faster and more efficient data exchange mechanisms
but also to use personal health care information to create “innovative new apps” with the
potential to create a “plug and play platform . . . similar to the Apple app store.”

Health Record Content and Functional Standards

Health record content and functional standards are not the same as messaging or data
exchange standards. These standards outline what should be included in an EHR or other
clinical record. They do not include technical specifications but rather the EHR content
requirements. As mentioned previously, the CCD and FHIR have content standards within
them, along with messaging standards. HL7 EHR-S (Electronic Health Record-System)
Functional Model is an example of a comprehensive EHR content and functional standard that
does not include technical specifications.
HL7 EHR-S Functional Model
The HL7 Electronic Health Record-System (EHR-S) Functional Model, Release 2 was published by Health
Level Seven International in 2014. The purpose of this functional model is to outline important
features and functions that should be contained in an EHR. Targeted users of the functional
model include vendors and care providers, and it has been recognized by the ISO as an
international standard (ISO 10781). The stated benefits of the functional model are as follows:

Provide an international standard for global use.
Enable a consistent framework for the development of profiles that are conformant to the base
model.
Support the goal of interoperability.
Provide a standard that is easily readable and understandable to an “everyday person,” which
enables a user to articulate his or her business requirements (HL7, 2014).
The EHR-S Functional Model is divided into seven sections:

Overarching (OV)
Care Provision (CP)
Care Provision Support (CPS)
Population Health Support (POP)
Administrative Support (AS)
Record Infrastructure (RI)
Trust Infrastructure (TI)
Each function within the model is identified by section and described by specific elements. Table
11.5 is an example of the function list for managing a problem list. Note: The list type indicates
Header (H), Function (F), or Conformance Criteria (C).

Table 11.5 Excerpt from the HL7 EHR-S Functional Model

ID | Type | Name | Statement | Description | Conformance Criteria
CP.1 | H | Manage Clinical History | Manage the patient’s clinical history lists used to present summary or detailed information on patient health history. | Patient Clinical History lists are used to present succinct snapshots of critical health information including patient history, allergy intolerance and adverse reactions, medications, problems, strengths, immunizations, medical equipment/devices, and patient and family preferences. |
CP.1.4 | F | Manage Problem List | Create and maintain patient-specific problem lists. | A problem list may include but is not limited to chronic conditions, diagnoses, or symptoms, injury/poisoning (both intentional and unintentional), adverse effects of medical care (e.g., drugs, surgical), functional limitations, visit or stay-specific conditions, diagnoses, or symptoms . . . |
CP.1.4 | C | | | | 1. The system SHALL provide the ability to manage, as discrete data, all active problems associated with a patient.
CP.1.4 | C | | | | 2. The system SHALL capture and render a history of all problems associated with a patient.
CP.1.4 | C | | | | 3. The system SHALL provide the ability to manage relevant dates including the onset date and resolution date of the problem.
Summary
Multiple standard-setting organizations have roles in standards development, leading to a
somewhat confusing array of current healthcare IT standards that address code sets,
vocabularies and terminology, data exchange and messaging, and content and function. The
standards developing organizations and standards discussed in this chapter, along with other
general IT standards, enable health care information systems to be interoperable, portable, and
to exchange data. The future of our healthcare system relies on having interoperable EHRs and
other health care information systems. Clearly, this will not be realized without standards. The
government, as well as the private sector, is actively engaged in promoting the development of
best practices for implementing health care IT standards. HIPAA and CMS, for example, have
had a significant impact on the adoption of specific health care information standards that focus
on code set, terminology, and transactions. The ONC is charged with coordinating the national
efforts for achieving interoperability among health care information systems, which has led to
their publication of the Interoperability Roadmap and annual Interoperability Standards
Advisories. Both of these tools will likely have a significant impact on the direction of national
standards development and cooperation among the many standards developing organizations.

References
Accredited Standards Committee X12 (ASC X12). (n.d.). X12N/TG2: Health care purpose and
scope. Retrieved September 6, 2016, from http://www.wpc-edi.com/onlyconnect/TG2.htm
Ahier, B. (2015, Jan. 6). FHIR and the future of interoperability. Retrieved November 10, 2016,
from http://www.healthcareitnews.com/news/fhir-and-future-interoperability
American Dental Association (ADA). (n.d.). Code on dental procedures and nomenclature (CDT
code). Retrieved September 7, 2016, from http://www.ada.org/en/publications/cdt/
American National Standards Institute (ANSI). (n.d.a). About ANSI. Retrieved September 7,
2016, from https://www.ansi.org/about_ansi/overview/overview.aspx?menuid=1
American National Standards Institute (ANSI). (n.d.b). Resources: Standards developing
organizations (SDOs). Retrieved September 7, 2016, from
https://www.standardsportal.org/usa_en/resources/sdo.aspx
American National Standards Institute (ANSI). (n.d.c). Standards activities overview. Retrieved
September 7, 2016, from
https://www.ansi.org/standards_activities/overview/overview.aspx?menuid=3
ASTM International. (2014, Nov.). ASTM standards for healthcare services, products and
technology. Retrieved September 5, 2016, from
http://www.astm.org/ABOUT/images/Medical_sector.pdf

ASTM International. (n.d.a). ASTM video. Retrieved September 5, 2016, from
https://www.astm.org/about-astm-corporate.html
ASTM International. (n.d.b). Standards & publications. Retrieved September 6, 2016, from
https://www.astm.org/Standard/standards-and-publications.html
Boone, K. W. (2012a, April 9). Health IT standards 101. Retrieved September 7, 2016, from
http://www.healthcareitnews.com/blog/health-it-standards-101
Boone, K. W. (2012b, March 26). An informatics model for HealthIT standards [Web log post].
Retrieved September 22, 2016, from
http://motorcycleguy.blogspot.com/2012/03/informatics-model-for-healthit.html
Case, J. (2011). Using RELMA or . . . In search of the missing LOINC [PowerPoint]. Retrieved
March 2012 from http://loinc.org/slideshows/lab-loinc-tutorial
CEN CENELEC. (n.d.). About us. Retrieved September 7, 2016, from
http://www.cencenelec.eu/aboutus/Pages/default.aspx
Centers for Disease Control and Prevention (CDC). (2016, June 21). IIS: HL7 standard code set
CVX—Vaccines administered. Vaccines and Immunizations. Retrieved September 6, 2016,
from http://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=cvx
Centers for Medicare and Medicaid (CMS). (2002). NCPDP flat file format. NCPDP reference
manual. Retrieved September 6, 2016, from
http://www.cms.gov/Medicare/Billing/ElectronicBillingEDITrans/downloads/NCPDPflatfile.pdf
Centers for Medicare and Medicaid (CMS). (2013, April 2). Adopted standard and transactions,
adopted part D: E-prescribing standards. Retrieved September 5, 2016, from
https://www.cms.gov/Medicare/E-Health/Eprescribing/Adopted-Standard-and-Transactions.html
Centers for Medicare and Medicaid (CMS). (2016a, June 23). Adopted standards and operating
rules. Retrieved September 5, 2016, from
https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Ado
ptedStandardsandOperatingRules.html
Centers for Medicare and Medicaid (CMS). (2016b, June 21). Standards-setting and related
organizations. Retrieved September 5, 2016, from
https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Stan
dardsSettingandRelatedOrganizations.html
Department of Health and Human Services (HHS). (2008). The ONC-coordinated federal health
information technology strategic plan: 2008–2012. Retrieved August 2008 from
http://www.hhs.gov/healthit/resources/HITStrategicPlanSummary.pdf
Department of Health and Human Services (HHS). (2012). About ONC. The Office of the
National Coordinator for Health Information Technology. Retrieved March 2012 from
http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov_onc/1200
DICOM. (2016). Strategic document. DICOM: Digital Imaging and Communications in Medicine.
Retrieved September 6, 2016, from http://dicom.nema.org/dicom/geninfo/Strategy.pdf
Dolin, B. (2011). CDA and CCD for patient summaries. Retrieved November 10, 2016, from
https://www.hl7.org/documentcenter/public_temp_143D9F91-1C23-BA17-0C15A882DDE6815D
/calendarofevents/himss/2012/CDA%20and%20CCD%20for%20Patient%20Summaries.pdf
European Committee for Standardization (CEN). (n.d.). CEN/TC 251: Health informatics.
Retrieved September 7, 2016, from
https://standards.cen.eu/dyn/www/f?p=204:29:0::::FSP_ORG_ID,FSP_LANG_ID:6232,25&cs=
1FFF281A84075B985DD039F95A2CAB820#1
Food and Drug Administration (FDA). (2016, April 22). National drug code directory. Retrieved
September 7, 2016, from http://www.fda.gov/Drugs/InformationOnDrugs/ucm142438.htm
Hammond, W., & Cimino, J. (2006). Standards in biomedical informatics. In E. Shortliffe & J.
Cimino (Eds.), Biomedical informatics (pp. 265–311). New York, NY: Springer-Verlag.
HealthIT.gov (2014). Meaningful use table series. Retrieved September 22, 2016, from
https://www.healthit.gov/sites/default/files/meaningfulusetablesseries1_110112.pdf
HealthIT.gov. (n.d.). About ONC. Retrieved September 5, 2016, from
https://www.healthit.gov/newsroom/about-onc
Health Level Seven International (HL7). (2014). HL7 EHR-System Functional Model, release 2.
Retrieved September 6, 2016, from
http://www.hl7.org/implement/standards/product_brief.cfm?product_id=269
Health Level Seven International (HL7). (n.d.). HL7 version 2 product suite. Retrieved
September 6, 2016, from
http://www.hl7.org/implement/standards/product_brief.cfm?product_id=185
Integrating the Healthcare Enterprise (IHE). (n.d.a.). IHE patient care coordination profiles.
Retrieved November 10, 2016, from
http://wiki.ihe.net/index.php/Profiles#IHE_Patient_Care_Coordination_Profiles
Integrating the Healthcare Enterprise (IHE). (n.d.b.). Profiles. Retrieved November 10, 2016,
from https://www.ihe.net/Profiles/
International Health Terminology Standards Development Organization (IHTSDO). (n.d.).
History of SNOMED CT. Retrieved September 7, 2016, from
http://www.ihtsdo.org/snomed-ct/what-is-snomed-ct/history-of-snomed-ct
International Organization for Standardization (ISO). (n.d.). About ISO. Retrieved September 7,
2016, from http://www.iso.org/iso/home/about.htm
National Committee on Vital and Health Statistics (NCVHS). (2003, Nov. 5). Letter to the
secretary: Recommendations for PMRI terminology standards. Retrieved March 2012 from
http://www.ncvhs.hhs.gov/031105lt3.pdf
National Council for Prescription Drug Programs (NCPDP). (2012). About. Retrieved March
2012 from http://www.ncpdp.org/about.aspx
National Library of Medicine (NLM). (2016a, Jan. 4). RxNorm overview. Unified Medical
Language System (UMLS). Retrieved September 6, 2016, from
https://www.nlm.nih.gov/research/umls/rxnorm/overview.html
National Library of Medicine (NLM). (2016b, July 13). SNOMED CT. Retrieved September 7,
2016, from https://www.nlm.nih.gov/healthit/snomedct/

Office of the National Coordinator for Health Information Technology (ONC). (2015). Connecting
health and care for the nation: A shared nationwide interoperability roadmap. Retrieved August
3, 2016, from
https://www.healthit.gov/sites/default/files/nationwide-interoperability-roadmap-draft-version-1.0.
pdf
Office of the National Coordinator for Health Information Technology (ONC). (2016). 2016
interoperability standards advisory: Best available standards and implementation specifications.
Retrieved September 5, 2016, from
https://www.healthit.gov/sites/default/files/2016-interoperability-standards-advisory-final-508.pdf
Regenstrief Institute, Inc. (n.d.). About LOINC. Retrieved September 7, 2016, from
https://loinc.org/background
Rouse, M. (2010, May). Continuity of care document. SearchHealthIT. Retrieved March 2012
from http://searchhealthit.techtarget.com/definition/Continuity-of-Care-Document-CCD
Spronk, R. (2007). HL7 message examples: Version 2 and version 3. Retrieved from
http://www.ringholm.de/docs/04300_en.htm
United States Food & Drug Administration (US FDA). (2016). National drug code directory.
Retrieved November 10, 2016, from
http://www.fda.gov/Drugs/InformationOnDrugs/ucm142438.htm
Washington Dental Service. (2012). CDT procedure code information. Retrieved March 2012
from
http://wwwldeltadentalwa.com/Dentist/Public/ResourceCenter/CDT%20Procedure%20Codes.as
px

MANAGEMENT SCIENCE
Vol. 62, No. 4, April 2016, pp. 1042–1063
ISSN 0025-1909 (print) | ISSN 1526-5501 (online) http://dx.doi.org/10.1287/mnsc.2015.2194

© 2016 INFORMS

The Impact of Privacy Regulation and Technology
Incentives: The Case of Health Information Exchanges

Idris Adjerid
Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556, [email protected]

Alessandro Acquisti, Rahul Telang, Rema Padman
H. John Heinz III Heinz College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213

{[email protected], [email protected], [email protected]}

Julia Adler-Milstein
School of Information, University of Michigan, Ann Arbor, Michigan 48109 [email protected]

Health information exchanges (HIEs) are healthcare information technology efforts designed to foster coordination of patient care across the fragmented U.S. healthcare system. Their purpose is to improve efficiency
and quality of care through enhanced sharing of patient data. Across the United States, numerous states have
enacted laws that provide various forms of incentives for HIEs and address growing privacy concerns associ-
ated with the sharing of patient data. We investigate the impact on the emergence of HIEs of state laws that
incentivize HIE efforts and state laws that include different types of privacy requirements for sharing healthcare
data, focusing on the impact of laws that include requirements for patient consent. Although we observe that
privacy regulation alone can result in a decrease in planning and operational HIEs, we also find that, when
coupled with incentives, privacy regulation with requirements for patient consent can actually positively impact
the development of HIE efforts. Among all states with laws creating HIE incentives, only states that combined
incentives with consent requirements saw a net increase in operational HIEs; HIEs in those states also reported
decreased levels of privacy concern relative to HIEs in states with other legislative approaches. Our results
contribute to the burgeoning literature on health information technology and the debate on the impact of pri-
vacy regulation on technology innovation. In particular, they show that the impact of privacy regulation on the
success of information technology efforts is heterogeneous: both positive and negative effects can arise from
regulation, depending on the specific attributes of privacy laws.

Keywords : privacy; information systems; IT policy and management; economics of information systems;
healthcare

History : Received April 19, 2012; accepted December 16, 2014, by Anandhi Bharadwaj, information systems.
Published online in Articles in Advance November 13, 2015.

1. Introduction
The U.S. healthcare system is in the midst of an infor-
mation technology revolution. Adoption of electronic
medical record (EMR) systems is quickly rising (Office
of the National Coordinator for Health Information
Technology 2012). In parallel, health information
exchanges (HIEs) have emerged. HIEs provide infor-
mation technology solutions that allow electronic
information sharing between otherwise disconnected
healthcare organizations. They are intended to facil-
itate the exchange of patient health information
between hospitals belonging to different health sys-
tems or distinct physician practices. In turn, this
enables patients’ health records to electronically fol-
low them between care settings. HIEs are viewed
as a particularly critical investment because much
of the anticipated efficiency and quality gains from
EMRs come from the ability to support the electronic
exchange of patient data across healthcare providers (Walker et al. 2005). Without HIEs, data are trapped
in individual institutions, thereby inhibiting coordina-
tion of care, resulting in avoidable medical errors, and
driving up costs from duplicative utilization. This has
resulted in substantial legislative activity1 aimed at
realizing the vision of nationwide adoption of EMRs
coupled with the ability to exchange data between
them (Blumenthal 2010).

Legislative efforts have focused on creating a favor-
able environment in which HIEs can flourish. The
rationale for government involvement is that HIEs
have experienced both slow growth rates and high
failure rates across the United States (Adler-Milstein
et al. 2009, 2011). Research on the underlying causes
of these failures revealed an array of barriers to the

1 See, e.g., the Health Information Technology for Economic and
Clinical Health (HITECH) Act of 2009, Pub. L. No. 111-5, 123 Stat.
226 (2009); and the Patient Protection and Affordable Care Act of
2010, Pub. L. No. 111-148, 124 Stat. 119 (2010).

Downloaded from informs.org by [140.234.255.9] on 19 April 2016, at 12:23. For personal use only, all rights reserved.

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
Management Science 62(4), pp. 1042–1063, © 2016 INFORMS 1043

development of HIE efforts. Central among them are
challenges related to financial sustainability (National
eHealth Collaborative 2011, Vest and Gamm 2010,
eHealth Initiative 2005–2010) and issues related to
patient privacy (Simon et al. 2009, McDonald 2009,
McGraw et al. 2009). These challenges have spurred
25 states (as well as the District of Columbia) to
enact legislation to incentivize HIE efforts (e.g., by
providing funding for HIE efforts), address privacy
concerns, or, most often, both. However, the best
approach to ameliorating the issues associated with
HIE efforts remains unclear. In particular, HIEs have
spurred significant debate over the appropriate bal-
ance of patient privacy and the potential gains to
healthcare providers and their patients. The sensitiv-
ity of the digital health information that is exchanged
by HIEs has made the role of patient consent espe-
cially contentious.

One side of the debate is that consent require-
ments add administrative costs and restrict the
availability of patient information (National eHealth
Collaborative 2011, Pritts et al. 2009). By contrast,
Simon et al. (2009) find that patients felt that their
consent should be obtained for the exchange of
health information (i.e., an opt-in system); a system
that assumed their willingness to participate with-
out obtaining explicit consent (i.e., an opt-out system)
would not be acceptable. Thus, policy makers seeking
to foster the growth of HIE efforts face the same chal-
lenge that emerges in other industries: how to address
privacy concerns without overregulating the disclo-
sure of personal information and stifling the growth
and emergence of valuable information technology
efforts reliant on it.

Careful empirical literature related to that chal-
lenge has been recently emerging. Work by Miller and
Tucker (2009) finds that the presence of privacy reg-
ulation inhibits technology adoption by hospitals. In
subsequent work, Miller and Tucker (2011) account
for some of the variation in the statutory require-
ments of privacy regulation and hospital character-
istics, and they identify some heterogeneous effects
of privacy regulation.2 Adopting a similarly granular
approach to measuring privacy regulation, we explore
whether different forms of privacy regulation enable
or impede HIE efforts. Extending prior work, we dif-
ferentiate between states that coupled privacy regula-
tion with HIE incentives and those that did not. We
posit that incentives could offset the significant costs
associated with HIE efforts, including those that arise from varying degrees of privacy regulation. We evaluate the impact of these laws compared to states with no laws pertaining to HIE efforts.

2 For instance, they find that, although privacy regulation most often negatively impacted hospital technology adoption, it also had a positive effect on adoption in some cases (e.g., when laws had limits on redisclosure).

Our empirical strategy takes advantage of the
fact that across different states policy makers have
approached HIE challenges in different ways, enact-
ing legislation that varied both in terms of the incen-
tives they create for HIEs, and in terms of the types
of privacy protections they afford to patient data
exchanged through HIEs. Specifically, some states
enacted legislation with HIE incentives alongside
requirements for patient consent while other states
enacted legislation with HIE incentives but with pri-
vacy regulation that did not require consent. Yet other
states enacted legislation with HIE incentives but no
privacy regulation or only privacy regulation, or they
did not enact relevant legislation at all. Our work
leverages this variation to evaluate the impact of this
legislation—in particular, the variation in privacy pro-
tection afforded by these laws—on the propensity of
regional healthcare markets to have an HIE working
toward exchange capabilities (planning HIE) or an
HIE that is actively exchanging patient health infor-
mation between healthcare entities (operational HIE).
We use semiannual data from a six-year period (2004–
2009) to compare the probability of a hospital refer-
ral region (HRR)3 having an HIE in the planning or
operational stage across states with variation in the
extent to which legislation provided patients the right
to consent to the exchange of their data by the HIE.
We disentangle the impact of consent requirements
from HIE incentives using between-state and across-
time variation in consent requirements and regula-
tions providing HIE incentives. We include HRR and
time fixed effects and control for relevant observables
(e.g., other elements of the laws, differences in HRR
wealth, populations, health information technology
(IT) adoption).

Although we show that privacy regulation without
incentives had a negative effect on HIE efforts, we
also find that privacy regulation, particularly regula-
tion that includes consent requirements, was a nec-
essary condition for incentives to positively impact
HIE efforts. Incentives coupled with privacy regula-
tion that included requirements for patient consent
resulted in a 47% increase in the propensity of an
HRR having a planning HIE and a 23% increase in
the propensity of an HRR having an operational HIE.
By contrast, incentives without any privacy regula-
tion resulted in no measurable gain in the propensity
of HRRs having planning or operational HIEs, and

3 HRRs are areas defined by the Dartmouth Atlas for Healthcare as
regional healthcare markets for tertiary medical care that contain at
least one hospital that performs major cardiovascular procedures
and neurosurgery (Wennberg and Cooper 1996, p. 201).


incentives coupled with privacy regulation that did
not include consent requirements resulted in either no
gains (e.g., for planning HIEs) or comparably mod-
est gains (a 9% increase in the propensity of an HRR
having an operational HIE) that only offset but did
not overcome the baseline negative effects of privacy
regulation. As a result, of all attempts to incentivize
HIE efforts, only those coupled with privacy regula-
tion including consent requirements resulted in a net
gain in HIE efforts. Specifically, HRRs in these states
saw an 11% net increase in the propensity of having
an operational HIE.

Our findings are bolstered by the fact that we do
not find evidence that HIE laws are passed as a
result of increased HIE activity (i.e., reverse causa-
tion). We find consistent results when we consider
the impact of unobservable state characteristics that
may be correlated with the passage of HIE incentives
(such as changes in political attitudes or public opin-
ion toward the importance of health IT). Moreover,
we find no correlation between consent requirements
and the availability of funding or the number of
patients covered by an HIE. We theorize that this sur-
prising interplay between HIE incentives and consent
requirements may be due to an association between
incentives and privacy concerns. Specifically, we posit
that incentives may be associated with an increased
attention to and salience of HIE privacy concerns,
which inhibits their effectiveness when they are not
coupled with comprehensive privacy regulation (e.g.,
regulation with consent requirements). We find evi-
dence in support of this interpretation: HIEs in states
with incentives but no consent requirements were sig-
nificantly more likely to report that privacy was a
major challenge in their development relative to HIEs
in states with other legislative approaches (includ-
ing no law). By contrast, HIEs in states with con-
sent requirements reported the lowest level of privacy
concerns.

Our work contributes to two streams of literature.
One stream relates to the adoption and the diffusion
of IT in healthcare—in particular, the factors and bar-
riers that impact their adoption (Angst and Agarwal
2009, Angst et al. 2010, Anderson and Agarwal 2011).
Specific to HIEs, numerous national surveys have
suggested that health privacy issues are some of
the most significant barriers to HIE efforts (eHealth
Initiative 2005–2010, Adler-Milstein et al. 2009, 2011).
As a result, research has also focused on how to
address privacy concerns associated with informa-
tion technology in healthcare and HIE in particu-
lar (Greenberg et al. 2009, McDonald 2009, McGraw
et al. 2009). Within this stream of literature, which is
largely nonempirical, experts disagree on the appro-
priate solution for addressing privacy concerns. To
our knowledge, our work is the first to empirically

evaluate the impact on the emergence of planning and
operational HIEs of varying approaches to privacy
regulation.

Another stream relates to the economic and policy
literature evaluating the impact of privacy protections
on technological progress. Numerous consumer ser-
vices thrive today thanks to the exchange and use
of personal—and sometimes sensitive—information.
The risks associated with the potential misuse of
that information, however, have fueled a debate over
the best approach to protecting consumers’ privacy
and the role of regulation in that protection (Solove
2004, Lenard and Rubin 2005). This has led to a
small but growing body of careful empirical analy-
ses of that relationship (e.g., Miller and Tucker 2009,
2011; Goldfarb and Tucker 2011). We extend that
work in various ways. First, this literature has either
focused on contexts where technology incentives did
not exist or (as in the case of work in the context
of health IT) predated a paradigm shift in the pol-
icy approach toward promoting health IT. Focusing
on the interaction of various forms of privacy reg-
ulation with previously unstudied attempts to pro-
mote information technology efforts in healthcare, we
document a surprising interplay between state initia-
tives aimed at incentivizing HIE efforts and privacy
regulation. We find that HIE incentives consistently
offset the negative baseline effects of privacy regu-
lation on HIEs and, more surprisingly, that incen-
tives were more effective in doing so when coupled
with privacy regulation that included consent require-
ments. This suggests that the potential fixed costs
that arise from regulatory privacy protection may be
proactively managed by accompanying incentives for
information technology efforts. Interestingly, coupling
more comprehensive privacy protections (e.g., con-
sent requirements, which seemingly impose higher
costs on HIEs) with HIE incentives may sometimes
be preferred if those protections alleviate privacy con-
cerns that dampen the propensity of incentives to
enable HIE efforts. Furthermore, research is emerg-
ing that points to heterogeneous effects of privacy
regulation on information technology efforts (e.g., the
net effect of privacy regulation on hospital IT adop-
tion may depend on the number of hospitals in a
county; see Miller and Tucker 2011). By documenting
the differential impacts on HIE efforts of privacy reg-
ulation with and without incentives, we extend the
understanding of the heterogeneous effects of privacy
regulation on technology efforts. Thus, the findings
presented here suggest that regulators may have an
opportunity to provide meaningful privacy protection
to patients while encouraging the growth and suc-
cess of valuable information technology efforts. For
instance, legislative efforts such as the HITECH Act
of 2009, which couple significant incentives for health


IT with enhanced privacy protections for patients,
may offer an effective approach toward providing
improved patient privacy protections while encourag-
ing the growth of valuable health information tech-
nology solutions.

2. Background
The healthcare delivery system in the United States
is highly fragmented. Most people, over their life-
time, receive care from multiple medical providers
who practice in unaffiliated settings. As a result, dif-
ferent pieces of a patient’s medical history reside
in the various places in which they received care,
forcing medical providers to make clinical decisions
with incomplete information. This can contribute to
a range of negative patient consequences, includ-
ing missed diagnoses, duplicative testing, dangerous
combinations of medications, and poor care coordi-
nation. Prompted by estimates of gains in quality4 and efficiency5 of patient care, enabling clinical data
to electronically follow patients between care delivery
settings has gained substantial support. In particular,
in recent years, there has been an increase in efforts to
facilitate electronic exchange of patient data via HIEs.

HIEs are information technology service organiza-
tions that provide a governance framework and tech-
nology solution for exchanging patient data. Entities
with clinical data, such as hospitals, physician prac-
tices, and laboratories (“healthcare entities”), are the
most common participants in an HIE, and they most
often send and receive test results as well as care
summaries.

HIE development typically occurs in two stages:
planning and operational. In the planning stage, a
group of healthcare stakeholders in a given com-
munity initially come together informally to discuss
the problem of care fragmentation and how best to
address it. This is typically initiated by a large stake-
holder in the community, either a healthcare delivery
organization (e.g., a large hospital) or a payer (e.g.,
an insurer or large employer). If there is agreement to move forward into a more formal planning phase, this often proceeds in one of two ways: either a third-party organization is established or identified to serve as a formal HIE entity or one of the stakeholders agrees to serve as the lead entity. In our data set, two-thirds of efforts operated as established, independent organizations and the remaining one-third operated directly from within another organization (typically a hospital or health system that spearheaded the effort). The formal planning phase consists of an array of interrelated decisions that include conducting an environmental scan and needs assessment, establishing a mission and goals, setting up a governance structure, establishing legal and information sharing agreements, deciding on an approach to protect patient privacy (including patient consent), developing a sustainability plan and identifying revenue streams that at least cover operating costs, marketing to a broader group of potential stakeholders, and developing a technical infrastructure.6

4 Gains in quality of care may be realized from the increased availability of comprehensive health information, which should allow clinicians to make better treatment decisions and fewer mistakes. This benefit would be especially salient in the emergency care context, in which the patient may not be able to report preexisting conditions or drug allergies (Vest and Gamm 2010).
5 Health information exchanges have the potential to significantly decrease the costs of providing healthcare. Walker et al. (2005) estimate that, when fully implemented, health information exchanges could yield approximately $78 billion in annual savings from administrative efficiencies and reducing redundant utilization. Jha et al. (2009) estimate that, in the United States, eliminating avoidable instances of injury to a patient resulting from a medical intervention, such as administering the wrong medication, and redundant medical tests would save over $24 billion per year.

The second stage begins when an HIE effort reaches
operational status with a functional technology and
administrative infrastructure and data start to be
exchanged between healthcare entities. Although this
is considered a key milestone, HIEs in this stage con-
tinue efforts to increase participation from healthcare
entities: increasing the quantity and quality of patient
data available through an HIE makes the expected
benefits of exchange more likely and also helps HIEs
to achieve financial sustainability (only 33% of opera-
tional exchanges in our data set reported covering the
cost of operating an HIE with participant fees alone).

The last decade has seen significant growth in
HIE activity, including the number of planned HIEs
and an increasing number of HIEs that are opera-
tional: in our data, we observe 15 total HIEs nation-
wide in 2004, compared to 143 by the end of 2009.
Despite substantial potential benefits, HIEs are not
yet widespread, and many attempts to establish HIEs
have failed (Adler-Milstein et al. 2009, 2011). This has
spurred a growing body of work evaluating barri-
ers to HIEs, which suggests that they have been hin-
dered by financial sustainability challenges stemming
from misaligned incentives from competing health-
care entities and patient privacy concerns (eHealth
Initiative 2005–2010, Adler-Milstein et al. 2009, 2011).

2.1. HIE Incentives
Numerous HIEs have struggled to develop a sustain-
ability plan and identify revenue streams. In part,
this is due to misaligned incentives for HIE partici-
pants (who are the primary source of HIE revenue)
and the significant cost attached to the administra-
tive and technical infrastructure necessary to facili-
tate exchange. Although healthcare entities can derive

6 See National Rural Health Resource Center (2015).


some value from participating in an HIE (e.g., bet-
ter quality of patient care), under the predominant
healthcare reimbursement model of fee-for-service,
redundant care translates into revenue, and physi-
cians have little incentive to avoid care if they believe
it is of even marginal value. Worse, HIE makes it
easier for patients to switch healthcare providers,
potentially resulting in some hospitals and physicians
losing patients. Moreover, healthcare entities (e.g.,
hospitals and physician practices) are expected to pay
for HIE when those paying for care accrue much of
the benefit. For example, if a physician avoids order-
ing a redundant test because he or she has access to
the results of a diagnostic test performed in a differ-
ent setting, the physician (or laboratory) loses revenue
while the payer (and, downstream, the patient) accrue
the savings. The challenges in sustaining HIE efforts
that stem from these misaligned incentives for health-
care entities have been exacerbated by the high costs
of HIE efforts, with considerable resources required
to develop administrative and technical infrastructure
that meets regulatory requirements (e.g., privacy reg-
ulation) while also addressing the concerns and needs
of various HIE stakeholders. These challenges have
led some to argue that HIE should be treated as a
public good with support from the government (e.g.,
Vest and Gamm 2010).

A number of states have heeded these calls,
enacting legislation that attempts to alleviate these
concerns by incentivizing HIE efforts. Specifically,
various state legislations included general provisions
aimed at reducing the costs (financial, legal, man-
agerial, coordination, or otherwise) associated with
pursuing a health information exchange effort in the
state. These laws and their typical provisions are
described in more detail in §4.2.

2.2. HIEs and Privacy
Issues of privacy are among the most widely cited
barriers to HIE formation (Simon et al. 2009) and
have materialized as significant costs to HIEs. HIEs
differ from other forms of health IT (e.g., EMRs) in
ways that have important implications for patient
privacy. First, HIEs facilitate the exchange of infor-
mation between multiple, unaffiliated organizations;
thus the risk to the privacy of health information
and associated concerns expressed by consumers
may be substantially greater than with other tech-
nologies. Also, HIEs are predicated on the idea of
exchanging individual personal health information as
opposed to aggregated population-level data, mak-
ing privacy concerns salient and relevant. These
unique challenges have spurred a stream of liter-
ature evaluating how to best address privacy con-
cerns while still encouraging HIE efforts (Greenberg
et al. 2009, McDonald 2009, McGraw et al. 2009).

Scholars have expressed differing opinions about the
appropriate way to address privacy concerns asso-
ciated with HIEs. For example, Greenberg et al.
(2009) and McDonald (2009) agree that federal pro-
tections need to be revisited in light of a poten-
tial nationwide health information network, which is
envisioned to ultimately link regional and state-level
HIEs; however, they differ on the need to update
state protections. McDonald (2009) suggests that new
restrictions beyond the protection afforded by the
Health Insurance Portability and Accountability Act
of 1996 (HIPAA) would interfere with efficient and
safe care. Greenberg et al. (2009) advocate updates to
state legislation to better address privacy issues spe-
cific to HIEs. The ramifications of this debate can be
observed in the significant heterogeneity in how states
have tackled HIE privacy challenges. The variation in
privacy regulation is described in more detail in §4.2.

3. Theory: Privacy Regulation, Incentives, and HIE Efforts

Although the stakeholders initiating HIE efforts and
the specific model they pursue can vary, the mech-
anism underlying the choice of stakeholders to start
planning for exchange and whether or not an HIE
becomes operational is the same: HIEs can only cre-
ate value if healthcare entities (i.e., those with clinical
data) participate in an HIE, which typically involves
adhering to the terms set forth by the HIE and using
its offered technology solutions to receive and send
patient health information. The choice of healthcare
entities to participate in an HIE is driven by an
assessment of the costs and benefits that they will
accrue. For example, a hospital would incur tech-
nical costs, participation fees, and potential loss of
patients as a result of reduced switching costs, as
well as the increased legal risk from a data breach
or misuse of patient data. This would be weighed
against potential quality and efficiency gains from
electronic access to more complete information about
their patients, as well as reputational benefits from
joining a community-based effort to improve care
coordination. In addition, a broader group of stake-
holders, which do not deliver care, may stand to
benefit from cost reductions as a result of HIE and
could also influence efforts to plan for an HIE and
whether it becomes operational. For instance, a large
payer may participate in an HIE effort and subsidize
the costs to healthcare entities in order to encourage
broader participation. This could be particularly likely
if the net benefit to healthcare entities (absent these
subsidies) was not sufficiently compelling to promote
widespread participation (e.g., because of the mis-
aligned incentives described earlier). In the remain-
der of this section, we discuss how varying forms of


privacy regulation and incentives may have diverse
effects on the expected benefits and costs of HIE.

3.1. Privacy Regulation and Consent Requirements

In principle, regulation that protects patients’ privacy
may have a range of effects on the benefits and costs
of HIE efforts. Consistent with early analysis of pri-
vacy economics by scholars such as Stigler (1980) and
Posner (1981), regulating the use of patient data may
decrease availability of their information when it is
needed by healthcare providers to make decisions,
making promised benefits less likely. Regulation may
also increase the cost of establishing and maintaining
an HIE (for instance, by imposing additional techno-
logical controls or administrative procedures to pro-
tect individuals’ data). On the other hand, privacy
regulation may have a positive effect on the choice
to pursue an HIE. An established literature finds that
privacy concerns can increase the cost of technol-
ogy adoption and reduce its effectiveness (Angst and
Agarwal 2009, Sheng et al. 2008). As a result, schol-
ars have argued that assurances provided by regu-
lation can assuage privacy concerns and positively
impact the success of information technology efforts
(Bamberger and Mulligan 2011, McGraw et al. 2009).

Naturally, privacy regulation is not monolithic; the
extent to which privacy regulation impacts the ben-
efits and costs of HIEs likely depends on the degree
and type of reassurance it affords. In particular, one
of the key differentiating features between regulatory
approaches in the context of HIE is whether they
include requirements for patient consent. Consent, or
informed consent, is a cornerstone of the Organisation for Economic Co-operation and Development's
privacy guidelines and the Federal Trade Commis-
sion’s Fair Information Practice Principles. Generally
speaking, consent in the context of HIE refers to
the notion that patients should be informed about
the risks and benefits associated with the electronic
exchange of their health information and have the
right to decide whether they would like to incur them.
As in the case of privacy regulation in general, regu-
lation specifically requiring consent can, in principle,
produce an array of effects, both positive and nega-
tive, on the emergence of planning and operational
HIEs. A central concern relative to patient consent
in the context of HIE is that it may result in lim-
ited or patchy patient agreement to have their data
included in the HIE (Lai and Hui 2006), in which
case the potential benefits of HIE may be hindered.
Healthcare entities may be less willing to participate
in an HIE if they perceive a low likelihood of reaping
efficiency and quality gains as a result of incomplete
or low-quality patient data. Moreover, other stake-
holders (e.g., payers) may be less willing to support

an HIE effort (i.e., subsidize the cost to healthcare
entities) if they perceive the benefits to be unlikely.
Furthermore, requirements for consent are also likely
to impact HIEs’ technology and administrative costs
(i.e., in establishing more stringent legal agreements)
and participation costs for healthcare entities (i.e.,
costs for participants to adhere to them). For example,
HIEs operating in states with consent requirements
may need additional investment in technical and
administrative controls to meet regulatory require-
ments (e.g., clerical time by staff or technical controls
to garner and track patient consent decisions). Hence,
consent requirements may further reduce the propen-
sity of a healthcare entity to participate in an HIE if
they perceive participation to be too costly to justify
their expected benefits.

On the other hand, regulations with consent
requirements can reduce costs stemming from patient
privacy concerns. Patients may demand the right to
consent to the use of their data in the context of an
HIE. Simon et al. (2009) find that patients felt that
an HIE that assumed their willingness to participate
without obtaining explicit consent (i.e., an opt-out
system) would not be acceptable. As a consequence,
healthcare entities may decide not to participate in
HIEs if a lack of patient consent results in significant
privacy costs and pushback from patients and advo-
cacy groups. McGraw et al. (2009) argue in support of
this notion and propose that a comprehensive frame-
work that implements core privacy principles such as
consent can bolster trust from patients and medical
providers. In contrast to previously described effects
of privacy regulation, a reduction in costs stemming
from privacy concerns may encourage increased par-
ticipation by healthcare entities, thus helping HIEs to
reach the critical mass of participants to ensure that
anticipated benefits are realized.

The role of privacy regulation that does not include consent requirements is also of interest because numerous states have privacy legislation that does not require patient consent before the exchange of health information between providers. For example, legislation in the state of Indiana does not include requirements for patient consent but instead requires compliance “with the federal Health Insurance Portability and Accountability Act (HIPAA)” and the protection of “information privacy.”7 It is likely that the role of regulation that does not require consent is similar to consent-based regulation except that the impact on benefits and costs (and the propensity of community stakeholders to pursue HIE efforts) may be less pronounced. For example, privacy regulation that does not include consent requirements may still restrict (to some degree) the availability of patient information and also introduce additional costs to HIE efforts, but these effects may not be as pronounced when compared to regulation with consent requirements. It may also be the case that regulation without consent is not as effective in reducing costs to HIE efforts stemming from patient privacy concerns. In fact, we argue that this is likely the case. Recent experimental work suggests that providing consumers with choice relative to the use of their personal information may be particularly vital in assuaging privacy concerns. Brandimarte et al. (2012) find that individuals who were provided increased choice perceived a lower privacy risk, even when the objective risks were held constant, and were significantly more likely to make personal disclosures; Stutzman et al. (2013) find a strong positive correlation between the granularity of control provided to users of online social networks and the amount of disclosure by users (albeit to a narrower set of users). These mechanisms are also likely to be present in the context of HIEs, given the sensitivity of personal health information. Finally, policy makers have also recognized the unique role of providing choice by increasingly promoting more control for consumers with respect to online uses of their personal information (Federal Trade Commission 2012, White House 2012).

7 Ind. Code Ann. §5-31-6-1; Ind. Code Ann. §5-31-6-3 (West 2009).

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1048 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

3.2. Incentives and Privacy Concerns
The impact of HIE incentives on the benefits and
costs of establishing an HIE seems, at first glance, com-
paratively straightforward: all else equal, stakehold-
ers with access to incentives that reduce the costs
of pursuing an HIE effort should be more likely to
start planning for exchange, and these HIEs should
be more likely to become operational. For instance,
stakeholders in communities with access to grant pro-
grams associated with HIE incentives would have
less of a challenge generating the required capital
to initiate exchange efforts and be able to provide
healthcare entities the opportunity to participate at
a lower cost (thus increasing the likelihood of more
widespread participation and the propensity of reap-
ing expected benefits from exchange). Additionally,
given the potential of privacy requirements to impose
fixed costs on information technology efforts (e.g.,
Goldfarb and Tucker 2011, Miller and Tucker 2009)
and the anecdotal evidence that privacy requirements
have been key hurdles for HIE efforts, incentives may
serve to offset some of these costs and attenuate some
of the negative effects of privacy regulation on the
propensity of HIE efforts to emerge.

However, there may also be a more nuanced and
less obvious interplay between incentives, privacy
concerns, and the impact of privacy regulation and
incentives. Specifically, legislation intended to encour-
age the pursuit of HIE efforts may also be associ-
ated with elevated salience and awareness of privacy
concerns. We see examples of a similar phenomenon
in other contexts: government subsidies for clean
energy solutions have led to significant investment
in these technologies but have simultaneously high-
lighted the limitations and potentially adverse effects
of these technologies (e.g., lack of cost effective-
ness and efficacy); see Somaskanda (2013) and Cala
(2013). With respect to HIE incentives, they may be
seen to increase the probability that HIEs will be cre-
ated and become operational and thereby increase the
likelihood of patient privacy concerns being realized.
Moreover, it may simply be the case that HIE incen-
tives increase the attention paid to these efforts (e.g.,
by regulators, patient groups, and privacy advocates),
including increased attention to associated privacy
concerns. There is some anecdotal evidence in sup-
port of this notion. For example, the American Civil
Liberties Union brought suit against the legislatively
created Rhode Island HIE on the grounds that it was
not adequately soliciting consent from patients, and
privacy advocates warned that states “will find them-
selves embroiled in legal entanglements over privacy
as they seek to implement HIEs” (Miliard 2010). This
latter statement suggests that state-supported HIEs
(such as those initiated or aided by state legislation)
may receive disproportionate scrutiny from privacy
advocates. It is also possible that the direction of
causality is reversed: states in which the attention to
health information exchange, including attention to
privacy concerns, is high may be more likely to pro-
vide HIE incentives.

3.3. Conceptual Model and Predictions
Although we cannot directly observe the granular benefits and costs to various stakeholders from HIE participation, we can observe variation in the propensity of healthcare stakeholders to start planning for exchange capabilities (PlanningHIE) and whether these exchanges start actively exchanging patient health information between healthcare entities (OperationalHIE). We argue that these observed variables are, in turn, a function of the unobserved expected benefit and costs of an HIE effort to potential HIE stakeholders, NetRegionalBenefit. Moreover, we model the choice to pursue an exchange at the level of a state subregion j since HIEs have emerged predominately as regionally focused efforts.8 Scholars suggest that this regional focus is due to the significant variation between healthcare markets (even within a given state) and the nuanced challenges this variation can introduce for the pursuit of HIE efforts (Grossman et al. 2008). For example, the necessary collaborations, technology infrastructure, and the priorities of participating providers are likely to differ considerably between the healthcare market in metropolitan and rural regions of a state (e.g., Manhattan versus upstate New York). Moreover, an HIE’s goal is to enable clinical data to electronically follow patients between the settings in which they receive care, which also are predominantly within a defined geographic region. Hence, we utilize HRRs as our unit of analysis because they represent regional healthcare markets.9 In effect, HRRs are defined precisely to capture the geographic regions in which patients are likely to receive the bulk of their care and thus require the exchange of information. Finally, and consistent with the preceding arguments, we suggest that various forms of privacy requirements (PrivConsent/PrivNoConsent) and legislative provisions intended to encourage the pursuit of HIE efforts (Incentives) can affect the benefits and costs of HIE efforts to stakeholders within the various healthcare markets in a state, impacting the choice of stakeholders to start planning for exchange and whether these HIEs become operational. This is summarized in the following conceptual model (based on Miller and Tucker 2009):

$$
\text{PlanningHIE}^{*}_{jst},\ \text{OperationalHIE}^{*}_{jst} = f\bigl(\text{NetRegionalBenefit}_{jst} \mid \text{PrivConsent}_{jst},\ \text{PrivNoConsent}_{jst},\ \text{Incentives}_{jst}\bigr).
$$

8 Of the 73 operational exchanges in our data set, 71 were exchanging data predominately in a single HRR.

This model assumes a latent variable construct where
stakeholders in HRR j in state s at time t start
planning for an HIE if the (unobserved) expected
net benefit (NetRegionalBenefit) is positive. Moreover,
we assume that an HIE effort in the region reaches
operational status if the NetRegionalBenefit remains
positive such that they are able to complete key
planning activities (e.g., create data sharing agree-
ments, develop the underlying technical infrastruc-
ture, and gather the critical mass of participation
by healthcare entities to make exchange feasible).
Conversely, healthcare stakeholders will not form
exchanges if they perceive the net benefit to be neg-
ative, and healthcare entities will cease pursuing HIE
efforts (resulting in failed exchange) if they perceive
the net benefit from HIE to no longer be positive.

The arguments from this conceptual model and the various dynamics described in this section are summarized in Figure 1. This figure suggests that the net effect of privacy regulation on HIE efforts is a function of (1) the costs associated with privacy regulation; (2) the extent to which privacy concerns are, in fact, barriers to the pursuit of HIE efforts; and (3) the likelihood of available regulation to alleviate these concerns. With this in mind, we first consider the simplest case where privacy regulation is enacted without accompanying incentives (i.e., the left-hand side of Figure 1), where we consider it more likely that privacy regulation will have a negative overall effect on NetRegionalBenefit, thus reducing the likelihood that HIEs form and become operational (this is similar to what has been shown in the current empirical literature). This implies that the propensity of privacy regulation to reduce the NetRegionalBenefit from HIE as a result of increased implementation costs and the restrictions on the availability of patient data (�1, �2) is likely to outweigh any gains from reduced patient privacy concerns (�1, �2). Moreover, taking into account the propensity of consent requirements to have more substantial negative effects on NetRegionalBenefit (�1 > �2), this effect may be more pronounced for legislation including consent requirements.

9 Specifically, HRRs define healthcare markets determined by where most of the residents in a given area received treatment for major cardiovascular surgical procedures and for neurosurgery (Wennberg and Cooper 1996).

The introduction of HIE incentives, however, introduces a more complex and interesting dynamic. Focusing only on the propensity of incentives to reduce HIE costs (�3), incentives alone may positively impact NetRegionalBenefit, and, if passed alongside privacy regulation, HIE incentives could offset some of the costs of privacy regulation. However, if we also consider the potential of incentives to be associated with elevated privacy concerns (�3) that then offset the positive effects of HIE incentives on NetRegionalBenefit (�4), we may observe a more nuanced effect of both incentives and privacy regulation on HIE efforts. First, we may see a limited positive effect on NetRegionalBenefit of incentives passed alone because of the dampening effect of the simultaneously elevated privacy concerns (�3). Moreover, this suggests that privacy regulation, and in particular consent regulation that can better alleviate patient privacy concerns (�1 > �2), may become a more prominent force in this dynamic and could play a critical role in unlocking the propensity of HIE incentives to positively impact the net benefits of exchange. The implication of this is that coupling consent requirements with HIE incentives may have a stronger positive impact on NetRegionalBenefit (and thus differentially increase the propensity of regional stakeholders to start planning for exchange and these exchanges becoming operational) relative to incentives with privacy regulation that did not include consent requirements or with no accompanying privacy regulation. Further, this suggests that privacy regulation may have considerably different (and potentially opposite) effects on HIEs depending on whether incentives are also in place.

Figure 1 Effects of Legislation on HIE Formation

4. Data
Our analysis uses a combination of a six-year panel data set and cross-sectional HIE survey data to assess the impact of the different legislative approaches on planning and operational HIEs. Consistent with the literature, we define an HIE as any entity that facilitates electronic health information exchange between independent healthcare entities in a defined geographic region to improve health (Adler-Milstein et al. 2009). As a result, the HIEs in our data set predominately focused on the exchange of patient health information between medical providers for patient treatment purposes. Further, we consider facilitation to be providing a technical infrastructure to support clinical data exchange. Together, these criteria exclude efforts whose entire scope is limited to administrative data exchange as well as efforts working on issues related to HIE but not directly enabling it to occur.

4.1. Panel HIE Data
To identify HIEs across regions and time, we used
publicly available data from the eHealth Initiative’s
annual compilation of state, regional, and local HIE
efforts (eHealth Initiative 2005–2010). These data are
based on yearly surveys of HIEs completed by the
eHealth Initiative (eHI) and provide longitudinal
information about planning and operational HIEs in
the 2004–2009 period. We also used various online
resources provided by health organizations and indi-
vidual HIEs to determine their status as of the end of
2009 and collect any additional information on char-
acteristics of these exchanges (e.g., profit status). As
noted earlier, at the beginning of 2004, there were
only a handful of established HIEs. As of the end of
2009, we identified 220 HIEs that were in one of two
stages.

• Planning: The HIE has been initiated but is in the planning stages of development and is not actively sharing health information (n = 132).

• Operational: The HIE is actively enabling the exchange of health information between healthcare entities (n = 88).

We also identified 92 HIEs that had been initiated during this time period but had subsequently ceased operations. We do not have longitudinal data on these exchanges, and they are not included in our panel data. However, using cross-sectional data on the total number of failed HIEs in our time period of analysis, we find no significant differences in failed exchanges between legislative approaches.10 To identify the date on which HIEs were initiated and became operational and their geographic area of operation, we matched HIEs in the eHealth Initiative survey data with a national survey of HIEs collected in 2010 that captured detailed information on HIEs as of the end of 2009 (Adler-Milstein et al. 2011). Our sample includes the 73 planning and 75 operational exchanges common to both data sets minus 5 exchanges that were dropped because they did not report detailed information on their geographic location, resulting in 143 exchanges (70 planning and 73 operational) in our panel data set.

10 Normalizing by state population, we find that during our time period, states with incentives and consent requirements had 2.5 failed HIEs compared with 2.9 failed HIEs for states with incentives but no consent and 3.7 for states without any HIE incentives.

On average, HIEs in our data set had been in exis-
tence for approximately four years, and the subset
of HIEs that were operational had been exchanging
health information for three and a half years by the
end of 2009. Most exchanges (86%) operated within
a single state; nearly all exchanges (98%) were oper-
ating in fewer than two states. HIE geographic cov-
erage was measured at the more granular level of an
HRR. HRRs are generally contained within a single
state but can span multiple states and, in some cases,
can also span legislative approaches (although this
was not common).11 Of the operational exchanges,
70% reported covering a single HRR, and 60% of
the planning exchanges anticipated covering a single
HRR. The exchanges that were operational or plan-
ning in multiple HRRs tended to have the major-
ity of their coverage in a single HRR, and thus we
considered only their primary HRR. For example, of
the 22 exchanges that reported operating in multiple
HRRs, 20 reported being primarily operational in a
single HRR with more than 70% of their overall cov-
erage in a single HRR.12 We aggregated HRR cover-
age across individual HIEs to generate two primary
dependent variables.13

• PlanningHIEjst: A binary measure of whether
HRR j in state s at time t had one or more HIEs in
the planning phase. This measure only includes HIEs
that had not failed and were available to take the HIE
survey in 2010.

• OperationalHIEjst: A binary measure of whether
HRR j in state s at time t had one or more operational
HIEs.

These variables are created semiannually over the
period 2004–2009 to most accurately capture the
impact of legislation on HIEs, which commonly went
into effect at the beginning or the middle of the year.

11 In our analysis we find that only 9% of HRRs had significant portions (more than 25%) of the populations they encompass in other states with different legislative approaches. Our results are robust to the exclusion of these HRRs.
12 On average, HIEs were operational in 9.5 hospital service areas (HSAs)—a collection of ZIP codes whose residents receive most of their hospitalizations from the hospitals in that area (Wennberg and Cooper 1996)—in their central HRRs compared with 1.5 HSAs in their secondary HRRs.
13 HRRs having multiple operational exchanges were uncommon, with only 4% of regions reporting multiple operational exchanges.

To construct measures of HRR demographics, including measures of HRR population, income, and unemployment rates, we used a range of secondary sources (e.g., U.S. Census Bureau, U.S. Bureau of Economic Analysis, and the U.S. Department of Health and Human Services’ Area Health Resources Files (AHRF)). Finally, we used the Health Information and Management Systems Society (HIMSS) Analytics™ Database (HADB) to create measures that enabled us to control for hospital-level health IT adoption.

In addition to our semiannual panel data set, we con-
structed a cross-sectional data set using HIE survey
data. These data, which were only available for the
final year of our data, offered a detailed snapshot of
HIE activities, including a range of self-reported mea-
sures that captured qualitative differences between
HIEs. We used this cross-sectional data to exam-
ine other dimensions of HIE progress that were not
captured in our panel measures of HIE efforts. For
example, these data include measures of the num-
ber of patients covered by an exchange, organiza-
tional structure, sources of funding, and challenges
faced. We supplemented this with data from other
sources to construct state-level measures of education
levels, age structure, and political leaning. Table 1
includes the full list of measures and associated sum-
mary statistics.

4.2. Legislation
Protection of patients’ personal health information, as
well as requirements for patient consent for the shar-
ing of personal health information in the context of
exchanges, is governed by a combination of federal
and state laws.

At the federal level, patient consent is governed
primarily by HIPAA14 and associated regulation.
HIPAA was amended in 2009 by the HITECH Act,
which added some privacy requirements, including
breach notification requirements for entities covered
by HIPAA.15 Although HIPAA laws impact the dis-
closure of health information by HIEs, HIPAA applies
to all states (our analysis relies on between-state vari-
ation) and was passed before the time period of our
analysis. HITECH was passed in our period of analy-
sis, and its effect on HIE efforts is accounted for by the
time fixed effects in our models. At the state level, two
types of privacy legislation may affect HIE outcomes:
(1) general privacy health laws, not HIE specific, that
were largely enacted before the significant emergence
of HIEs; and (2) HIE-specific laws aimed at promot-
ing HIE activities and/or focusing on the disclosure
of patient data and patient consent.

General health privacy laws (i.e., not HIE specific) have historically been in place to deal with various aspects of health privacy, including disclosure of patient health information and consent. We identified state health privacy laws using the recent compilation by Pritts et al. (2009) and the earlier compilation of general state privacy laws by Pritts et al. (2002). However, we found that most state health privacy laws, similar to HIPAA, were passed before our period of analysis. Moreover, there has been considerable debate over the applicability of patient consent requirements provided in general health privacy laws. Specifically, most HIEs in our data set focused on the exchange of patient health information between providers for treatment purposes. However, patient consent requirements in the majority of state health privacy laws include exceptions to garnering patient consent for data disclosures between providers for treatment purposes, thus effectively precluding the majority of exchange activities. According to Pritts et al. (2009), only two states (Minnesota and New York) appear to generally require patient permission to disclose all types of health information and only three (New York, Minnesota, and Vermont) usually require medical providers to obtain patient permission before disclosing health information to other providers. Because general health privacy laws that are not HIE specific were passed before our period of analysis, and their requirements for consent have limited applicability to HIEs, we do not use them as focal independent variables. The states with requirements relevant to the exchange of health information were included in our analysis as interactions with time-varying HIE-specific legislation. This accounts for states that may not provide explicit requirements for consent in HIE-specific legislation because their existing legislation already has relevant requirements.

14 Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d-9 (2011).
15 Health Information Technology for Economic and Clinical Health Act of 2009, U.S.C. §3013 (2011).

Table 1 Data Overview and Summary Statistics

| Variable | Description | Panel Mean | Panel SD | Cross section Mean | Cross section SD | Source |
|---|---|---|---|---|---|---|
| Dependent variables | | | | | | |
| PlanningHIE_jst | A binary measure of whether HRR j in state s at time t is covered by one or more planning HIEs. | 0.15 | 0.35 | 0.18 | 0.38 | HIE/eHI survey |
| OperationalHIE_jst | A binary measure of whether HRR j in state s at time t is covered by one or more operational HIEs. | 0.10 | 0.3 | 0.20 | 0.4 | HIE/eHI survey |
| PrivChallenge_is | Binary variable indicating whether HIE i in state s reported that privacy concerns were a major challenge to their progress. | — | — | 0.12 | 0.33 | HIE survey |
| FundChallenge_is | Binary variable indicating whether an HIE i in state s reported the lack of funding as a major challenge to their progress. | — | — | 0.43 | 0.49 | HIE survey |
| HighPatientHIE_is | Binary variable of whether HIE i in state s covered more than 50,000 patients. | — | — | 0.62 | 0.48 | HIE survey |
| Independent variables | | | | | | |
| PrivConsent_st | Dummy variable indicating a state s at time t has privacy legislation that requires consent for HIE. | 0.09 | 0.28 | 0.17 | 0.38 | Goldstein and Rein (2010); Pritts et al. (2009) |
| PrivNoConsent_st | Dummy variable indicating a state s at time t has privacy legislation that does not require patient consent for HIE. | 0.39 | 0.48 | 0.47 | 0.5 | Goldstein and Rein (2010); Pritts et al. (2009) |
| Incentives_st | Dummy variable indicating whether a state s at time t enacted any law intended to encourage HIEs. | 0.16 | 0.36 | 0.45 | 0.5 | Westlaw/LexisNexis |
| Controls | | | | | | |
| BroadbandAccess_s | The percentage of households in state s with high-speed Internet access. | — | — | 0.51 | 0.06 | U.S. Census Bureau |
| PerCapGDP_s ($1,000) | The total GDP of state s divided by the population of state s. | — | — | 43.1 | 13.8 | U.S. Bureau of Economic Analysis |
| Funding_st | Dummy variable indicating whether HIE-specific legislation at time t explicitly provides funding opportunities for HIEs in state s. | 0.1 | 0.3 | 0.21 | 0.41 | Westlaw/LexisNexis |
| StateDesignated_st | Dummy variable indicating whether HIE-specific legislation in state s at time t creates or designates a statewide HIE. | 0.03 | 0.15 | 0.08 | 0.27 | Westlaw/LexisNexis |
| Population_jst (1,000s) | Number of inhabitants in HRR j in state s at time t. | 976.4 | 1,096.9 | 1,002.5 | 1,132.1 | AHRF |
| MedianIncome_jst ($1,000s) | The median family income for HRR j in state s at time t. | 45.1 | 10.5 | 47.3 | 10.8 | AHRF |
| UnempRate_jst | The unemployment rate for HRR j in state s at time t. | 6.1 | 2.03 | 9.5 | 2.4 | AHRF |
| CPOEADOPTION_jst | Percentage of hospitals in HRR j in state s at time t adopting computerized provider order entry systems (CPOEs) normalized by staffed beds. | 0.19 | 0.22 | 0.24 | 0.24 | HADB |
| MonthsPursuing_is | Months an HIE i in state s has been in existence. | — | — | 48 | 38 | HIE survey |
| FormalGov_is | Binary indicator of whether an HIE i in state s has a formal governance structure. | — | — | 0.81 | 0.39 | HIE survey |
| Democratic_s | Dummy variable indicating whether a democrat has carried state s in the 2000, 2004, and 2008 presidential elections. | — | — | 0.47 | 0.5 | National Archives |
| TopMed_s | Dummy variable if state s had a hospital in the U.S. News & World Report hospital honor roll in 2009–2010. | — | — | 0.31 | 0.46 | Comarow (2009) |
| AdvancedDegree_s | The percentage of individuals in state s with a graduate degree. | — | — | 0.1 | 0.03 | U.S. Census Bureau |
| Over65_s | The percentage of individuals in state s over 65. | — | — | 0.12 | 0.02 | AHRF |

Our primary independent variables capture HIE-
specific laws that, unlike general health privacy laws,
were passed in the period of our analysis and have
direct applicability to exchange efforts. We identi-
fied HIE-specific laws primarily through various legal
search services (e.g., LexisNexis Academic and West-
law) and supplemented these searches with recent
reports on disclosure laws and HIEs (Goldstein and
Rein 2010). We find that, in the past decade, vari-
ous states enacted legislation that (1) incentivized HIE
efforts, (2) addressed patient privacy and consent, or,
most commonly, (3) some combination of both.

As we described earlier, we considered state legislation as providing HIE incentives if it included, at a minimum, general provisions aimed at reducing any of the costs (financial, legal, managerial, coordination, or otherwise) associated with pursuing a health information exchange effort in the state. Our review of state laws fitting this criterion yields a number of state laws with provisions to incentivize HIE efforts. For instance, the North Dakota state law directs its health information technology office to “facilitate and expand electronic health information exchange in the state, directly or by awarding grants”;16 West Virginia law requires the director of the Office of Health Enhancement and Lifestyle Planning to work “through the West Virginia Health Information Network, the Bureau for Medical Services and other appropriate entities, to develop a collaborative approach for health information exchange”;17 and Kentucky state law tasks the Kentucky eHealth network board with responsibility for “the operation of an electronic health network in this Commonwealth” and, among other things, for making recommendations related to “models for an electronic health network” and “financing the central interchange for the network.”18 Moreover, we reviewed the specific provisions in state laws incentivizing HIE efforts to identify any trends in the nature of HIE incentives. This effort yielded two broad categories of HIE incentives. First, we found that 11 states have laws designating explicit funds authorized for use in support of HIE efforts. For instance, Minnesota state law allocated funding for the commissioner of health to award grants for the purpose of implementing “regional or community-based health information exchange organizations.”19 North Dakota state law included provisions to create an “electronic health information exchange fund” and also instituted a “health information technology loan program.” Second, we found seven states that had HIE incentives focused on creating or designating a specific statewide HIE as opposed to focusing on dispersed regional efforts (such provisions do not exclude other entities from creating additional exchanges in that state). For instance, Rhode Island state law established a “statewide HIE under state authority to allow for the electronic mobilization of confidential health care information,”20 and Vermont state law tasked the Vermont Information Technology Leaders (a nonprofit organization within the state) with operating the “statewide health information exchange network for this state” that included “grant agreements” with the organization.21 We account for this variation in the specific provisions included as part of state laws incentivizing HIE efforts in our empirical analysis.

16 N.D. Cent. Code, §54-59-26.
17 W. Va. Code Ann. §16-29H-6.
18 Ky. Rev. Stat. Ann. §216.267.

Similar to general health privacy laws, HIE-specific
laws varied in the extent to which they provided
patients with privacy protections and, in partic-
ular, the extent to which they instituted require-
ments for consent. Given that most states’ general
health privacy laws22 do not include consent require-
ments for disclosing health information23 to other
providers (which are also the majority of HIE par-
ticipants), requirements for consent in HIE-specific
laws are especially relevant to the disclosure of
health information by exchanges. As a result, we
differentiate between legislation including provisions
requiring consent, only general privacy requirements
without consent, and no privacy requirements at all.
Leveraging variation in HIE incentives and privacy
requirements between states, we categorize states that

19 Minn. Stat. Ann. §144.3345.
20 RI Gen L §5-37.7-4.
21 18 V.S.A. §9352.
22 New York, Minnesota, and Vermont have some requirements
that require consent for disclosure between providers. These states
were treated as having consent requirements and are Incentives and
PrivConsent states because they would all subsequently pass HIE-
specific legislation.
23 States have passed more stringent laws for some specific and
sometimes sensitive health data (e.g., mental health or HIV data).
Because this data type is generally not the focus of HIEs, we focus
only on laws restricting the exchange of general health information.

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1054 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

passed HIE-specific legislation into one of three main
categories:24

• Incentives and PrivConsent: states with laws intended to encourage the pursuit of HIEs and that have requirements for patient consent (eight states).25

• Incentives and PrivNoConsent: states with laws intended to encourage the pursuit of HIEs and that make some mention of privacy protections but do not include requirements for consent (i.e., they rely on the status quo of no consent requirements for the exchange of health information between healthcare entities) (11 states).

• Incentives: states with laws intended to encourage the pursuit of HIEs but that make no mention of privacy protections; these states also did not have any preexisting general health privacy laws that would require consent in the context of exchange (three states and the District of Columbia).

Figure 2 Overview of HIE-Specific Legislation
[Figure: states shaded by legislative category; legend: Incentives and PrivConsent; Incentives and PrivNoConsent; Incentives only.]

Figure 2 identifies the states that have enacted HIE-
specific legislation. In addition, we identified three
states that passed or amended health privacy laws
that instituted privacy requirements for HIEs without
accompanying incentives. During the time period of
our analysis, Nevada and New Mexico passed health
privacy legislation that explicitly mentioned exchange
but did not institute consent requirements for the
exchange of health information between healthcare
entities for treatment purposes (similar to general
health disclosure laws discussed previously). Con-
versely, Maine amended existing privacy legislation to

24 See EC.1 in the electronic companion (available as supplemen-
tal material at http://dx.doi.org/10.1287/mnsc.2015.2194) for addi-
tional example statutes and text.
25 Specifically, under this category, we consider any law that man-
dates that patients are provided with notice before the exchange of
their personal health information in an HIE and, at a minimum,
that patients are also provided with the choice to exclude their
information from such an exchange as having consent requirements.

require patient consent prior to the exchange of patient
health information. This leaves 25 states that did not
pass HIE-specific legislation during our time period.

5. Methods
Our empirical approach leverages time-series regression using longitudinal data on planning and operational HIEs across HRRs, as well as cross-sectional analysis using survey data on individual HIEs.

5.1. Model 1: Fixed Effects Model
The first model we estimate is a panel linear prob-
ability model that includes HRR and time fixed
effects with reported standard errors clustered at the
state level. This model evaluates the impact of HIE-
specific legislation on HIE creation (PlanningHIEjst)
and reaching operational status (OperationalHIEjst) in
healthcare market j, in state s, at time t.26 This model
identifies the baseline effects on these variables of

26 In our context, nonlinear models with fixed effects (e.g., logit)
are not desirable because they leverage only variation across time.
In our analysis, this precludes a significant portion of our data
and would result in a specification with estimations using HRR
fixed effects failing to converge. The central limitation to the lin-
ear probability model is that the predicted probabilities are not
constrained between 0 and 1, thus requiring some caution when
interpreting coefficient estimates. However, prior work has shown
little qualitative difference between the logit and linear probabil-
ity specification (Angrist and Pischke 2008), and prior empirical
work in this field has leveraged identical approaches (Miller and
Tucker 2009, Goldfarb and Tucker 2011). In addition to the practical
limitations associated with nonlinear fixed effects models, scholars
(e.g., Neyman and Scott 1948) have demonstrated that estimates
from nonlinear fixed effects models are inconsistent because the
asymptotic variance of the main parameters is a function of a small
and assumed fixed group size; this is also known as the inciden-
tal parameter problem. Greene (2002) finds this problem to be of
significant practical consequence with slope estimates from non-
linear fixed effects models uniformly biased away from zero com-
pounded by estimates of the standard errors biased toward zero.


privacy regulation with and without consent require-
ments and the effects of HIE incentives while allowing
for the differential impact of HIE incentives if privacy
requirements are also in place (model 1):

$$
\begin{aligned}
\textit{PlanningHIE}_{jst},\ \textit{OperationalHIE}_{jst}
&= \beta_0 + \beta_1 \times \textit{PrivConsent}_{st} + \beta_2 \times \textit{PrivNoConsent}_{st} \\
&\quad + \beta_3 \times \textit{Incentives}_{st} + \beta_4 \times \textit{PrivConsent}_{st} \times \textit{Incentives}_{st} \\
&\quad + \beta_5 \times \textit{PrivNoConsent}_{st} \times \textit{Incentives}_{st} \\
&\quad + \beta_6 \times \textit{StateDesignated}_{st} + \beta_7 \times \textit{Funding}_{st} \\
&\quad + \gamma \times X_{jst} + \mu_{js} + \tau_t + \varepsilon_{jst}.
\end{aligned}
$$

Here, PrivConsentst is a dummy variable indicat-
ing whether a state s at time t had a privacy law
that also required patient consent in the context of
exchange, and PrivNoConsentst is a dummy variable
indicating whether a state had a privacy law in
place but did not require patient consent in the con-
text of exchange. In this model, PrivConsentst and
PrivNoConsentst capture the impact of privacy regu-
lation that was passed without accompanying incen-
tives. Moreover, Incentivesst is a dummy variable
indicating whether a state s had legislation provid-
ing HIE incentives at time t (where t represents
semiannual intervals). We also include the interac-
tions PrivConsentst × Incentivesst and PrivNoConsentst ×
Incentivesst to identify any differential impact of incen-
tives when varying degrees of privacy protections are
present. These interactions take into account other
potentially relevant privacy legislation. For example,
if a state had passed legislation with HIE incentives
during our time period of analysis without privacy
provisions but either during or prior to our period
of analysis also passed privacy requirements relevant
to exchange in separate legislation, this interaction
would be positive.

We also created variables to differentiate between
the most common provisions in state laws incentiviz-
ing HIE efforts. We found that states differed in terms
of whether they provided explicit funding in legisla-
tion incentivizing HIEs; some states provided funds
explicitly authorized for use in support of HIE efforts,
whereas other states directed responsible entities to
identify sources of financial support for exchange
efforts or were ambiguous regarding financial sup-
port from the state. Thus, our first variable captures
HIE incentives with explicit funding opportunities
(Fundingst). In addition, we captured differences in
states’ propensity to focus HIE incentives on creating
or designating a statewide exchange versus focusing
HIE incentives on HIE efforts in disparate healthcare
markets. Thus, our second variable captures states
with laws that designate or create a state-sponsored
HIE (StateDesignatedst). We include these variables in

our model to address the concern that the variation in
state strategies toward HIE incentives may correlate
with a particular legislative approach. If this were the
case, the effect of a given legislative approach could
be driven by the intensity or nature of HIE incentives.

Finally, we include a vector of control variables, Xjst,
which accounts for other factors relevant to the emer-
gence of planning and operational HIEs. For exam-
ple, HIE efforts may require that regional healthcare
entities have some minimum level of patient record
digitization and health IT infrastructure in order to
engage in electronic exchange, which could be corre-
lated with privacy regulation. As a result, we control
for healthcare IT adoption in the HRR by includ-
ing CPOEAdoptionjst to capture hospital adoption of
computerized provider order entry (CPOE).27 CPOE
is often a proxy for advanced adoption of health-
care IT and is highly correlated with the adoption of
other healthcare IT (e.g., electronic medical records).
It is also a core component of the federal defini-
tion of “meaningful use” of electronic health records
(Blumenthal and Tavenner 2010). Other HRR-level
controls include those capturing population, median
income, and unemployment rates. HRR and time
fixed effects are represented by $\mu_{js}$ and $\tau_t$, respectively; $\varepsilon_{jst}$ is the error term. We evaluate whether
multicollinearity is a concern in the estimation of this
model by calculating correlation tables and the vari-
ance inflation factor (VIF) for each independent vari-
able in the model. We find that all variables have a
VIF well below the recommended maximum of 10
(Kennedy 1992), with a mean VIF of 1.9 for the vari-
ables in our panel estimation (see EC.2 in the elec-
tronic companion). Similar fixed effects models have
been used in the literature to examine the effect of a
policy intervention (Bertrand et al. 2004). HRR fixed
effects allow us to control for time-invariant unob-
served factors and time dummies allow us to control
for time trends. Thus, the unbiased effect of varied
regulatory approaches can be identified from varia-
tion across HRRs and time. In an extended specifica-
tion, we include one-year lagged variables to allow
for a delayed effect on HIE outcomes of legislation
aimed at incentivizing HIE efforts with and without
privacy regulation. This accounts for the potential for
resources provided by these laws to take time to reach
entities interested in pursuing HIE.28

5.2. Model 2: Cross-Sectional Model
The second model we estimate also uses a linear
probability model and standard errors clustered at

27 Based on data obtained from HADB.
28 For clarity of exposition, we exclude the lagged terms for the
binary indicators of states having privacy regulation alone (Priv-
Consent and PrivNoConsent) since the lagged effect of this legislative
approach is not of central interest and was rare in our data set.


the state level but uses cross-sectional survey data.
Our survey data captured a detailed snapshot of
HIEs’ status and activities as of the end of 2009.
This model evaluates the association between relevant
HIE characteristics (described below) and the vary-
ing approaches toward incentivizing HIE efforts (i.e.,
those with and without consent-based regulation):

$$
\textit{HIECharacteristic}_{is} = \beta_0 + \beta_1 \times \textit{Incentives}_s + \beta_2 \times \textit{Incentives}_s \times \textit{PrivConsent}_s + \gamma \times X_s + \delta \times Z_{is} + \varepsilon_{is}.
$$

Here, Incentivess is a binary indicator of whether an
HIE is operating in a state s with HIE incentives. The
interaction between Incentivess ∗ PrivConsents captures
any differential impact of having consent require-
ments alongside HIE incentives. Because states with
privacy regulation without incentives had only two
operational and three planning exchanges, we do
not attempt to estimate effects for these legislative
approaches. However, to avoid biased interpretation
of our estimates, we exclude these HIEs from our
estimation for model 2. This model does include a
vector of state-level controls, Xs, which accounts for
state political leaning, wealth, population, age struc-
ture, and education levels, as well as a vector, Zis, of
HIE-level controls including measures of the length of
time an HIE has been pursuing exchange and whether
they have a formal governance structure. Although
we do include a number of state- and HIE-level con-
trols, we cannot include HIE or regional fixed effects.
As a result, the estimates from model 2 should be
interpreted with some caution. However, we argue
that the most problematic endogeneity concerns are
unlikely in the context of our analysis.

For instance, we use this model primarily to eval-
uate the association among HIE incentives, consent
requirements, and HIE privacy challenges. Specifi-
cally, we use a binary measure of whether an HIE i
in state s reported that privacy concerns were a
major challenge or impediment to their development
(PrivChallengeis) to evaluate our previous conjecture
that incentives for HIEs may be associated with an
increased attention to and salience of privacy con-
cerns, which could materialize as barriers to the emer-
gence of HIEs. In the context of this analysis, one
concern may be that heterogeneity in states’ tastes for
privacy would both impact their propensity to have
consent requirements, as well as the pushback HIEs
face from privacy concerns. However, our predictions
would actually be made less likely by this effect, since
we conjecture that HIEs in states with consent require-
ments will, in fact, report less pushback as a result
of patient privacy concerns. For a similar reason, we
consider reverse causality in which low initial privacy

concerns resulted in states being more likely to pass
consent requirements as also being unlikely.

Additionally, we use this model to evaluate
whether relevant heterogeneity exists in key indi-
vidual characteristics of HIEs across states with and
without consent requirements. For example, because
availability of funding (beyond that from the gov-
ernment) has been shown to significantly affect the
choice to pursue exchange (Adler-Milstein et al.
2009), we evaluate the correlation between consent
requirements and the availability of funding to HIEs.
Although our panel estimation controls for legisla-
tion with explicit funding opportunities as part of
their HIE incentives, this may not suffice, because
HIEs may leverage a range of funding sources includ-
ing those provided by the federal government and
other private sources (e.g., large health systems or
physician groups). As a result, we include the vari-
able FundChallengeis as a binary measure indicating
whether HIE i in state s reported that the lack of
funding was a major challenge to their development.
Finally, we evaluate whether HIEs in states with con-
sent requirements varied with respect to other char-
acteristics that are also indicative of HIE progress and
their ability to achieve desired goals. Specifically, we
evaluate differences in the number of patients covered
by an exchange (HighPatientHIEis) across states with
and without consent requirements.

6. Results
The results for the fixed effects model (model 1) are
presented in Table 2. We find that privacy regulation
without incentives had a negative effect on the pur-
suit of HIE. However, this effect varied depending
on the stage of HIE development. For privacy regula-
tion with consent requirements (PrivConsent), we find
a large negative and significant coefficient for Plan-
ningHIE (column (A)). However, a similarly negative
coefficient for OperationalHIE is not significant (p = 0.171, column (B)). For privacy regulation without
consent requirements (PrivNoConsent), we find a sig-
nificant negative coefficient for OperationalHIE but a
near-zero and insignificant estimate for PlanningHIE.
This suggests that, although privacy regulation with-
out consent had a significant effect on HIEs reaching
operational status, it does not seem to dissuade enti-
ties from initially pursuing HIE.

We find small and generally insignificant estimates
on Incentives, suggesting that HRRs in states that pro-
vided HIE incentives without accompanying privacy
provisions did not see increases in HIEs. However,
we do find a significant and positive coefficient on
the interaction of PrivNoConsent and Incentives, but
only for OperationalHIE. This suggests that incentives
passed alongside regulation without consent require-
ments resulted in a 9% increase in the probability


Table 2 Impact of Legislation on HIE Efforts

                                    (A)           (B)             (C)           (D)
                                    PlanningHIE   OperationalHIE  PlanningHIE   OperationalHIE

PrivConsent                         −0.360**      −0.116          −0.342**      −0.0773
                                    (0.0723)      (0.0831)        (0.0741)      (0.0846)
PrivNoConsent                       0.0282        −0.104**        0.0302        −0.100**
                                    (0.0590)      (0.0243)        (0.0588)      (0.0228)
Incentives                          0.00462       0.00459         −0.00598      −0.000367
                                    (0.0501)      (0.0267)        (0.0399)      (0.0222)
Incentives × PrivConsent            0.466**       0.230**         0.432**       0.135*
                                    (0.112)       (0.0691)        (0.100)       (0.0668)
Incentives × PrivNoConsent          −0.0483       0.0908**        −0.0410       0.0987**
                                    (0.0906)      (0.0307)        (0.0796)      (0.0305)
IncentivesLag                                                     0.0412        0.0319
                                                                  (0.107)       (0.0273)
IncentivesLag × PrivConsentLag                                    0.0293        0.117
                                                                  (0.119)       (0.0988)
IncentivesLag × PrivNoConsentLag                                  −0.0297       −0.0344
                                                                  (0.123)       (0.0288)
StateDesignated                     −0.162+       0.196**         −0.150        0.218**
                                    (0.0901)      (0.0720)        (0.0906)      (0.0696)
Funding                             0.0497        −0.0556*        0.0447        −0.0641*
                                    (0.106)       (0.0231)        (0.107)       (0.0256)
CPOEAdoption                        0.00659       0.0798          0.00772       0.0815
                                    (0.0666)      (0.0805)        (0.0658)      (0.0798)
OperationalHIE                      −0.520**                      −0.525**
                                    (0.0569)                      (0.0557)

Observations                        3,672         3,672           3,672         3,672
R-squared                           0.195         0.113           0.196         0.120
Control variables                   Yes           Yes             Yes           Yes
Time fixed effects                  Yes           Yes             Yes           Yes
HRR fixed effects                   Yes           Yes             Yes           Yes

Note. Robust standard errors are shown in parentheses.
+p < 0.1; *p < 0.05; **p < 0.01.

of an HRR having an operational exchange but no
measurable effect on the propensity of initiating an
exchange. Finally, we find consistent and significant
gains from HIE incentives when they were coupled
with privacy regulation providing patient consent
requirements. Specifically, we find a large and signif-
icant coefficient on the interaction of PrivConsent and
Incentives for both PlanningHIE (p < 0.01) and OperationalHIE (p < 0.01), suggesting that incentives passed
alongside privacy regulation with consent require-
ments resulted in a 47% increase in the probability of
HRRs having a planning exchange and a 23% increase
in the probability of HRRs having an operational
exchange. Moreover, the difference in the effective-
ness of incentives coupled with consent requirements
was statistically significant when compared with the
incentives alone (Incentives) or incentives with reg-
ulation without consent (Incentives × PrivNoConsent)
for both PlanningHIE (p < 0.01) and OperationalHIE
(p < 0.05).

Given that we find evidence of negative baseline
effects of privacy regulation, we also consider the net

effect for states with legislative approaches that com-
bined incentives and privacy regulation. For instance,
although HIE incentives coupled with privacy regu-
lation without consent requirements resulted in a 9%
increase in the probability of HRRs having an opera-
tional exchange, this effect was offset by the negative
(10%) baseline effect of the privacy regulation, result-
ing in a zero net effect on the propensity of HRRs in
these states to have operational HIEs. By contrast, we
find evidence of a net gain in operational HIEs for
HRRs in states with both HIE incentives and privacy
regulation with consent requirements. Specifically, we
identify an 11% (p < 0.05) net increase for OperationalHIE and also a 10% net increase (although insignificant, p = 0.22) for PlanningHIE. Within our data set,
HIE incentives coupled with consent requirements
was the only legislative approach with evidence of a
net gain in OperationalHIE.

Estimates of our main model with lagged variables
are presented in Table 2, columns (C) and (D). We find
that estimates on our baseline interaction of Incentives
and PrivConsent for PlanningHIE are of similar mag-
nitude to our primary estimation and are significant


(p < 0.05), whereas our lagged term has a small and
insignificant coefficient. This suggests that new HIEs
were planned within a short period of the passage of
these laws and may reflect the relatively low costs of
initiating an exchange and that parties interested in
pursuing HIE closely tracked the progression of these
laws. However, we may reasonably expect that the
effect of legislation on the propensity of an exchange
actually becoming operational may be less immediate,
because the resources afforded by these laws may be
critical in exchanges advancing their capabilities. We
find some support for this notion, with the coefficient
on our baseline interaction of Incentives and PrivCon-
sent for OperationalHIE roughly half the magnitude
of our primary estimation (13.5% versus 23.0%). Our
lagged term, however, is larger (11.7%) but less precisely estimated (p = 0.24), suggesting some variability in the lagged effect of relevant legislation. We
should note that we are not able to observe lagged
effects for states that passed laws within the last year
of our panel (Oregon and Alaska), which may also be
contributing to higher standard errors for estimation
of our lagged term.

The results from our cross-sectional model (see
Table 3) offer some explanation for the differen-
tial HIE gains from incentives coupled with consent
requirements and also address alternative interpre-
tations of our results. First, we evaluate the valid-
ity of our earlier conjecture that the effectiveness of
incentives with consent requirements is driven by the
propensity of consent requirements to address ele-
vated consumer privacy concerns associated with HIE
incentives. We find evidence in support of this con-
jecture with HIE incentives not coupled with consent
requirements positively associated with increased
scrutiny and privacy concerns. Specifically, we find
that HIEs in states with HIE incentives but without consent requirements were 30% more likely to report that privacy was a major challenge compared with HIEs in states with incentives and consent requirements (p < 0.01) and 14% more likely to report that privacy was a major challenge in their development compared with states without any legislation (p < 0.05). HIEs in states with incentives and consent requirements were least likely to report major privacy challenges compared with all other legislative approaches (p < 0.01).

Results from our cross-sectional model also help
to rule out what we considered the most promi-
nent confounding factors to the interpretations of
our results. First, we consider whether our results
merely reflect heterogeneity in the propensity of
incentives coupled with consent requirements to pro-
vide funding opportunities for HIE efforts (the lack
of sufficient financial support has been a prominent
barrier to HIE development). Although we account

Table 3 Consent Requirements and Key HIE Characteristics

                            (A)             (B)             (C)
                            PrivChallenge   FundChallenge   HighPatientHIE

Incentives                  0.144*          −0.240*         −0.102
                            (0.066)         (0.118)         (0.114)
Incentives × PrivConsent    −0.302**        −0.102          0.160
                            (0.068)         (0.141)         (0.107)
Population                  0.007*          −0.005          −0.005
                            (0.003)         (0.003)         (0.003)
PerCapGDP                   −0.007**        −0.007          0.010+
                            (0.002)         (0.005)         (0.006)
BroadbandAccess             −0.001          0.006           0.008
                            (0.003)         (0.007)         (0.009)
Democratic                  −0.015          −0.019          0.070
                            (0.064)         (0.112)         (0.103)
TopMed                      0.135*          0.218+          0.087
                            (0.053)         (0.117)         (0.127)
AdvancedDegree              0.030*          0.019           −0.078*
                            (0.014)         (0.029)         (0.034)
Over65                      0.032**         −0.011          −0.030
                            (0.011)         (0.022)         (0.020)
MonthsPursuing              −0.001+         −0.002          0.003**
                            (0.0001)        (0.001)         (0.001)
FormalGov                   −0.087          −0.104          0.437*
                            (0.073)         (0.155)         (0.159)

Observations                133             136             70
R-squared                   0.13            0.11            0.19

Notes. Robust standard errors are shown in parentheses. The number of observations varies because of some nonresponses in the survey; column (C) only uses responses from operational exchanges.
+p < 0.1; *p < 0.05; **p < 0.01.

for this in our panel estimation by controlling for HIE
incentives with funding opportunities (Funding), we
address this concern further by evaluating any asso-
ciation between HIE self-reported funding challenges
and incentives that included consent requirements.
We do not find support for the notion that HIEs in
states with consent requirements significantly differed
with respect to their access to sources of funding: col-
umn (B) in Table 3 shows that, although HIEs in states
with HIE incentives were 24% less likely to report that
funding was a major challenge (p < 0.05), there is no
significant correlation between consent requirements
and funding being a major challenge for HIEs with
an insignificant estimate on Incentivess × PrivConsents.

In addition, we evaluate whether legislative ap-
proaches coupling incentives with consent require-
ments actually resulted in a positive effect on
exchange capabilities in a healthcare market. Specif-
ically, it may be the case that, although legislative
approaches coupling incentives with consent result
in a higher likelihood of an exchange being opera-
tional, these exchanges may have less extensive or
comprehensive exchange capabilities. We do not find
evidence of this, however, with an insignificant esti-
mate on Incentivess × PrivConsents for HighPatientHIE


(column (C)). In fact, the positive estimate on this
coefficient suggests that HIEs in states with both
incentives and consent requirements trended toward
covering more patients, not fewer.

7. Robustness
We evaluated the robustness of our primary results
(model 1) by examining concerns regarding (1) the
endogenous passing of legislation providing incen-
tives and consent, (2) our assumption that HRRs are
subject to only one legislative approach, and (3) incen-
tive heterogeneity and high-impact states.

7.1. Endogeneity of Incentives and Consent
The results presented in §6 highlighted the unique
role of consent requirements combined with HIE
incentives in spurring the emergence of planning and
operational HIEs. The model we estimate was iden-
tified using HRR and time fixed effects to isolate
within-HRR variation over time and controls that
could be correlated with the legislative initiatives of
interest and the pursuit of HIE. However, a state’s
choice of a particular legislative approach is certainly
not random, exposing our estimates to potential bias
if there exists time-varying heterogeneity between
states with certain legislative approaches that also
contributes to the success of HIEs. Although the direc-
tion of this bias is ambiguous (i.e., it is possible that
the potential bias in our results makes our results
more conservative), we focus on the potential bias,
which could result in the overestimation of our cen-
tral result.

First, rather than HIE laws driving HIE activity,
these laws could instead be passed as a result of
increased HIE activity. To assess this possibility, we
plotted the total number of attempted HIEs (plan-
ning plus operational) for the main HIE legislative
approaches we identified. Figure 3 reveals that states
that ultimately passed consent requirements did not
have elevated levels of HIE activity before the pas-
sage of the law. In fact, they had the lowest level
of HIE activity when compared with other legisla-
tive approaches. More generally, before the period in
which most HIE laws were passed (pre-2007), there
were minor differences in the number of attempted
HIEs. However, as we move into 2007, states with
no legislation or incentives without consent main-
tain a roughly constant rate of growth, whereas states
that coupled incentives with consent requirements see
a significant increase in attempted HIEs. We further evaluate possible reverse causality by estimating our main model with one-time-period lead variables for the legal requirements (see columns (A) and (B) in Table 4). This allows us to evaluate whether the trends of increased planning and operational HIEs were, in fact, in existence prior to the enactment of relevant HIE laws. We find that our initial result is robust to the inclusion of lead variables and that the estimates on our lead variables, including the interaction of incentives and consent requirements, are insignificant.

Figure 3 (Color online) Number of HIEs in States with Key Legislative Approaches
[Line chart; y-axis: Total HIEs (0 to 5.0); x-axis: 2004 to 2010; series (attempted HIEs): Incentives and PrivConsent; Incentives and PrivNoConsent; No HIE law.]

In addition, our main estimation evaluates the
impact on HIE efforts of legislation with HIE incen-
tives compared with states without any such legisla-
tion. However, HIE incentives may be correlated with
time-varying state unobservables that also impact HIE
outcomes. For example, HIE incentives may be cor-
related with changes in political attitudes or public
opinion toward the importance of health IT, which is
likely to also have an impact on the emergence of HIE
efforts. As a result, we evaluate whether our results
are being driven by differences between states with
and without HIE incentives. Specifically, we estimate
our model using only the subset of states that have
legislation with HIE incentives (columns (C) and (D)
in Table 4). The results are consistent with those in our
original estimation with a sizable and significant (p < 0.05)
impact of Incentives × PrivConsent on both PlanningHIE
and OperationalHIE. In addition, we argue
that the heterogeneous effects on HIE efforts of incen-
tives (e.g., incentives without consent had a marginal
or no effect on HIE efforts) make it less likely that
unobserved factors, correlated over time with HIE
incentives, are systematically driving HIE efforts.

With respect to the endogeneity of privacy regu-
lation, prior work (e.g., Miller and Tucker 2011) has
used privacy regulation limiting the disclosure of
health information as an instrumental variable in the
estimation of the effect of EMR adoption on health-
care outcomes, arguing and presenting evidence that
such regulations are likely exogenous to shifts in
states’ focus on healthcare issues and political motiva-
tions. Similar to such analysis, we find that states with
consent requirements varied considerably in terms of
geographic location, size, and state political affiliation.
Moreover, we propose, similar to the case against the

Downloaded from informs.org by [140.234.255.9] on 19 April 2016, at 12:23. For personal use only, all rights reserved.

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives
1060 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

Table 4 Robustness Checks

                                    Lead variable analysis           Only states with incentives      Excluding overlapping HRR
                                    (A)              (B)             (C)              (D)             (E)              (F)
                                    PlanningHIE      OperationalHIE  PlanningHIE      OperationalHIE  PlanningHIE      OperationalHIE
PrivConsent                         −0.354**         −0.123*                                          −0.372**         −0.109
                                    (0.0614)         (0.0575)                                         (0.0853)         (0.0819)
PrivNoConsent                       −0.0246          −0.0845**                                        −0.106**         −0.114**
                                    (0.0407)         (0.0230)                                         (0.0368)         (0.0374)
Incentives                          −0.00114         0.0266                                           0.0172           0.0150
                                    (0.0394)         (0.0282)                                         (0.0585)         (0.0276)
Incentives × PrivConsent            0.389**          0.164**         0.248*           0.160**         0.445**          0.221**
                                    (0.104)          (0.0569)        (0.0923)         (0.0491)        (0.122)          (0.0673)
Incentives × PrivNoConsent          0.0430           0.0630+                                          0.0779           0.0904*
                                    (0.0717)         (0.0346)                                         (0.0826)         (0.0411)
IncentivesLead                      0.0230           −0.0319
                                    (0.0354)         (0.0311)
IncentivesLead × PrivConsentLead    0.116            0.0798
                                    (0.0700)         (0.0481)
IncentivesLead × PrivNoConsentLead  −0.0601          0.0447
                                    (0.0437)         (0.0332)
StateDesignated                     −0.161+          0.245**         −0.246+          0.152+          −0.156+          0.187*
                                    (0.0954)         (0.0482)        (0.125)          (0.0796)        (0.0894)         (0.0711)
Funding                             0.0433           −0.0662**       0.0568           −0.0656*        0.0503           −0.0590*
                                    (0.119)          (0.0210)        (0.0963)         (0.0290)        (0.117)          (0.0239)
CPOEAdoption                        0.0128           0.0894          −0.0408          −0.0393         0.0160           0.0924
                                    (0.0682)         (0.0793)        (0.0992)         (0.0973)        (0.0724)         (0.0880)
OperationalHIE                      −0.530**                         −0.526**                         −0.523**
                                    (0.0638)                         (0.0885)                         (0.0577)

Observations                        3,366            3,366           1,584            1,584           3,384            3,384
R-squared                           0.197            0.114           0.219            0.143           0.198            0.119
Control variables                   Yes              Yes             Yes              Yes             Yes              Yes
Time fixed effects                  Yes              Yes             Yes              Yes             Yes              Yes
HRR fixed effects                   Yes              Yes             Yes              Yes             Yes              Yes

Note. Robust standard errors are shown in parentheses. Rows reporting only four coefficients are shown here under columns (A), (B), (E), and (F); the extracted source does not indicate which cells were empty.
+p < 0.1; *p < 0.05; **p < 0.01.

endogeneity of HIE incentives, that our results par-
tially shield us from these concerns. If unobserved
factors are powerfully driving HIE efforts and these
factors are correlated, over time, with privacy reg-
ulation, the divergent effects of privacy regulation
(e.g., privacy regulation without incentives actually
inhibited HIE efforts) would be considerably more
difficult to identify. Since we focus on the interac-
tion of privacy regulation with incentives, we are still
concerned that specific legislative approaches, partic-
ularly legislative approaches that couple incentives
with consent requirements, could be differentially cor-
related with other unobserved factors over time that
could also drive the emergence of planning and oper-
ational HIEs. For instance, it is possible that legisla-
tive approaches coupling consent requirements with
incentives are also associated with changes in atti-
tudes toward health IT and the value of technol-
ogy in healthcare settings. However, we consider this
unlikely, because HIEs have expressed significant con-
cerns over consent-based regulation. For instance, in

a recent report (National eHealth Collaborative 2011),
HIE administrators suggested that requiring patients
to opt in to an HIE was a barrier to achieving the
critical mass of patient records needed to generate
theorized benefits. As a result, we suggest that it is
more likely that states that adopt consent require-
ments signal a shift toward a more tempered atti-
tude toward the trade-offs associated with health IT
relative to states with HIE incentives alongside less
stringent regulation, likely making our results more
conservative.

Finally, the combination of incentives and con-
sent requirements could reflect the sophistication of
state legislative bodies in anticipating and proac-
tively addressing the central concerns associated with
increased HIE activity in the state. This sophistica-
tion could also be correlated with better administered,
managed, and otherwise executed incentive programs
that yield improved HIE outcomes. To evaluate this
concern, we leverage work by Squire (2007) that ranks
state legislatures based on their professionalism. We



first find that measures of state legislative profession-
alism do not vary considerably over time: all but one
of the states ranking below the median in 1996 con-
tinued to rank below the median in 2003 (the most
recent ranking). Moreover, the states that passed con-
sent requirements and incentives varied considerably
in their legislative professionalism, with four of the
eight states ranking below the median in 2003.

Although we take a number of steps to con-
sider and evaluate potential endogeneity of legislative
efforts, we acknowledge that these concerns may per-
sist to some degree, as they often do with empirical
work of this nature.

7.2. HRR Boundaries
Measuring HIE activity at the level of an HRR allows
us to identify the impact of legislation on the propen-
sity of an HIE to be operational or in the plan-
ning stage within relatively self-contained healthcare
markets; it also allows for meaningful comparison
across states with regions subject to varying legisla-
tive approaches. This approach requires us to assume
that each HRR is contained within a single state and
thus a single legislative approach. However, HRR
boundaries can sometimes span multiple states that
may have different legislative approaches. We find
that this is fairly uncommon, with 80% of HRRs either
being fully contained in a single state or overlapping
with states that had the same legislative approach. An
additional 11% of HRRs had minor overlap (less than
25% of their population) in states with different leg-
islative approaches. When we exclude the remaining
9% of HRRs, which had significant overlap in states
with different legislation approaches, and estimate
our main model (see Table 4, columns (E) and (F)), we
find consistent results with our original estimation.29

29 Although not presented here for clarity, our results are also con-
sistent when using a state-level ordinary least squares estimation
approach with aggregated count measures of HIE activity, state and
time fixed effects, and state-level controls.

7.3. Incentive Heterogeneity and High-Impact States

Although we control for the most prominent variation
in the strategies that states take toward HIE incen-
tives, there may also be other HIE incentives that are
less common in our analysis but may still have an
impact on the nature of HIE incentives and also on
HIE outcomes. Specifically, we identified four other
features of HIE incentives that were less frequent
but still of potential interest: whether HIE incentives
were directed to an existing private organization as
opposed to a government entity, whether HIE incen-
tives instituted a pilot program, whether incentives
addressed existing regulation viewed as an impedi-
ment to HIE progress, and whether incentives had
an interstate dimension. To evaluate whether these
less common features of HIE incentives impact our
estimation, we estimate our main model with addi-
tional controls capturing these less frequent features
of HIE incentives and find consistent results with our
main estimation (see EC.3 in the electronic compan-
ion). Because our analysis relies on a limited num-
ber of states, it is also possible that our results are
not due to a correlation between consent requirements
and incentives but to a single state with unique HIE
incentives or with disproportionate HIE success as a
result of factors not captured in our model. To address
this concern, we limit our analysis to states with
HIE incentives and sequentially exclude all regions
in a given state that coupled incentives with consent
requirements from our estimation for PlanningHIE
and OperationalHIE (see EC.3 in the electronic com-
panion). We find that our results for PlanningHIE
and OperationalHIE are robust to sequential exclusion
of states with incentives and consent requirements.
Excluding New York seems to have the largest impact
on estimates of the effect of incentives coupled with
consent requirements, but these estimates are still sig-
nificant for OperationalHIE and marginally significant
for PlanningHIE.

8. Discussion and Conclusions
We evaluated the impact of legislation that varied
in whether it included requirements for patient con-
sent and provided HIE incentives over a span of six
years. We document a surprising interplay between
state attempts to incentivize HIE efforts and pri-
vacy regulation. Specifically, although privacy regula-
tion alone—and, in particular, regulation with consent
requirements—resulted in a negative effect on HIE
efforts, coupling HIE incentives with consent require-
ments was the only legislative approach intended to
encourage HIE efforts that actually resulted in an
increase in operational HIEs. We find that this result
is robust to considerations of reverse causality, endo-
geneity of HIE incentives and consent requirements,
considerations of HRR legislative boundaries, incen-
tive heterogeneity, and a single state driving the effect.
We also find that HIEs in states with both incen-
tives and consent requirements reported lower lev-
els of concern about patient privacy issues, whereas
exchanges in states with HIE incentives but with-
out consent requirements reported higher levels of
patient privacy concerns. We propose that this ele-
vated concern may be due to an association between
HIE incentives and privacy concerns that inhibit the
effectiveness of such incentives when consent require-
ments are not in place.

There are limitations to this research. The depen-
dent variables presented in this work may not cover



the full breadth of potential measures of success for
HIEs. For instance, prior research on HIEs has noted
that sharing by HIEs has been limited in breadth
and scope (Adler-Milstein et al. 2009). We evaluate
these measures using cross-sectional data, but future
work may evaluate the impact of various legislative
approaches on these measures in more substantive
terms. Moreover, an increase in regional HIE efforts
may not necessarily be a positive outcome. For exam-
ple, a better outcome might be to have only one
exchange that facilitates exchange for all providers in
the state. However, the current national strategy for
the exchange of health information involves spurring
small regional efforts and then linking them as build-
ing blocks of state and national exchange (Vest and
Gamm 2010). As is true in prior work, we can thus
view a higher probability of HIEs in planning and
operational stages in HRRs as a positive indicator of
HIE progress. Moreover, our work focuses specifically
on the role of providing patients with the choice to
consent in the context of HIEs, but other key con-
cerns with HIEs may also be relevant. For example,
it may be prudent in future work to evaluate the role
of information security requirements on the develop-
ment and progress of HIEs. Finally, this paper focuses
on regional models of HIE and, although alternative
approaches to HIE exist (e.g., national EMR vendor
HIE networks), we use an inclusive and widely held
definition of clinical data exchange between unaffil-
iated entities (i.e., those with no shared ownership
or governance). Moreover, regional efforts are more
likely to capture the full benefits of HIE because the
other approaches (e.g., vendor driven) restrict data
exchange in some way. It is therefore critical to under-
stand the conditions under which the HIE efforts
included in our study can succeed and, in particular,
the policy conditions that foster their success.

Our results help to inform the large national effort
underway to achieve the broad-based exchange of
health information. Given that HIEs offer innova-
tive healthcare technology solutions with the poten-
tial to alleviate two of the most pressing concerns
of the current healthcare system—rising costs and
inconsistent quality—this study proposes a comple-
mentarity of technology incentives and substantive
consumer privacy protections, highlighting the poten-
tial for future efforts to incentivize HIE growth while
balancing patient privacy concerns. Such results may
help to inform the broader debate on the role of
privacy regulation in information technology efforts.
First, the findings highlight the potential for the neg-
ative effects of privacy regulation on information
technology efforts to be counteracted by technology
incentives. Additionally, the focus on both the impact
of technology incentives and privacy requirements
extends the growing body of empirical work in this

space and bolsters the notion that privacy regulation
can have heterogeneous and complex effects on infor-
mation technology efforts. Specifically, we suggest
that a symbiotic relationship may exist between tech-
nology incentives and substantive privacy regulation
with simultaneous benefit to both consumers and pro-
ponents of information technology efforts. This yields
a possible lesson for regulators and policy makers:
legislative approaches that both incentivize technol-
ogy efforts and provide consumer privacy protections
may be one approach for enabling the growth of valu-
able information technology efforts while addressing
consumer privacy concerns.

Supplemental Material
Supplemental material to this paper is available at http://dx.doi.org/10.1287/mnsc.2015.2194.

Acknowledgments
The authors thank their reviewers for helpful comments
and suggestions and their associate editor for exceptional
effort and guidance throughout the review process. They
thank HIMSS Analytics for providing some of the data used
in this study and multiple discussants and seminar par-
ticipants for their insights. In particular, the authors are
grateful for the useful feedback from participants at the
2013 National Bureau of Economic Research Workshop on
the Economics of IT and Digitization, with distinct grati-
tude for the insightful feedback of Avi Goldfarb, Catherine
Tucker, and Amalia Miller. The authors also thank Sasha
Romanosky, Zia Hydari, and Corey Angst for their review
of early drafts of the manuscript. In addition, the authors
thank their research assistants Megan McGovern, Danning
Chen, and Kara Cronin for their diligent work in support
of this manuscript. Finally, Alessandro Acquisti gratefully
acknowledges support from the Carnegie Corporation of
New York via an Andrew Carnegie Fellowship. The state-
ments made and views expressed in this paper are solely the
responsibility of the authors. All errors are the authors’ own.

References
Adler-Milstein J, Bates DW, Jha AK (2009) U.S. regional health
information organizations: Progress but challenges remain.
Health Affairs 28(2):483–492.

Adler-Milstein J, Bates DW, Jha AK (2011) A survey of health infor-
mation exchange organizations in the United States: Impli-
cations for meaningful use. Ann. Internal Medicine 154(10):
666–671.

Anderson CL, Agarwal R (2011) The digitization of healthcare:
Boundary risks, emotion, and consumer willingness to disclose
personal health information. Inform. Systems Res. 22(3):469–490.

Angrist JD, Pischke JS (2008) Mostly Harmless Econometrics: An
Empiricist’s Companion (Princeton University Press, Prince-
ton, NJ).

Angst CM, Agarwal R (2009) Adoption of electronic health records
in the presence of privacy concerns: The elaboration likelihood
model and individual persuasion. MIS Quart. 33(2):339–370.

Angst CM, Agarwal R, Sambamurthy V, Kelley K (2010) Social con-
tagion and information technology diffusion: The adoption of
electronic medical records in U.S. hospitals. Management Sci.
56(8):1219–1241.

Bamberger K, Mulligan D (2011) Privacy on the books and on the
ground. Stanford Law Rev. 63(274):274–315.



Bertrand M, Duflo E, Mullainathan S (2004) How much should
we trust differences-in-differences estimates? Quart. J. Econom.
119(1):249–275.

Blumenthal D (2010) Launching HITECH. New Engl. J. Med.
362(5):382–385.

Blumenthal D, Tavenner M (2010) The “meaningful use” regulation
for electronic health records. New Engl. J. Med. 363(6):501–504.

Brandimarte L, Acquisti A, Loewenstein G (2012) Misplaced confi-
dences: Privacy and the control paradox. Soc. Psych. Personality
Sci. 4(3):340–347.

Cala A (2013) Renewable energy in Spain is taking a beating.
New York Times (October 8), http://www.nytimes.com/2013/10/09/business/energy-environment/renewable-energy-in-spain-is-taking-a-beating.html.

Comarow A America's best hospitals: The 2009–2010 honor roll.
U.S. News & World Report (July 15), http://health.usnews.com/health-news/best-hospitals/articles/2009/07/15/americas-best-hospitals-the-2009-2010-honor-roll.

eHealth Initiative (2005–2010) Annual survey of Health Informa-
tion Exchange at the state and local levels. Report, eHealth
Initiative, Washington, DC. https://www.ehidc.org/articles/reports.

Federal Trade Commission (2012) Protecting consumer privacy
in an era of rapid change: Recommendations for businesses
and policy makers. Report, Federal Trade Commission, Wash-
ington, DC. https://www.ftc.go/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers.

Goldfarb A, Tucker CE (2011) Privacy regulation and online adver-
tising. Management Sci. 57(1):57–71.

Goldstein M, Rein A (2010) Consumer consent options for elec-
tronic health information exchange: Policy considerations
and analysis. Report, Office of the National Coordinator for
Health Information Technology, U.S. Department of Health
and Human Services, Washington, DC.

Greenberg MD, Ridgely MS, Hillestad RJ (2009) Crossed wires:
How yesterday’s privacy rules might undercut tomorrow’s
nationwide health information network. Health Affairs 28(2):
450–452.

Greene W (2002) The behavior of the fixed effects estimator in non-
linear models. Working Paper EC-02-05, New York University,
New York.

Grossman JM, Kushner KL, November EA (2008) Creating sus-
tainable local health information exchanges: Can barriers to
stakeholder participation be overcome? Res. Brief February(2):
1–12.

Jha AK, Chan DC, Ridgway AB, Franz C, Bates DW (2009) Improv-
ing safety and eliminating redundant tests: Cutting costs in
U.S. hospitals. Health Affairs 28(5):1475–1484.

Kennedy P (1992) A Guide to Econometrics (Blackwell, Oxford, UK).

Lai Y, Hui K (2006) Internet opt-in and opt-out: Investigating the
roles of frames, defaults and privacy concerns. Proc. 2006 ACM
SIGMIS CPR, (ACM, New York), 253–263.

Lenard TM, Rubin PH (2005) Slow down on data secu-
rity legislation. Progress Snapshot (Release 1.9), https://www.techpolicyinstitute.org/files/ps1.9.pdf.

McDonald C (2009) Protecting patients in health information
exchange: A defense of the HIPAA privacy rule. Health Affairs
28(2):447–449.

McGraw D, Dempsey JX, Harris L, Goldman J (2009) Privacy as an
enabler, not an impediment: Building trust into health infor-
mation exchange. Health Affairs 28(2):416–427.

Miliard M (2010) ACLU brings suit against Rhode Island HIE.
Healthcare IT News (December 1), http://www.healthcareitnews.com/news/aclu-brings-suit-against-rhode-island-hie-0.

Miller AR, Tucker C (2009) Privacy protection and technology dif-
fusion: The case of electronic medical records. Management Sci.
55(7):1077–1093.

Miller AR, Tucker CE (2011) Can health care information technol-
ogy save babies? J. Political Econom. 119(2):289–324.

National eHealth Collaborative (2011) Secrets of HIE success
revealed: Lessons from the leaders. Report, HIE Networks,
Tallahassee, FL. http://www.nationalehealth.org/ckfinder/userfiles/files/REPORT%20-SecretsofHIESuccessRevealed.pdf.

National Rural Health Resource Center (2015) Health informa-
tion exchange—First considerations. Report, National Rural
Health Resource Center, Duluth, MN. Accessed September 1,
2015, https://www.ruralcenter.org/sites/default/files/rhitnd/HIE-First%20Considerations-National%20Rural%20Health%20Resource%20Center.pdf.

Neyman J, Scott EL (1948) Consistent estimates based on partially
consistent observations. Econometrica 16(1):1–32.

Office of the National Coordinator for Health Information Technol-
ogy (2012) Electronic health record adoption and utilization:
2012 highlights and accomplishments. Report, Office of the
National Coordinator for Health Information Technology, U.S.
Department of Health and Human Services, Washington, DC.

Posner R (1981) The economics of privacy. Amer. Econom. Rev.
71(2):405–409.

Pritts J, Choy A, Emmart L, Hustead J (2002) The State of Health
Privacy: A Survey of State Health Privacy Statutes (Georgetown
University, Washington, DC).

Pritts J, Lewis S, Jacobson R, Lucia K, Kayne K (2009) Privacy
and security solutions for interoperable health information
exchange: Report on state law requirements for patient per-
mission to disclose health information. Report, Office of the
National Coordinator for Health Information Technology, U.S.
Department of Health and Human Services, Washington, DC.

Sheng H, Nah FH, Siau K (2008) An experimental study on ubiq-
uitous commerce adoption: Impact of personalization and pri-
vacy concerns. J. Assoc. Inform. Systems 9(6):Article 15.

Simon S, Evans JS, Benjamin A, Delano D, Bates DW (2009)
Patients’ attitudes toward electronic health information
exchange: Qualitative study. J. Medical Internet Res. 11(3):e30.

Solove DJ (2004) The Digital Person: Technology and Privacy in the
Information Age (New York University Press, New York).

Somaskanda S (2013) Renewable energy losing its shine in Europe.
USA Today (March 23), http://www.usatoday.com/story/money/business/2013/03/21/europe-renewable-energy/2006245/.

Squire P (2007) Measuring state legislative professionalism: The
Squire index revisited. State Politics Policy Quart. 7(2):211–227.

Stigler G (1980) An introduction to privacy in economics and poli-
tics. J. Legal Stud. 9(4):628–633.

Stutzman F, Gross R, Acquisti A (2013) Silent listeners: The evolu-
tion of privacy and disclosure on Facebook. J. Privacy Confiden-
tiality 4(2):7–41.

Vest JR, Gamm LD (2010) Health information exchange: Persis-
tent challenges and new strategies. J. Amer. Medical Informatics
Assoc. 17(3):288–294.

Walker J, Pan E, Johnston D, Adler-Milstein J, Bates DW, Middleton
B (2005) The value of health care information exchange and
interoperability. Health Affairs 24(2):10–18.

Wennberg JE, Cooper MM (1996) The diagnosis and surgical treat-
ment of common medical conditions. The Dartmouth Atlas of
Healthcare (American Hospital Publishing, Chicago), 113–144.

White House (2012) Consumer data privacy in a networked world:
A framework for protecting privacy and promoting innovation
in the global digital economy. Report, U.S. Government Print-
ing Office, Washington, DC.


Copyright 2016, by INFORMS, all rights reserved. Copyright of Management Science is the
property of INFORMS: Institute for Operations Research and its content may not be copied or
emailed to multiple sites or posted to a listserv without the copyright holder’s express written
permission. However, users may print, download, or email articles for individual use.


Health Information Ownership: Legal
Theories and Policy Implications

Lara Cartwright-Smith, Elizabeth Gray, and Jane Hyatt Thorpe*

* The authors thank Jennifer Ansberry, JD, MPH, Maanasa Kona, JD, LLM, and
Resa Cascio, JD, LLM, for their valuable research contributions to this paper.

ABSTRACT

This Article explores the nature and characteristics of health
information that make it subject to federal and state laws and the existing
legal framework that confers rights and responsibilities with respect to
health information. There are numerous legal and policy considerations
surrounding the question of who owns health information, including
whether and how to confer specific ownership rights to health
information. Ultimately, a legal framework is needed that reflects the
rights of a broad group of stakeholders in the health information
marketplace, from patients to providers to payers, as well as the public's
interest in appropriate sharing of health information.

TABLE OF CONTENTS

I. INTRODUCTION ................................................... 208
II. THE UNIQUE NATURE OF HEALTH INFORMATION ....................... 209
    A. Definitions of Health Information ........................... 210
        1. Health Information Characteristics ...................... 210
        2. Health Information Types ................................ 212
III. THE LEGAL AND POLICY LANDSCAPE FOR HEALTH INFORMATION ......... 214
IV. LEGAL THEORIES OF INFORMATION OWNERSHIP ........................ 219
    A. Property law ............................................... 220
    B. Intellectual Property Law .................................. 225
    C. Federal Privacy Law ........................................ 226
        1. Constitutional Law ...................................... 226
        2. HIPAA ................................................... 228
        3. Other Federal and State Statutes and Regulations
           Protecting Health Information Privacy ................... 231
            a. The Genetic Information Non-Disclosure
               Act of 2008 (GINA) ................................... 232
            b. Privacy Act and FOIA ................................. 233
            c. 42 C.F.R. Part 2 ..................................... 234
    D. Contract Law ............................................... 235
    E. State Law .................................................. 236
V. POLICY CONSIDERATIONS ........................................... 237
VI. CONCLUSION ..................................................... 241

208 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207
 

I. INTRODUCTION

The concept of owning information invokes thoughts of
property and profit. Property ownership means that the owner may
use the property as he or she wishes. The owner may modify it,
destroy it, transfer it by sale or donation, and permit others to use it
according to his or her terms, among other things. However,
ownership of health information is less clear. In some cases, the law
ascribes clear ownership rights over part or all of a health record, but
in other cases, information may be used by a number of parties
without clear ownership rights, even for the person who is the subject
of the information. Stakeholders at the state and federal levels
struggle with these issues as more uses for health information are
developed, technological advancements enable greater mobility, and
accessibility and ownership of health information becomes more
significant, yet the answer to the ownership question remains unclear.
Numerous potential solutions to the health information ownership
question exist. One option would be to allow each person to own the
information held in her personal medical records, even if another
person created the record. Another might be to give ownership of the
patient’s information to the healthcare provider who recorded that
information. Or perhaps the many rights surrounding health
information amount to ownership or make ownership irrelevant in a
highly regulated environment.

This Article will explore the existing laws that confer rights
and responsibilities with respect to health information, discuss
various legal theories of ownership that could apply to health
information, and consider the implications of applying them in the
current health information policy landscape. In Part I, the Article will
explore the nature of health information and the various

2016] HEALTH INFORMATION OWNERSHIP 209

characteristics that may make it subject to federal and state
regulation. In Part II, the Article will explore the legal and policy
landscape surrounding health information regulation, considering why
ownership of health information is of particular relevance now. In
Part III, the Article will discuss the various laws and legal theories
that apply to health information, giving full ownership rights or rights
to access, use, and control it. Finally, in Part IV, the Article will
discuss policy considerations surrounding the question of health
information ownership, including the implications of conferring
specific ownership rights over health information. While there is no
one solution to the question of health information ownership, given
the complex bundle of overlapping rights under state and federal laws
that apply, the Article highlights the policy considerations that weigh
against treating health information exclusively as property.
Ultimately, a legal framework is needed that reflects the rights of the
many stakeholders in the health information marketplace, from
patients to providers to payers, as well as the public’s interest in the
appropriate sharing of health information.

II. THE UNIQUE NATURE OF HEALTH INFORMATION

In some ways, health information is similar to other types of
personal information: it contains unique details about a particular
individual. Like financial information, it can be used improperly to
discriminate against an individual and, like private photos or personal
thoughts, it can be embarrassing if disclosed publicly. In other ways,
health information is unique. For example, disclosing health
information to others is necessary both for proper medical treatment
of the person who is the subject of the information and also for the
business purposes of potentially many different people or entities,
such as doctors for treatment and billing purposes and health
insurance companies for payment purposes. Health information may
be relevant to third parties, as in the case of communicable diseases or
inheritable genetic conditions. Before considering how laws apply to
health information, it is important to define what health information
is and explain what makes it subject to regulation.


A. Definitions of Health Information

The most basic definition of health information is any
information concerning the health of at least one person.1 When
considering law and policy, however, the regulated information must
be specifically defined. For example, the physical medical record, the
content of the record, biological samples taken from a person, and data
aggregated from many different people can all be considered “health
information,” but they may be treated differently under the law. Not
all health information is subject to regulation, and information that is
regulated may be subject to laws that overlap or directly contradict
each other.2

1. Health Information Characteristics

There is no single legal framework governing “health
information;” rather, information may be subject to one or more laws
and/or regulations depending on the information’s specific
characteristics. For purposes of applying legal protections and
restrictions, health information can be defined based on a variety of
characteristics, such as its content, its source, and its form. These
characteristics are not mutually exclusive, so that multiple
overlapping rights and obligations may apply to a particular record or
piece of information, complicating the question of ownership.

Content focuses on the substance of the information. The
American Health Information Management Association (AHIMA)
defines health information as “the data related to a person’s medical
history, including symptoms, diagnoses, procedures, and outcomes.”3
This content-based definition is perhaps the broadest possible way to
describe health information, as there are no limitations related to its
source, form, or subject. The Office for the National Coordinator for
Health Information Technology (ONC) uses a slightly narrower
definition, recognizing health information as information about an
individual’s medical condition or history where the information can be
used to identify an individual.4 Indeed, identifiability is a critical
component underlying most federal and state laws and regulations
governing health information.5

1. What Is Health Information?, AM. HEALTH INFO. MGMT. ASS’N,
http://www.ahima.org/careers/healthinfo [https://perma.cc/8NV9-5VL4] (last visited Oct. 27,
2016).
2. See, e.g., Beverly Cohen, Reconciling the HIPAA Privacy Rule with State Laws
Regulating Ex Parte Interviews of Plaintiffs’ Treating Physicians: A Guide to Performing HIPAA
Preemption Analysis, 43 HOUS. L. REV. 1091, 1105–07 (2006).
3. What Is Health Information?, supra note 1.
4. What Is “Health Information” for Purposes of the Mobile Device Privacy and Security
Subsection of HealthIT.gov?, HEALTHIT.GOV, https://www.healthit.gov/providers-professionals/faqs/what-health-information-purposes-mobile-device-privacy-and-security-sub
[https://perma.cc/72JC-NQT2] (last visited Oct. 27, 2016).

2016] HEALTH INFORMATION OWNERSHIP 211

Health information can also be categorized by its source, which
refers to the person or the entity that initially collected the information,
as well as the setting in which the information was generated or
collected. Sometimes, the individual subject of the information or the
individual’s family members may be the information collector. Health
information may also be collected by entities providing care, paying for
care,6 performing public health functions, conducting research, or
delivering other services that may incidentally involve healthcare
information, such as those provided by prisons, schools, or
universities. Laws focusing on the source alone may protect
information only in its collected form, meaning the information itself
is not protected but the list, database, or other collected information
format is protected, as in the case of a business record, such as a
patient list. Moreover, these laws may only protect information held
by a certain party, such as a substance abuse treatment facility.

Lastly, the form of medical information indicates the method
by which information is collected and stored. Health information may
be tangible, such as a tissue sample, or intangible, such as an
individual’s memory about his or her health or an individual’s genetic
information. Intangible health information becomes tangible once it is
recorded or extracted from the individual. Tangible health
information is stored digitally or on paper, or as preserved physical
samples, such as those kept in biobanks. Some legal protections and
restrictions apply to health information by virtue of its form or
medium, such as laws granting ownership of a medical record to the
healthcare provider that holds it.7 In that case, the information is
protected health information because it is contained in a medical
record, but the protection may not follow the information once it
leaves the medical record.
5. See, e.g., Health Insurance Portability and Accountability Act (HIPAA) of 1996 §
1177, 42 U.S.C. § 1320d(6) (2012) (defining an “offense” by referring four times to “identifiable
health information” or “health identifier”).
6. Health insurers, for example, are entities that pay for care, though other entities
may be involved in payment. This would include the federal government when it directly pays
providers to deliver care to a specific population for which it has responsibility, such as veterans.
7. E.g., S.C. CODE ANN. § 44-115-20 (West 2016) (a physician is the owner of medical
records that were made in treating a patient and are in his or her possession, as well as the
owner of records transferred to him or her concerning prior treatment of the patient); VA. CODE
ANN. § 54.1-2403.3 (West 2016) (medical records maintained by any healthcare provider are the
property of the healthcare provider or the provider’s employer).

2. Health Information Types

When considering ownership and regulation of health
information, it is important to understand what may be owned or
regulated. Laws may regulate only a certain type of health
information, as in the case of state laws granting ownership of genetic
information to the subject of the information,8 which can complicate
matters if a certain record contains multiple types of information. It
is important to understand the terms used by policymakers and
stakeholders to delineate different types of information because these
definitions may determine what rights and responsibilities apply to
that information.

The medical and health policy communities have adopted
several commonly used terms to define certain types of health
information. The term “clinical data,” for example, refers to health
information collected in a clinical setting by a provider from a patient.9
Clinical data may include patient histories, lab results, x-rays, or
provider notes.10 Clinical data is stored in electronic health records
(EHRs) and electronic medical records (EMRs), paper-based medical
records, and clinical trial records.11

“Administrative data” is information collected from patients by
healthcare stakeholders, such as providers and payers, in connection
with the patient’s care or payment for care.12 Administrative data is
used primarily for business purposes like record keeping or billing and
may include patient demographic and insurance information.13
Administrative data may be found in EHRs and EMRs, paper-based
medical records, and practice management systems.14

8. E.g., ALASKA STAT. ANN. § 18.13.010 (West 2016) (“DNA sample and the results of a
DNA analysis are the exclusive property of the person sampled or analyzed.”); COLO. REV. STAT.
ANN. §§ 10-3-1104.6, -1104.7 (West 2016) (indicating genetic information is the property of the
individual); FLA. STAT. § 760.40 (2016) (“[R]esults of . . . DNA analysis, whether held by a public
or private entity, are the exclusive property of the person tested.”); GA. CODE ANN. § 33-54-1
(West 2016) (“Genetic information is the unique property of the individual tested . . . .”); LA.
STAT. ANN. §§ 22:1023, 40:2210 (2016) (“[I]nsured’s or enrollee’s genetic information is the
property of the insured or enrollee . . . .”).
9. Data Resources in the Health Sciences, U. WASH.,
http://guides.lib.uw.edu/hsl/data/findclin [https://perma.cc/3TXB-EQT5] (last visited Nov. 2,
2016).
10. THE OFFICE OF THE NAT’L COORDINATOR FOR HEALTH INFO. TECH., COMMON
CLINICAL DATA SET 2 (2015),
https://www.healthit.gov/sites/default/files/commonclinicaldataset_ml_11-4-15.pdf
[https://perma.cc/G37Q-LPP2]; see also What Is Health Information?, supra note 1.
11. See, e.g., INST. OF MED., CLINICAL DATA AS THE BASIC STAPLE OF HEALTH LEARNING:
CREATING AND PROTECTING A PUBLIC GOOD: WORKSHOP SUMMARY 45 (National Academies Press
2010), http://www.ncbi.nlm.nih.gov/books/NBK54296/ [https://perma.cc/9VDT-SPY9].
12. Id. at 100.
13. Id. at 126.

Finally, “patient-generated health data” (PGHD) is “health-
related data created, recorded, or gathered by or from patients” or
patients’ family members or other caregivers in non-clinical settings.15
PGHD may be generated or collected by mobile apps, personal health
records (PHRs), and home health equipment that does not
automatically transmit to a provider, such as a blood glucose
monitor.16

Other common terms refer to the content of the information.
“Biospecimens” are physical materials taken from an individual,
including tissue, blood, urine, or other human-derived material,17 as
well as the information derived from the material, such as extracted
DNA.18 A biospecimen can comprise subcellular structures, cells,
tissue, organs, blood, gametes (sperm and ova), buccal swabs,
embryos, fetal tissue, exhaled breath condensate, and waste (urine,
feces, sweat, hair and nail clippings, shed epithelial cells, and
placenta).19 “Genetic information” refers to information about an
individual’s genetic makeup and the genetic makeup of an individual’s
family members, as well as information about the manifestation of a
disease or disorder in an individual’s family members, such as a
family medical history.20 Both biospecimens and genetic information
may be defined and regulated according to their form as well as
content, as in the case of a rule applying only to the physical sample
taken from a body.

14. Id. at 69.
15. Patient-Generated Health Data, HEALTHIT.GOV, https://www.healthit.gov/policy-
researchers-implementers/patient-generated-health-data [https://perma.cc/6QHJ-T7MT] (last
visited Oct. 27, 2016).
16. Id.
17. OFFICE OF BIOREPOSITORIES AND BIOSPECIMEN RESEARCH ET AL., NCI BEST
PRACTICES FOR BIOSPECIMEN RESOURCES 59 (2011),
http://biospecimens.cancer.gov/bestpractices/2011-NCIBestPractices.pdf [https://perma.cc/WAH2-
3WQS] (last visited Oct. 27, 2016).
18. NAT’L INST. OF HEALTH, GUIDELINES FOR HUMAN BIOSPECIMEN STORAGE AND
TRACKING WITHIN THE NIH INTRAMURAL RESEARCH PROGRAM 3 (2013),
https://oir.nih.gov/sites/default/files/uploads/sourcebook/documents/ethical_conduct/guidelines-
biospecimen.pdf [https://perma.cc/QU9E-CDR4] (last visited June 28, 2016).
19. OFFICE OF BIOREPOSITORIES AND BIOSPECIMEN RESEARCH ET AL., supra note 17, at
59; Jonathan S. Miller, Can I Call You Back? A Sustained Interaction with Biospecimen Donors
to Facilitate Advances in Research, 22 RICH. J.L. & TECH. 1 (2015).
20. Adapted from the definition of “genetic information” set forth in GINA Title I. See
Genetic Information Nondiscrimination Act of 2008 § 201, 42 U.S.C. § 2000ff (2012).

III. THE LEGAL AND POLICY LANDSCAPE FOR HEALTH INFORMATION

In recent years, evolving technology has made health
information more accessible and more meaningful to individual
consumers, providers, payers, and researchers. Value-based
purchasing policies have created incentives for providers to collect,
analyze, and report more data about individual patients.21 Wearable
devices collect and record health information such as activity, heart
rate, and blood sugar level, enabling individuals to monitor, and thus
better manage their own health.22 These and other self-management
tools, such as Consumer Health Informatics (CHI) applications, are
particularly useful for patients with chronic conditions. For example,
researchers have found that the use of such tools can positively affect
health outcomes in the cases of breast cancer, alcohol abuse, smoking
cessation, obesity, diabetes, mental health, and asthma.23 CHI
applications also include electronic PHRs and patient portals, some of
which function as peer interaction systems by which users can
communicate with others who have similar conditions.24 Individuals
may also choose to share personal health information freely online
through websites specifically designed to aggregate information from
patients, such as PatientsLikeMe,25 as well as on social media.26
Providers even share patient information on social media (with
privacy protections in place), essentially crowdsourcing medical
diagnosis and treatment.27

21. See, e.g., Linking Quality to Payment, MEDICARE.GOV,
https://www.medicare.gov/hospitalcompare/linking-quality-to-payment.html
[https://perma.cc/D5FK-XVJQ] (last visited Oct. 27, 2016).
22. See John Comstock, CES 2016: Running List of Health and Wellness Devices,
MOBIHEALTH NEWS (Jan. 6, 2016), http://mobihealthnews.com/content/ces-2016-running-list-
health-and-wellness-devices [https://perma.cc/U4B3-WSJ2].
23. JOHNS HOPKINS UNIV. EVIDENCE-BASED PRACTICE CTR., IMPACT OF CONSUMER
HEALTH INFORMATICS APPLICATIONS, at v (2009),
http://www.ahrq.gov/downloads/pub/evidence/pdf/chiapp/impactchia.pdf [https://perma.cc/8H5Q-
L9KR].
24. Bisk, Defining the Concept of CHI, and Exploring How It Is Democratizing
Healthcare for Patients, USF HEALTH, http://www.usfhealthonline.com/resources/key-
concepts/consumer-health-informatics/#.V2xi0jkrK2x [https://perma.cc/5TET-T7GU] (last visited
Nov. 2, 2016).
25. Live Better, Together!, PATIENTSLIKEME, https://www.patientslikeme.com
[https://perma.cc/R66M-K49F] (last visited Nov. 2, 2016).
26. See Patricia Sanchez Abril & Anita Cava, Health Privacy in a Techno-Social World:
A Cyber-Patient’s Bill of Rights, 6 NW. J. TECH. & INTELL. PROP. 244, 247–48 (2008).
27. See, e.g., Alex Mohensi, Doc APProvED: ‘Instagram for Doctors,’ 36 EMERGENCY
MED. NEWS 22 (2014), http://journals.lww.com/em-
news/Fulltext/2014/04000/Doc_APProvED___Instagram_for_Doctors_.15.aspx
[https://perma.cc/2B9P-GKDX]; see also Esther K. Choo et al., Twitter as a Tool for
Communication and Knowledge Exchange in Academic Medicine: A Guide for Skeptics and
Novices, 37 MED. TCHR. 411, 413 (2014).

Technology is also enabling the use of “big data” drawn from
health records, which promises to improve the quality of healthcare,
allow a greater understanding of patient and provider behaviors, and
even find new treatments for conditions like cancer. “Big data” refers
to very large datasets containing vast quantities of a variety of
information types that arrive and must be processed quickly.28 It also
invites concern about commercial uses by information resellers and
marketers, as well as nefarious uses like identity theft and
discrimination.29 Cybersecurity experts estimate that a stolen medical
record is worth ten times more than stolen credit card information
because of medical information’s greater profit potential.30 In the
legal data market, health information is collected and sold to
companies such as credit bureaus, advertisers, and investigators. An
appendix to a 2013 Government Accountability Office (GAO) report on
information resellers listed characteristics that the credit reporting
company Experian used to identify individuals to include in marketing
lists it created and provided to its clients.31 The characteristics
included an extensive list of health conditions, including potentially
sensitive conditions like Alzheimer’s disease, cancer, clinical
depression, diabetes, erectile dysfunction, epilepsy, irritable bowel
syndrome, menopause, Parkinson’s disease, and prostate problems.32
The business of gathering health data for commercial purposes can be
significant; for example, IMS Health, one of the leading providers of
such intelligence, reported approximately $1.5 billion in annual
revenue for its information segment in each of the last five years.33
IMS Health draws information from a variety of sources, including
over 500 million patient medical records and over fourteen million
healthcare providers and organizations (Figure 1). These millions of
records and pieces of patient information are combined into a dataset
that is sold as a product to a variety of users.34 These practices
illustrate how one’s health information may be commodified—that is,
turned into a product for someone else’s profit. In this landscape,
legal ownership of information becomes a critical question.

28. Bernard Marr, Big Data a Game Changer for Healthcare, FORBES (May 24, 2016,
1:55 AM), http://www.forbes.com/sites/bernardmarr/2016/05/24/big-data-a-game-changer-in-
healthcare/#28efa52f3c75 [https://perma.cc/UYA3-MJKC].
29. Id.
30. Caroline Humer & Jim Finkle, Your Medical Record Is Worth More to Hackers Than
Your Credit Card, REUTERS (Sept. 24, 2014, 2:24 PM), http://www.reuters.com/article/us-
cybersecurity-hospitals-idUSKCN0HJ21I20140924 [https://perma.cc/X7QQ-4SVD].
31. U.S. GOV’T ACCOUNTABILITY OFFICE, INFORMATION RESELLERS: CONSUMER PRIVACY
FRAMEWORK NEEDS TO REFLECT CHANGES IN TECHNOLOGY AND THE MARKETPLACE 52–53 (2013),
http://www.gao.gov/assets/660/658151.pdf [https://perma.cc/U8JQ-SZZZ].
32. Id. at 53.
33. IMS HEALTH HOLDINGS, INC., 2015 ANNUAL REPORT 38 (2015),
http://s2.q4cdn.com/521378675/files/doc_downloads/2016/IMS_2015_Annual-
Report_Final_Final.pdf [https://perma.cc/V35F-JGCT]. $1.5 billion per year is a lot of money to
make just from aggregating and selling health data.

Figure 1: Data combined by IMS Health for its “Market Insights” health information business sector35

Courts are confronting these new data uses and considering
where they fit in existing legal structures, such as intellectual
property law. Two cases decided by the US Supreme Court in recent
years illustrate the challenge of sorting out legal rights where
corporate interests in personal information are concerned.36 In 2013,
in Ass’n for Molecular Pathology v. Myriad Genetics, Inc., (Myriad),
the Court considered a challenge to a patent held by Myriad Genetics
on genetic tests for certain genes that increase the risk of breast and
ovarian cancer.37 The tests involved isolating natural DNA strands
and creating synthetic complementary DNA that mirrored the original
isolated strands with slight alterations.38 The Court ruled that
synthetically created complementary DNA is patentable, while
isolated natural DNA is not.39 Although the case appeared to be a
relatively straightforward application of intellectual property law,
granting corporations a protectable property interest in material
derived from an individual’s DNA could have far-reaching
implications.40 If a corporation can create a commodity from DNA,
selling it and preventing others from making competing products,
other activities that amount to ownership of a person’s biological
material are not far off.

34. Id.
35. Global, National and Subnational Insights, QUINTILESIMS,
http://www.imshealth.com/en/solution-areas/market-insights [https://perma.cc/NG8J-YY56] (last
visited Nov. 12, 2016).
36. See generally Ass’n for Molecular Pathology v. Myriad Genetics, Inc., 133 S. Ct. 2107
(2013); Sorrell v. IMS Health Inc., 564 U.S. 552 (2011).
37. Myriad, 133 S. Ct. at 2110–11.
38. Id. at 2111.
39. Id.
40. Id. at 2113, 2120.

In 2011, the Court considered the constitutionality of legal
restrictions on the use of collected personal information in Sorrell v.
IMS Health Inc.41 Sorrell dealt with a common marketing practice,
wherein pharmacies collect prescriber-identifying information when
processing prescriptions and sell this information to “data miners.”42
Data miners use this information to produce reports on prescriber
behaviors, de-identified with respect to patients but identifying the
prescribing physician, which they lease to pharmaceutical
manufacturers.43 Manufacturers then employ “detailers,” commonly
known as pharmaceutical sales representatives or “drug reps,” who
use the reports to strategically market and promote their drugs to
physicians.44

The Vermont law in question prohibited pharmacies from
selling or disclosing prescriber-identifying information for marketing
purposes without the prescriber’s consent and further prohibited
pharmaceutical manufacturers and marketers from using prescriber-
identifiable information for sales marketing and promotion practices.45
The majority used a First Amendment free speech analysis to strike
down the statute because it imposed a burden on the protected speech
of the regulated pharmacies, manufacturers, and marketers, including
plaintiff IMS Health, thereby restricting communication.46

The dissent, however, argued that Vermont’s law regulated
commercial activity rather than speech and thus imposed no
significant burden on free speech.47 Because the majority interpreted
restrictions on the use of health information as a free speech violation
rather than regulation of health information use and exchange for
commercial purposes, the Court may have made it very difficult for
legislators to regulate the activity of collecting and disseminating
personal information, including health information, for profit. With
respect to ownership of health information, it may not be possible
after Sorrell to give ownership rights over health information to a
particular individual or entity through statute, regulation, or common
law because another party may be able to claim a constitutional right
to use the information for their own purposes.

41. Sorrell, 564 U.S. at 557.
42. Id. at 558.
43. Id.
44. Id.
45. VT. STAT. ANN. tit. 18, § 4631(d) (West 2010), invalidated by Sorrell v. IMS Health,
Inc., 564 U.S. 552 (2011).
46. Sorrell, 564 U.S. at 563–65.
47. Id. at 591–92.

The legal status of health information is the subject of robust
debate and the legal landscape is in flux. Scholars debate what legal
framework—whether property law, tort law, or constitutional
protections of free speech—should apply to health information.48
Members of the public debate the ethics of using personal health
information without consent, as in the case of Henrietta Lacks, whose
cancer cells were taken, replicated, and later commodified for valuable
research for decades without her consent and without her family’s
knowledge.49 Policymakers debate the proper balance between the
potential benefits of data derived from personal information and the
need to protect privacy and other rights.50

At the federal level, ONC is leading efforts to define the rules
of the road for the use and exchange of health information. For
example, ONC released a set of guiding principles related to health
information exchange governance in 2013, which were designed to
serve as a common framework for organizations engaging in the data
exchange for healthcare purposes.51 In 2015, ONC released the
Federal Health IT [Information Technology] Strategic Plan 2015–
2020,52 which highlights the importance of protecting health
information privacy and security in order to support and advance
“widespread use of all forms of health IT.”53 According to the Plan,
clarifying federal and state laws governing the privacy and security of
health information is a key component of promoting greater adoption
of health information technology.54

48. See, e.g., Barbara J. Evans, Much Ado About Data Ownership, 25 HARV. J.L. &
TECH. 70, 74 (2011) (arguing against propertization of health data); Bonnie Kaplan, Selling
Health Data: De-Identification, Privacy, and Speech, 24 CAMBRIDGE Q. HEALTHCARE ETHICS 256
(2015) (comparing property and free speech framework and suggesting tort law as alternative);
Paul M. Schwartz, Property, Privacy, and Personal Data, 117 HARV. L. REV. 2055, 2056 (2004)
(criticizing tort law as comprehensive framework and suggesting property law as proper
framework).
49. See generally REBECCA SKLOOT, THE IMMORTAL LIFE OF HENRIETTA LACKS (Random
House 2010).
50. See, e.g., Marc A. Rodwin, Patient Data: Property, Privacy & the Public Interest, 36
AM. J.L. & MED. 586, 617 (2010).
51. THE OFFICE OF THE NAT’L COORDINATOR FOR HEALTH INFO. TECH., GOVERNANCE
FRAMEWORK FOR TRUSTED ELECTRONIC HEALTH INFORMATION EXCHANGE 1 (2013),
https://www.healthit.gov/sites/default/files/GovernanceFrameworkTrustedEHIE_Final.pdf
[https://perma.cc/8WX9-DBFT].
52. THE OFFICE OF THE NAT’L COORDINATOR FOR HEALTH INFO. TECH., FEDERAL HEALTH
IT STRATEGIC PLAN 2015–2020, at 4 (2015), https://www.healthit.gov/sites/default/files/9-5-
federalhealthitstratplanfinal_0.pdf [https://perma.cc/BSG4-943T].
53. Id.
54. Id. at 43.

IV. LEGAL THEORIES OF INFORMATION OWNERSHIP

In law, ownership generally means legal title to something
combined with the exclusive right to possess it.55 Legal title gives the
owner a variety of rights, including rights to control, use, profit from,
dispose of, and prevent others from using the thing that is owned.56
This concept is straightforward in the case of an object or piece of real
estate. In the case of health information, ownership is usually less
clear. A patchwork of laws grants various rights and obligations with
respect to health information and medical records, including privacy,
confidentiality, and the rights to access, amend, and direct the
transfer of one’s health information.57 Some rights come from specific
laws and regulations, while others are derived from broader principles
of law, like privacy and property.58

Some states have laws granting specific ownership over
medical records or health information either to the healthcare
provider or, in New Hampshire, to the individual who is the subject of
the information.59 Some of these state laws use the term “own” or
“owner,” while others use the term “property.”60 In Wyoming, the law
refers to the physical conveyance for the information, giving the
provider ownership of “the paper, microfilm, or data storage unit upon
which the patient’s information is maintained [and stating that
patients] do not have a right to possess the physical means by which
the information is stored,” although they must be given access to
“pertinent information.”61 In New Hampshire, the state’s Patients’
Bill of Rights law states: “[m]edical information contained in the
medical records at any facility licensed under this chapter shall be
deemed to be the property of the patient.”62 This law is unique among
states and, since providers retain a property interest in their business
records, it is not clear how the conflicting property rights of patients
and providers would be resolved in case of a dispute. There are also
cases finding that medical records are the property of the healthcare
provider who created them, even where there is no statute or
regulation to that effect.63

55. Ownership, BLACK’S LAW DICTIONARY (10th ed. 2014).
56. E.g., Jane B. Baron, Property as Control: Case of Information, 18 MICH. TELECOMM.
& TECH. L. REV. 367, 384 (2012).
57. E.g., Mark A. Hall, Property, Privacy, and the Pursuit of Interconnected Electronic
Medical Records, 95 IOWA L. REV. 631, 649–50 (2010).
58. See id.
59. Who Owns Medical Records: 50 State Comparison, HEALTH INFO. & L.,
http://www.healthinfolaw.org/comparative-analysis/who-owns-medical-records-50-state-
comparison [https://perma.cc/3H2N-XNF5] (last visited Nov. 12, 2016).
60. See id.
61. 024-052 WYO. CODE R. § 003 (LexisNexis 2016).
62. N.H. REV. STAT. ANN. § 151:21 (2016).

While ownership is significant, it may not determine who can
do what with health information. Patients may have rights with
respect to their medical records under some federal privacy laws and
regulations.64 Many states have specific laws addressing how
providers must maintain, protect, and dispose of records, as well as
laws giving patients, providers, and others access to medical records,
regardless of ownership status.65 The following discussion addresses
the legal theories that could potentially serve as the basis for
ownership of health information, including property law, intellectual
property law, and privacy law.

A. Property law

In the United States, there is no recognized property interest in
one’s own personal information.66 There may be property interests in
specific types of information, as in the case of medical information
under the New Hampshire law67 referenced above, or in the physical
container that houses the information, such as a computer or diary.68
When information about individuals is compiled from public data or by
an entity with legal access to the information, such as a credit card
company, it can be sold without the permission of the subjects of the
information, who are not entitled to any compensation.69 Information
about customers, such as mailing lists, can be distributed alongside
real property when a business is transferred.70

63. See, e.g., Holtkamp Trucking Co. v. David J. Fletcher, M.D., L.L.C., 932 N.E.2d 34,
43 (Ill. 2010) (holding that medical records were physician’s property); McGarry v. J.A. Mercier
Co., 262 N.W. 296, 297–98 (Mich. 1935) (holding that x-ray negatives were the property of the
physician who made them, not the patient).
64. Hall, supra note 57, at 649–50.
65. See States, HEALTH INFO. & L., http://www.healthinfolaw.org/state
[https://perma.cc/6DWF-FVSR] (last visited Nov. 13, 2016).
66. Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal
Information, 37 U.C. DAVIS L. REV. 379, 403 (2003).
67. N.H. REV. STAT. ANN. § 151:21 (2016).
68. Hall, supra note 57, at 646–47.
69. Dwyer v. Am. Express Co., 652 N.E.2d 1351, 1352–53 (Ill. App. Ct. 1995).
70. E-7.04 Sale of a Medical Practice, AM. MED. ASS’N,
https://www.denbar.org/docs/AMA%20(Professionalism)%20E-7.pdf?ID=2373
[https://perma.cc/5P5Y-WBAT] (last updated Sept. 26, 2005).

Property can be defined broadly as “any interest in an object,
whether tangible or intangible, that is enforceable against the
world.”71 As explained by the California Supreme Court, applying a
broad definition, “[t]he term ‘property’ is sufficiently comprehensive to
include every species of estate, real and personal, and everything
which one person can own and transfer to another. It extends to every
species of right and interest capable of being enjoyed as such upon
which it is practicable to place a money value.”72 Others have limited
the definition of property to the specific set of “legally sanctioned
property forms” defined by legislatures.73 This Article uses a broad
definition, modified to apply to health information. Thus, a property
interest in health information may be defined as any interest in the
health information that is enforceable against the world. Property
rights under this definition are distinguished from the more limited
rights that apply under the terms of a contract, where rights are
enforceable only against a party to the contract, or rights that only
apply in certain settings or for certain users, such as health
information privacy and security regulations. When considering
property rights in personal information, courts have historically held
that such information belongs to no one until it is collected, at which
point it belongs to the collector.74 Thus, when a company collects the
names, addresses, phone numbers, and shopping histories of its
customers, that information may become a protected piece of property
that can be transferred along with other corporate property when the
business is sold or sold outright as a product itself.75

In the healthcare context, medical records typically belong to
the physician, hospital, or another provider that created them.76
Thinking of healthcare like any other service industry, the medical
record is a record of the service provided to the customer. For the
healthcare provider, the information in a medical record is necessary
for a number of purposes other than patient care. These include
receiving payment for the service from an insurance company,
complying with state and federal reporting requirements, supporting
business functions such as profit-sharing among partners and paying
taxes, and defending the provider in case of any claim of malpractice.77

71. Schwartz, supra note 48, at 2058.
72. Yuba River Power Co. v. Nevada Irrigation Dist., 207 Cal. 521, 524 (1929).
73. Thomas W. Merrill & Henry E. Smith, Optimal Standardization in the Law of
Property: The Numerus Clausus Principle, 110 YALE L.J. 1, 10 (2000).
74. Bergelson, supra note 66, at 403.
75. E.g., Julia N. Mehlman, If You Give a Mouse a Cookie, It’s Going to Ask for Your
Personally Identifiable Information: A Look at the Data-Collection Industry and a Proposal for
Recognizing the Value of Consumer Information, 81 BROOK. L. REV. 329, 331 (2015).
76. E.g., Hall, supra note 57, at 646–47.
77. Stanley J. Reiser, The Clinical Record in Medicine Part 2: Reforming Content and
Purpose, 114 ANNALS INTERNAL MED. 980, 984 (1991).

222 VAND. J. ENT. & TECH. L. [Vol. XIX:2:207

As business records, medical records and the information they contain
can be transferred when, for example, a partner leaves a medical
practice or a practice merges with another institution.78 Custody of
medical records may be made part of an employment contract between
a practice and an individual physician or part of a contract for the sale
of a practice.79 Patients cannot take the original medical record away
from the provider who created it, as it remains a vital business record
of the service provided.

On the other hand, the property interest in medical records is
not exclusive to the individual or entity that created them.80 Because
of the many rights held by individual patients with respect to their
medical records, records may not be disposed of in the same manner
as other property.81 Medical records cannot be destroyed or given to
others without following the procedures prescribed by federal and
state laws.82 Providers cannot prevent individuals from taking the
information in their records and giving it to a competing provider.83
The property interest a physician has in medical records is
fundamentally different from the property interest he or she has in an
x-ray machine or stethoscope.84 Thus, while medical records are
certainly property, they are a unique type of property.

Turning to the information contained in the medical record, it
may be the property of the person or entity that collected it. In
general, the collected form of the information may be “property,”
which courts have recognized,85 rather than the individual pieces of
the information itself. In the case of a customer list, for example, the
list may be considered property in its collected form. However, when
the names of some of the individuals from that customer list are
available elsewhere, such as in a phone book, it cannot be said that
the phone book contains the property of the company that collected the
customer list. In other words, the fact that health information may be

78. WILLIAM H. ROACH JR. ET AL., MEDICAL RECORDS AND THE LAW 333 (Jones and
Bartlett Publishers 4th ed. 2006).
79. Id. at 339.
80. Mark A. Hall & Kevin A. Schulman, Ownership of Medical Information, 301 J. AM.
MED. ASS’N. 1282, 1282–84 (2009).
81. See generally id.
82. E.g., Christine L. Glover, To Retain or Destroy? That Is the Health Care Records
Question, 103 W. VA. L. REV. 619, 625–26 (2001).
83. See Hall & Schulman, supra note 80, at 1282–84.
84. Id.
85. E.g., In re Nw. Airlines Privacy Litig., No. CIV.04-126(PAM/JSM), 2004 WL
1278459, at *4 (D. Minn. June 6, 2004) (where airline passengers’ personal information was
compiled and combined with other information to form a record, and the record itself became the
airline’s property).

the property of one party in its collected form does not mean that the
information itself is the property of the collector wherever it exists.

Whether or not the collected health information, like that in a
medical record, could be the property of the person who is the subject
of the information remains in question. In general, courts have
refused to recognize property rights in information about oneself, even
as they recognize causes of action where personal information is
misused, as in the case of identity theft or misappropriation of an
individual’s name or likeness for profit.86 Individuals have been
unable to prevent the distribution of information about them by
investigators, credit companies, and magazine publishers.87
Certainly, health information cannot be the exclusive property of the
subject, since the information itself is contained in business records of
the health providers who recorded the information and must be
exchanged with others, such as regulators, insurance companies, and
other providers, in order to do business.

What about genetic information, which is even more closely
tied to an individual than a name or photograph? Does genetic
information, such as a DNA sequence, have a special status as
property even where other health information does not? In the
famous Moore v. Regents of the University of California,88 a physician
at UCLA Medical Center isolated a cell line from the patient Moore’s
T-lymphocytes, extracted from biological samples taken during his
treatment.89 The physician made agreements to profit from
commercial development of the cell line and resulting products. Moore
sued, claiming, among other causes of action, that the biological
samples that yielded the cell line were his property that was illegally
converted by the physician.90 To prove the tort of conversion, the
“plaintiff must establish an actual interference with his ownership or
right of possession . . . [w]here plaintiff neither has title to the
property alleged to have been converted, nor possession thereof, he
cannot maintain an action for conversion.”91 In Moore, the California
Supreme Court held that Moore did not have an enforceable property
interest in his cells under existing law, partly because he did not

86. I.J. Schiffres, Annotation, Invasion of Privacy by Use of Plaintiff’s Name or Likeness
in Advertising, 23 A.L.R.3d 865 § 4 (1969).
87. E.g., Dwyer v. Am. Express Co., 652 N.E.2d 1351, 1351 (Ill. App. Ct. 1995); Shibley
v. Time, Inc., 341 N.E.2d 337, 340 (Ohio Ct. App. 1975); U.S. News & World Report, Inc. v.
Avrahami, No. 95-1318, 1996 WL 1065557, at *6 (Va. Cir. Ct. June 13, 1996).
88. Moore v. Regents of Univ. of Cal., 793 P.2d 479, 487 (Cal. 1990) (rejecting
individual’s claim of property right in his genetic information).
89. Id. at 481.
90. Id. at 482.
91. Id. at 488.

expect to retain possession of them after they were taken from his
body.92 The court declined to extend conversion to the facts in Moore,
noting the chilling effect on medical research and development of
treatments that would result from giving every patient a property
interest in their biological samples taken in the course of treatment
and any resulting research or innovation.93 Interestingly, genetic
information is one type of health information where states have given
individuals a property interest under the law. In Alaska,94 Colorado,95
Florida,96 Georgia,97 and Louisiana,98 state statutes declare genetic
information, DNA samples, or the results of DNA analysis to be the
property of the individuals who are the subject of the information.
Likewise, reproductive material has been deemed property after it has
been removed from the body.99 In general, reproductive material itself
is not sold but “donated,” although the donor may receive substantial
compensation in exchange for her “donor services.”100 Indeed, egg
donation is an $80 million market.101 The market is largely self-regulated:
industry guidelines limit the amount of compensation an egg donor
may receive, though no limits apply to sperm donation. These limits
were challenged in a class action102 brought by egg donors that was
settled in early 2016.103 Thus, given this history of treating
reproductive material as property or allowing the sale of reproductive
material using contracts in the same way other goods are sold, there is
potentially a greater degree of ownership that applies to reproductive
material than to other biological material or, more broadly, to health
information.

In contrast, the status of preserved embryos is much less clear.
Some courts have held that as potential persons, embryos cannot be

92. Id. at 488–89.
93. Id. at 494.
94. ALASKA STAT. ANN. §§ 18.13.010–.030, .100 (West 2016).
95. COLO. REV. STAT. ANN. §§ 10-3-1104.6, 1104.7 (West 2016).
96. FLA. STAT. § 760.40 (2016).
97. GA. CODE ANN. §§ 33-54-1 to -8 (West 2016).
98. LA. STAT. ANN. § 22:1023 (2016).
99. E.g., Kurchner v. State Farm Fire & Cas. Co., 858 So. 2d 1220, 1221 (Fla. Dist. Ct.
App. 2003) (holding that sperm outside of the body is property for purposes of insurance claim).
100. Kamakahi v. Am. Soc’y for Reprod. Med., No. C 11-01781 SBA, 2013 WL 1768706, at
*3 (N.D. Cal. Mar. 29, 2013).
101. Id.
102. Kamakahi v. Am. Soc’y for Reprod. Med., No. 11-CV-01781-JCS, 2015 WL 1926312,
at *1 (N.D. Cal. Apr. 27, 2015).
103. Jacob Gershman, Fertility Industry Group Settles Lawsuit over Egg Donor Price
Caps, WALL ST. J. (Feb. 3, 2016, 11:01 AM), http://blogs.wsj.com/law/2016/02/03/fertility-
industry-group-settles-lawsuit-over-egg-donor-price-caps/ [https://perma.cc/989S-CHXF].

property to be transferred like other marital property,104 while others
have freely enforced contracts that determine how embryos are to be
used or disposed of in the case of a separation.105 As the practice of
assisted reproduction continues to become more common, the legal
approach to the disposition of embryos may be informative for the
question of health information ownership. At least two people have
simultaneous and valid legal interests in a frozen embryo, created
from their biological material, which is somewhat analogous to
multiple parties having valid interests in a piece of health
information.

As these examples illustrate, the practice of treating health
information as property under the law has an uneven history. There
are some forms of health information, such as medical records created
by a healthcare provider in the course of doing business, that the law
is comfortable treating as property. Other forms, such as biological
materials and genetic information, have been treated differently.
Because an ownership interest may be claimed in intangible
information rather than the physical form of the record, some have
proposed that health information be protected under intellectual
property law.106

B. Intellectual Property Law

Intellectual property laws (which include trademark, copyright,
and patent mechanisms) confer the rights of property on creations of
the mind, such as scientific discoveries, artwork, designs, and written
work, in which one could not otherwise have an exclusive interest.107
The term “[i]ntellectual property relates to items of information or
knowledge, which can be incorporated in tangible objects at the same
time in an unlimited number of copies at different locations anywhere
in the world.”108 In order to be protected by a patent, which is the
mechanism that would apply to most healthcare-related intellectual
property, the discovery in question cannot be simply a “consequence of
the body’s natural processes.”109 Even if the natural phenomenon in
question is not identical across every person, if “the genetic

104. Davis v. Davis, 842 S.W.2d 588, 593, 604 (Tenn. 1992).
105. E.g., Litowitz v. Litowitz, 48 P.3d 261, 274 (Wash. 2002).
106. See Schwartz, supra note 48, at 2076.
107. See What Is Intellectual Property?, WORLD INTELL. PROP. ORG.,
http://www.wipo.int/about-ip/en/ [https://perma.cc/HS98-PTZU] (last visited Nov. 14, 2016).
108. SRIKANTH VENKATRAMAN, UNDERSTANDING DESIGNS ACT 115 (2010).
109. Genetic Techs. Ltd. v. Bristol-Myers Squibb Co., 72 F. Supp. 3d 521, 530 (D. Del.
2014).

correlations . . . exist apart from any human action,” the discovery is
unpatentable.110 Most of the health information about an individual
that is collected in medical records and databases is merely reporting
on the observed biological state and processes of the individual who is
the subject of the information. As such, it could not be protected by
intellectual property law, even if a human made the observation.

Courts in the United States have rejected attempts to patent
diagnostic procedures and medical treatments.111 However, it is
possible for a physician to use a very specialized technique for
evaluating or treating a patient and for that technique to be protected
by copyright or patent laws.112 The US Patent and Trademark Office
(USPTO) issued guidance to illustrate what considerations may allow
a procedure for evaluating or treating a natural process to be
protectable.113 If such protection is granted, the physician may be able
to shield the protected part of the evaluation from disclosure. Thus,
there is some capacity for health information to be protected by
intellectual property law, but it is limited under current standards.

C. Federal Privacy Law

1. Constitutional Law

The US Constitution does not explicitly enumerate a right to
privacy.114 However, various amendments to the Constitution grant
rights that relate to personal autonomy, an aspect of privacy insofar
as individuals can choose whether or not to participate in certain
activities or be subject to certain experiences, such as “the right to be
left alone.”115 The US Supreme Court has also identified a right to
privacy under the Fourteenth Amendment.116 Under the Fourteenth

110. Id. (citing Genetic Techs. Ltd. v. Agilent Techs., Inc., 24 F. Supp. 3d 922, 927 (N.D.
Cal. 2014) (stating correlations between variation in non-coding and coding regions alone are
unpatentable natural laws despite not being “universal” or “immutable scientific truths”)).
111. E.g., Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1298
(2012); PerkinElmer, Inc. v. Intema Ltd., 496 Fed. Appx. 65 (Fed. Cir. 2012). In Australia, by
contrast, medical treatments are considered patentable. Apotex Pty Ltd v Sanofi-Aventis
Australia Pty Ltd [2013] HCA 50.
112. See Memorandum from Andrew H. Hirshfeld, Deputy Comm’r for Patent
Examination Policy, U.S. Patent and Trademark Office, to the Patent Examining Corps (Mar. 4,
2014), http://www.uspto.gov/patents/law/exam/myriad-mayo_guidance.pdf
[https://perma.cc/3T4R-Z8C6].
113. Id.
114. Julie K. Freeman, Medical Records and the U.S. and Pennsylvania Constitutions’
Right to Privacy, 70 Pa. B.A. Q. 93, 95 (1999).
115. Robert E. Mensel, The Antiprogressive Origins and Uses of the Right to Privacy in
the Federal Courts 1860–1937, 3 FED. CTS. L. REV. 109, 124 (2009).
116. See, e.g., Roe v. Wade, 410 U.S. 113, 164 (1973).

Amendment, a law is unconstitutional if it infringes upon the exercise
of a fundamental right, such as the right to privacy, without a
“compelling” state interest.117 The right to privacy is defined and
determined on a case-by-case basis; for example, the Court has
identified a specific right to privacy with respect to decisions about
“family, marriage, motherhood, procreation, and child rearing.”118

One aspect of the privacy concept is the ability to control one’s
own information.119 However, existing Supreme Court case law does
not recognize within the right to privacy a right to control information,
though it has specifically declined to foreclose that possibility for the
future.120 As it currently stands, the right to control one’s information,
health-related or otherwise, is not considered a fundamental right,
and thus any law infringing upon that ability need only be rationally
related to a legitimate government purpose.121 Ten states explicitly
recognize an individual’s right to privacy in their constitutions.122
These states prohibit unreasonable or unwarranted invasions of
privacy, though none specifically include the right to control one’s
personal information as an aspect of “privacy.”123 In general, however,
the right to information privacy has been conferred primarily by
statute and regulation rather than by courts’ application of a
constitutional right.124

There is no comprehensive federal statutory framework
governing health information privacy and security,125 but rather a
patchwork of federal laws that often overlap or even contradict each
other. The primary function of these laws and regulations is to limit
the ways in which lawful holders of the information may use and
share it with or without the subject of the information’s consent.126
Although federal privacy laws and regulations do not explicitly confer
an ownership interest in health information, they do grant
information holders some ability to direct and control how the

117. Id. at 155–56.
118. Paris Adult Theater v. Slaton, 413 U.S. 49, 65 (1973).
119. See Hall & Schulman, supra note 80, at 1282–84.
120. ERWIN CHEMERINSKY, CONSTITUTIONAL LAW: PRINCIPLES AND POLICIES 856 (3d ed.
2006).
121. See id.
122. Privacy Protections in State Constitutions, NAT’L CONF. ST. LEGISLATURES (Dec. 3,
2015), http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-
protections-in-state-constitutions.aspx [https://perma.cc/VG3R-Q6MY].
123. See id.
124. See id.
125. Jane Hyatt Thorpe & Elizabeth A. Gray, Big Data and Public Health: Navigating
Privacy Laws to Maximize Potential, 130 PUB. HEALTH REP. 171, 171–75 (2015).
126. E.g., Hall, supra note 57, at 657.

information is used.127 Some laws and regulations give individuals
explicit rights with respect to their health information when it is in
the possession of certain lawful holders of that information.128 These
laws vary considerably in terms of the health information they protect
and the entities they govern, though all of these laws apply only to
identifiable information.129

2. HIPAA

The most widely referenced federal framework related to
health information is the Health Insurance Portability and
Accountability Act of 1996 (HIPAA)’s130 Administrative Simplification
provisions131 and their enabling regulations—the Privacy, Security,
Breach Notification, and Enforcement Rules, known collectively as
“the HIPAA Rules.” Under HIPAA, individually identifiable health
information is oral or recorded information created or received by a
healthcare provider, health plan, employer, or healthcare
clearinghouse that identifies or could be used to identify an individual,
and relates to the individual’s care or to his past, present, or future
mental or physical health condition or payment for care.132 The
HIPAA Rules do not apply to individually identifiable health
information held in certain types of records, such as education records,
or about individuals deceased for over fifty years.133 The information
subject to HIPAA is referred to as “protected health information”
(PHI). Much health-related information exists outside of HIPAA’s
protections, including PGHD,134 consumer and sentiment data
describing patient activities and preferences (i.e., exhaust data),135

127. See id.
128. See id. at 646.
129. Id. at 659.
130. Health Insurance Portability and Accountability Act (HIPAA) of 1996, Pub. L. No.
104-191, 110 Stat. 139 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
131. See, e.g., id. at §§ 261–62.
132. 45 C.F.R. § 160.103 (2016) (“Individually identifiable health information is
information that is a subset of health information, including demographic information collected
from an individual . . . .”).
133. Id.
134. Patient-Generated Health Data, supra note 15.
135. Nicolas P. Terry, Big Data Proxies and Health Privacy Exceptionalism, 24 HEALTH
MATRIX 65, 85 (2014),
http://scholarlycommons.law.case.edu/cgi/viewcontent.cgi?article=1005&context=healthmatrix
[https://perma.cc/RR4R-Z4Y4].

and de-identified information—though these types of information may
be subject to other laws and regulations.136

The HIPAA Rules only regulate the use, disclosure, and
management of PHI when it is in the possession of certain entities.137
These are Covered Entities (health plans, healthcare clearinghouses,
and most healthcare providers)138 and their Business Associates
(entities that have access to PHI in the course of performing certain
services for or functions on behalf of a Covered Entity);139 HIPAA does
not govern individually identifiable health information when it is in
the possession of non-regulated entities (i.e., neither Covered Entity
nor Business Associate), even if the information meets the definition
of PHI.140

The HIPAA Rules collectively serve as the federal floor for
identifiable health information privacy and security.141 The HIPAA
Privacy Rule, as its name suggests, governs the privacy and
confidentiality of PHI.142 It dictates when and to whom a Regulated
Entity is permitted to disclose PHI, which can be grouped into three
broad categories:

1. Required Disclosures: a Regulated Entity must disclose PHI to
the individual subject of the information upon request143 and

136. See generally What Is “Health Information” for Purposes of the Mobile Device
Privacy and Security Subsection of HealthIT.gov?, supra note 4.
137. 45 C.F.R. § 160.102(a), (b) (2016).
138. 45 C.F.R. § 160.103 (defining “covered entity” to include “[a] health plan,” “[a]
health care clearinghouse,” and “[a] health care provider who transmits any health information
in electronic form in connection with a transaction covered by this subchapter”); see also §
160.103 (defining “health care clearinghouses” to include businesses or agencies that process
nonstandard health information they receive from other entities into a standard format); §
160.103 (where “health information”—information (identifiable or not) that is created by a
healthcare provider, health plan, public health authority, employer, life insurer, school or
university, or healthcare clearinghouse and that relates to an individual’s healthcare or an
individual’s past, present, or future physical or mental health or condition or payment for care—
has a broader definition than “protected health information”); 45 C.F.R. § 162 (2016) (defining
“covered health care provider” as one who electronically transmits health information in
connection with “covered” transactions, which include, but are not limited to, benefit eligibility
inquiries and claims).
139. 45 C.F.R. § 160.103 (defining “business associate” to include those who provide
“legal, actuarial, accounting, consultation, data aggregation . . ., management, administrative,
accreditation, or financial services”).
140. See, e.g., Modifications to the HIPAA Privacy, Security, Enforcement, and Breach
Notification Rules Under the Health Information Technology for Economic and Clinical Health
Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA
Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (codified at C.F.R. pts. 160, 164).
141. See 45 C.F.R. § 160 (2016); see also 45 C.F.R. § 160.203 (2016); 45 C.F.R. § 164.502
(2016).
142. See generally 45 C.F.R. §§ 164.500–.534 (2016).
143. 45 C.F.R. § 164.502(a)(2)(i), (4)(ii) (2016).

to the Secretary of the US Department of Health and Human
Services (HHS) for enforcement and compliance purposes;144

2. Prohibited or Limited Disclosures: a Regulated Entity may not
disclose PHI for certain purposes145 (e.g., most sales of PHI146)
and must obtain an individual’s authorization to disclose
certain types of PHI (e.g., psychotherapy notes147) in almost all
circumstances;148 and

3. Permissive Disclosures: a Covered Entity149 may disclose
[most] PHI without first obtaining the subject’s authorization
for a variety of purposes (though some of these purposes
require that, where practicable, the individual be given the
opportunity to informally object to the disclosure150).151

Any disclosures not required, permitted, or prohibited by the Privacy
Rule require written authorization from the individual subject of the
PHI.152 The “permissive disclosure” exceptions were designed to
permit Covered Entities to engage in fundamental healthcare
activities without being burdened by authorization requirements.153
Permissive exceptions include disclosures for purposes of treatment,
payment, and healthcare operations,154 as well as a variety of purposes
that benefit the public good, such as disease surveillance, national
security, and law enforcement activities.155 These exceptions are so
broad that Covered Entities essentially retain greater control over
PHI than the actual subject of the information.156 However, in an

144. 45 C.F.R. § 164.502(a)(2)(ii), (4)(i).
145. See 45 C.F.R. § 164.502(a)(5).
146. 45 C.F.R. § 164.502(a)(5)(ii).
147. 45 C.F.R. § 164.508(a) (2016).
148. 45 C.F.R. § 164.508(a)(2).
149. See 45 C.F.R. § 164.502(a)(1); see also 45 C.F.R. § 164.502(a)(3) (stating that a
business associate may only disclose PHI as required by its business associate contract or the
law).
150. 45 C.F.R. § 164.510 (2016).
151. 45 C.F.R. § 164.512 (2016); see also OFFICE FOR CIVIL RIGHTS, PERMITTED USES AND
DISCLOSURES: EXCHANGE FOR TREATMENT 1 (2016),
http://www.hhs.gov/sites/default/files/exchange_treatment.pdf [https://perma.cc/8WK6-F6D5];
OFFICE FOR CIVIL RIGHTS, PERMITTED USES AND DISCLOSURES: EXCHANGE FOR HEALTH CARE
OPERATIONS 1 (2016), http://www.hhs.gov/sites/default/files/exchange_health_care_ops.pdf
[https://perma.cc/22LV-LN9M].
152. 45 C.F.R. § 164.502(a)(1).
153. See, e.g., Standards for Privacy of Individually Identifiable Health Information, 67
Fed. Reg. 14776 (proposed Mar. 27, 2002) (to be codified at C.F.R. pts. 160, 164).
154. 45 C.F.R. § 164.506 (2016).
155. 45 C.F.R. §§ 164.510, .512 (2016).
156. See infra notes 168–73.

effort to balance an individual’s interest in his or her own information
with the need to enable proper functioning of the healthcare system,
the Privacy Rule establishes six rights individuals have with respect
to their PHI:

1. To be notified of uses and disclosures a Covered Entity may
make;157

2. To request restrictions on some uses and disclosures, though a
Covered Entity is only required to comply with such a request
in very limited circumstances;158

3. To request that a health plan or a covered provider
communicate PHI confidentially (i.e., by alternative means or
at alternative locations), though a health plan is only required
to comply in specific circumstances;159

4. To inspect and obtain a copy of PHI or have the Covered Entity
transmit a copy of PHI to a designated third party;160

5. To amend PHI in certain circumstances;161 and

6. To receive an accounting of disclosures of PHI made in the
preceding six years, though many types of disclosures are
exempt from the accounting requirement.162

While the HIPAA Privacy Rule grants an individual substantial
rights, including access to and some measure of control over their
health information, because of the many exceptions to and limitations
on these rights, they do not equate to the full control that ownership
under a property theory would convey.163

3. Other Federal and State Statutes and Regulations Protecting
Health Information Privacy

Some other federal statutes and regulations protect health
information primarily based on its content. These include: 42 C.F.R.
Part 2 (Part 2),164 which protects identifying information about

157. 45 C.F.R. § 164.520(a)(1) (2016).
158. 45 C.F.R. § 164.522(a) (2016).
159. 45 C.F.R. § 164.522(b).
160. 45 C.F.R. § 164.524 (2016).
161. 45 C.F.R. § 164.526 (2016).
162. 45 C.F.R. § 164.528 (2016).
163. Hall, supra note 57, at 649.
164. 42 C.F.R. § 2 (2016).

substance abuse treatment patients, the Genetic Information Non-
Disclosure Act of 2008 (GINA),165 which protects individuals’ genetic
information, and the Patient Safety and Quality Improvement Act of
2005 (PSQIA),166 which protects identifiable patient safety work
product. Other laws protect health information primarily based on its
source. These include: the Fair Credit Reporting Act (FCRA),167 which
protects medical information in consumer reports, the Privacy Act of
1974,168 which protects individually identifiable information—
including health information—held by the federal government, the
Family Educational Records Privacy Act (FERPA),169 which protects
identifiable information—including health information—in education
records, and the Public Health Services Act’s Title X,170 which protects
health information collected by Community Health Centers.

a. The Genetic Information Non-Disclosure Act of 2008 (GINA)

GINA protects individuals’ genetic information171 from being
used for certain purposes.172 Under Title I of GINA, health plans and
health insurance issuers may not use genetic information to make
coverage-related decisions about beneficiaries.173 Health plans and
issuers generally may not even request that a beneficiary undergo
genetic testing or provide genetic information, though there are
limited exceptions.174

Title II of GINA prohibits employers from using genetic
information to discriminate against employees or applicants and from
using genetic information in employment decisions.175 Employers are
generally prohibited from acquiring genetic information about an

165. Genetic Information Nondiscrimination Act (GINA) of 2008, Pub. L. No. 110-233,
122 Stat. 881 (tit. II codified at 42 U.S.C. § 2000ff).
166. Patient Safety and Quality Improvement Act (PSQIA) of 2005, Pub. L. No. 109-41,
119 Stat. 424 (codified in scattered sections of 42 U.S.C.).
167. Fair Credit Reporting Act (FCRA), 15 U.S.C. §§ 1681–1681x (2012).
168. Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (codified at 5 U.S.C. § 552a).
169. Family Educational Records Privacy Act (FERPA) of 1974, 20 U.S.C. § 1232g (2012)
(implementing regulations at 34 C.F.R. § 99).
170. 42 C.F.R. § 51c.110 (2016).
171. “Genetic information” includes family medical history, information from genetic tests
and services, requests for and receipt of genetic services, and participation in clinical research
that includes genetic services. See, e.g., Genetic Information Nondiscrimination Act (GINA) of
2008, Pub. L. No. 110-233, tit. I, § 101(d), 122 Stat. 881, 883 (2008).
172. Note that GINA does not apply to life insurance plans, long-term care plan issuers,
or disability insurers. Genetic Discrimination, NAT’L HUM. GENOME RES. INST.,
https://www.genome.gov/10002077/ [https://perma.cc/CF84-PPR3] (last updated May 2, 2016).
173. See, e.g., GINA tit. I, § 102(a)(4).
174. See, e.g., GINA § 101(b).
175. See, e.g., GINA tit. II, § 202(a).

employee or applicant for any reason,176 with some exceptions where
the acquisition is unintentional or for certain legitimate business
purposes. Title II also requires that employers keep [legally acquired]
genetic information confidential,177 and lists several purposes for which such
information may be disclosed without the individual subject’s
consent.178 GINA permits, but does not require, employers to disclose
genetic information to the employee upon written request.179

GINA mandated amendments to HIPAA to ensure that
“genetic information” is included within the definition of PHI, and that
Title I’s prohibition on the use of genetic information by health
insurers for underwriting purposes is also explicitly prohibited under
HIPAA.180 GINA’s protections give individuals some control over their
genetic information by limiting not just how that information can be
used, but whether it can be obtained at all.181 GINA was enacted to
ensure that individuals were not discouraged from utilizing genetic
testing, technologies, research, and related therapies out of fear of
discrimination.182

b. Privacy Act and FOIA

The Privacy Act of 1974 protects identifiable information about
individuals, including health information, held or collected by the
federal government.183 Generally, a federal agency may not release
individually identifiable information to anyone without the subject of
the information’s written consent.184 There are multiple exceptions to
this prohibition, including for several legitimate governmental
purposes, statistical research, and as required by the US Freedom of
Information Act (FOIA).185 The Privacy Act does provide individuals
certain rights with respect to their information, including the right to
receive an accounting of certain disclosures made within the last five
years,186 the right to review and obtain a copy of the information upon
request,187 and the right to request an amendment to the information,

176. GINA § 203(b).
177. GINA § 206(a).
178. GINA § 206(b).
179. Id.
180. GINA tit. I, § 105(a).
181. GINA § 101(d).
182. GINA § 2(5).
183. 5 U.S.C. § 552a (2012).
184. § 552a(b).
185. Id.
186. § 552a(c)(3).
187. § 552a(d)(1).

though the agency is not required to comply with such a request.188
While the Privacy Act does give individuals some control over their
information, it does not limit the information that may be collected or
stored by a federal agency, though such limitations may exist in other
laws or regulations.189 An individual cannot restrict, or even request
that an agency restrict, how information is used or disclosed.190 Thus,
the Privacy Act is quite broad, though its reach is limited by its
relationship to FOIA.191

Under FOIA, any person may access any information contained
in federal agency records,192 including individually identifiable
information otherwise protected by the Privacy Act, unless the
information is specifically exempted from disclosure.193 Generally,
these exemptions prevent disclosure of information that is considered
sensitive or of a personal nature; the most pertinent of these is
exemption 6, which protects “personnel, medical, and similar files”
where disclosure “would constitute a clearly unwarranted invasion of
personal privacy.”194 Exemption 6 essentially closes the privacy gap
created by the Privacy Act’s exception for FOIA-related disclosures.195
While exemption 6 does not give an individual more control over his or
her health information in the possession of the federal government,
the opportunities for such information to be shared without the
individual’s consent are limited almost entirely to governmental and
law enforcement functions.196

c. 42 C.F.R. Part 2

42 C.F.R. Part 2 protects identifying information, recorded or
not, that could or does reveal that an individual received substance
abuse treatment;197 Part 2 applies to all federally-assisted
programs198 providing substance abuse diagnosis, treatment, or

188. § 552a(d)(2).
189. § 552a(b)(1).
190. Id.
191. U.S. GOV’T GEN. SERVS. ADMIN., YOUR RIGHT TO FEDERAL RECORDS: QUESTIONS AND
ANSWERS ON THE FREEDOM OF INFORMATION ACT AND THE PRIVACY ACT 16 (2009),
https://www.justice.gov/sites/default/files/oip/legacy/2014/07/23/right_to_federal_records09.pdf
[https://perma.cc/2V3V-R7BF].
192. 5 U.S.C. § 552(a)(6)(A) (2012).
193. § 552(b).
194. § 552(b)(6).
195. See id.
196. See id.
197. 42 C.F.R. § 2.12(a)(1)(ii), (a)(2) (2016).
198. A program is “federally assisted” if it is conducted by any federal department or
agency (directly or under contract), is carried out under any federal license, certification,

referral.199 While Part 2 information is also protected health
information (PHI) and Part 2 programs are almost always Covered
Entities, Part 2’s protection for patient identifying information
provides much greater control to patients than HIPAA would
otherwise provide.200 In general, Part 2-covered information may not
be disclosed without the patient’s written consent,201 with limited
exceptions. Part 2 also prohibits recipients of covered information
from further disclosing the information without written consent or
unless otherwise permitted by Part 2.202 Part 2 grants individuals
some rights with respect to their covered information, though these
are limited to the right to be informed of Part 2’s confidentiality
protections203 and the right to access, inspect, and obtain a copy of his
or her own records.204 Part 2’s provisions grant individuals the
near-exclusive ability to control when and to whom their covered
information is disclosed.205 Similar to GINA’s intended purpose, Part
2 was enacted to ensure that individuals were not discouraged from
seeking substance abuse treatment due to privacy-related fears.206

Federal Privacy Law has been crafted to meet certain needs
but is not a comprehensive regulatory scheme covering all types or
uses of health information. It does not confer comprehensive
ownership rights but does extend a number of rights and obligations
over health information that may have the same effect as ownership
under the law, in some circumstances, for those types and uses of
information that are covered.

D. Contract Law

Contracts are a way to confer rights where they may or may
not be granted by other legal authorities.207 Ownership can be

registration, or authorization (e.g., Medicare/Medicaid providers, providers with a DEA number),
or receives any federal financial assistance (e.g., grants, federal tax-exempt status). § 2.12(b).
199. § 2.12(e)(2).
200. See, e.g., U.S. DEP’T OF HEALTH & HUMAN SERVS., THE CONFIDENTIALITY OF
ALCOHOL AND DRUG ABUSE PATIENT RECORDS REGULATION AND THE HIPAA PRIVACY RULE:
IMPLICATIONS FOR ALCOHOL AND SUBSTANCE ABUSE PROGRAMS 4 (2004),
http://archive.samhsa.gov/HealthPrivacy/docs/SAMHSAPart2-HIPAAComparison2004.pdf
[https://perma.cc/FSH9-E35P].
201. 42 C.F.R. § 2.1(a) (2016).
202. 42 C.F.R. § 2.12(d)(2)(iii).
203. 42 C.F.R. § 2.22(a) (2016).
204. 42 C.F.R. § 2.23(a) (2016).
205. See § 2.12.
206. 42 C.F.R. § 2.3(b)(2) (2016).
207. See RESTATEMENT (SECOND) OF CONTRACTS § 1 (AM. LAW INST. 2016).

granted, transferred, or revoked through the use of contracts.208
Regardless of ownership, any number of rights and responsibilities
with respect to information can be delineated in a contract and
enforceable in court with penalties for any breach.209 The limitation of
a contract is, of course, that it is only enforceable against the parties
to the contract.210 Thus, any protections granted to information by a
contract will not follow the information if it is transferred to another
person who, or entity that, is not a party to the contract.211

Contracts may be used to limit or expand rights and
responsibilities over information even where the information in
question is already regulated, as in the case of Business Associate
Agreements (BAAs) that regulate how Business Associates of Covered
Entities must manage protected health information in order to comply
with HIPAA.212 Even though the health information held by a
Covered Entity is already regulated under HIPAA, the BAA can be
used to extend the HIPAA’s protections and liability for any breach to
another entity.213

Contracts are a powerful way for parties to establish rights and
responsibilities under the law, but they are limited because they only
bind the parties to the contract. The privacy of people who are the
subject of the information may be protected or left vulnerable by the
terms of contracts to which they are not a party and which they
cannot enforce.

E. State Law

States have wide latitude to define their own privacy
framework, and as a result, state privacy laws vary considerably in
terms of scope and application.214 State health information laws may
mirror federal requirements, be more protective than federal law, or
govern health information that is not specifically protected by federal
law.215 In general, governed entities must comply with any state laws

208. See id.
209. See, e.g., DAVID R. MELLOH, HIPAA PRIVACY AND MANAGED CARE ORGANIZATIONS IN
THE ELECTRONIC ENVIRONMENT, at I (2000).
210. See, e.g., Winterbottom v. Wright (1842) 152 Eng. Rep. 402, 405 (holding breach of
contract not available as remedy for injured mail-coach passenger because there was no
“privity”).
211. See id.
212. 45 C.F.R. § 164.504(e) (2016).
213. See id.
214. See States, supra note 65.
215. For more information about state laws governing health information, see id.

that are more protective of patients’ rights,216 as well as any state laws
governing data, patients, or entities not regulated by existing federal
law.217 More protective state laws are generally content-based and
focus specifically on highly sensitive information, such as HIV/AIDS
test results,218 STD treatment information, and mental health
information,219 and information about vulnerable populations, such as
minors, incarcerated adults, and those declared legally incompetent.220
States also generally have laws governing state-based registries,
compulsory health information reporting, health insurers, public
health entities, and provider licensure—all of which may contain
requirements related to data sharing and confidentiality.221

V. POLICY CONSIDERATIONS

As is evident from the discussion above, individuals in the
United States have a patchwork of rights, sometimes overlapping,
with respect to information about them held by others and the use of
that information. These rights are more or less enforceable depending
on their source and the jurisdiction in question. What happens when
these rights conflict? For example, suppose one person has a property
interest in information about a second person, such as ownership of a
database containing health information, and the second person has a
privacy interest in keeping his or her information from being sold to
other entities. Whose rights prevail? Historically, individuals have
needed to prove a tort violation with damages to enforce privacy
rights, such as appropriation of one’s likeness, identity theft, or
egregious invasion of privacy.222 The HIPAA Privacy Rule confers
some specific rights but enforcement is limited for aggrieved

216. JOY PRITTS ET AL., PRIVACY AND SECURITY SOLUTIONS FOR INTEROPERABLE HEALTH
INFORMATION EXCHANGE: REPORT ON STATE LAW REQUIREMENTS FOR PATIENT PERMISSION TO
DISCLOSE HEALTH INFORMATION, at 1-2 to 1-3 (2009),
https://www.healthit.gov/sites/default/files/290-05-0015-state-law-access-report-1.pdf
[https://perma.cc/D48S-A2JY].
217. Id.
218. State HIV Laws, CTRS. DISEASE CONTROL & PREVENTION,
http://www.cdc.gov/hiv/policies/law/states [https://perma.cc/DWU5-KRG4] (last updated Aug. 29,
2016).
219. See generally INST. OF MED., IMPROVING THE QUALITY OF HEALTH CARE FOR MENTAL
AND SUBSTANCE-USE CONDITIONS: QUALITY CHASM SERIES (National Academies Press 2006).
220. See, e.g., Carol A. Ford & Abigail English, Limiting Confidentiality of Adolescent
Health Services, 288 J. AM. MED. ASSN. 752, 752 (2002).
221. See States, supra note 65.
222. Vera Bergelson, It’s Personal but Is It Mine? Toward Property Rights in Personal
Information, 37 U.C. DAVIS L. REV. 379, 405 (2003).

individuals because there is no private right of action to enforce
HIPAA.223

The European Union (EU) recently adopted a regulation for the
protection of personal data across the EU that gives individuals broad
rights to control the use of personal information about them.224
Adopted April 27, 2016, the EU General Data Protection Regulation
includes a number of rights for individuals who are the subject of
personal information and obligations of member states to protect that
information, though as with other EU regulations, there are many
ways in which member states’ application of the regulation will
vary.225 Among the most significant aspects of the Regulation are the
designation of “the right to the protection of personal data” as a
fundamental right226 and the codification of a “right to be forgotten,”
where individuals have the right to withdraw consent at any point and
have their data erased by any data holder.227 Some have argued that
this Regulation amounts to a property regime because it gives
individuals substantial rights over their personal information akin to
property rights.228 For example, the protections created by the
Regulation run with the information and bind third parties with
whom the individual subject of the information may have no
relationship.229 The Regulation includes many exceptions, such as
data processing necessary for public health, scientific research, and
the provision of social services, and there will be substantial variation
in how EU member states put the Regulation’s broad principles into
effect in their individual jurisdictions.230 However, it creates a general
right of access and control for the subject of the information, across all
types of personal information, that is far more comprehensive than
current US policies.

In contrast to the patchwork of rights that currently apply to
health information in the US and even the more comprehensive EU
regulation, ownership is a more concrete legal theory for enforcing
rights in information that would give more certainty to the field.

223. See In re Nw. Airlines Privacy Litig., No. 04 Civ. 126 (PAM/JSM), 2004 WL
1278459, at *4 (D. Minn. June 6, 2004).
224. Council Regulation 2016/679, 2016 O.J. (119) (EU), http://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
[https://perma.cc/W6KN-CRFV].
225. See generally id.
226. Id. at 1.
227. Id. at 12–13.
228. Jacob M. Victor, The EU General Data Protection Regulation: Toward a Property
Regime for Protecting Data Privacy, 123 YALE L.J. 513, 515 (2013).
229. Council Regulation 2016/679, supra note 224, at ch.III, art. 17.
230. See, e.g., id. at ch.IX, art. 88.

However, having enforceable ownership of personal information
depends on the law recognizing the information as property or
intellectual property.231 As discussed above, health information does
not fit neatly under these legal constructs, though policymakers and
courts may expand the definitions for the two types of protected
information to grant ownership rights over health information. It may
be, however, that information can never be “owned” the way a piece of
real estate is owned because so many people have access to that
information, by consent or by necessity, that one cannot be considered
to be the exclusive owner of it.

Does it even matter whether an individual “owns” his or her
health information? Where there are specific rights conferred with
respect to my health information, such as under the HIPAA Privacy
Rule, one maintains the right to access and share one’s information
even where one’s healthcare provider owns the medical record.232 It
may be that comprehensive privacy laws can grant enough rights to
the individual and impose enough responsibilities on holders and
users of personal health information that ownership becomes
irrelevant because it would convey no benefit beyond what already
exists.

The legal structures governing privacy have not yet reached
this ideal, but using a property approach that assigns ownership of
information to the individual subject of the information may not be
good public policy. Ownership implies that the thing that is owned
can be taken away and potentially disposed of whenever desired by
the owner. But such exclusive rights may conflict with other interests.
In the case of medical records, those records exist also as business
records documenting the healthcare provider’s services. The
information may be valuable to the public, as information about the
quality of care provided at a healthcare institution, data for scientific
research, or evidence of a communicable disease, for example.

On the other hand, as health information is increasingly being
commodified, profit-seeking by individuals and organizations—either
traditional healthcare entities, such as providers and insurers, or
third parties whose function is simply collecting and selling
information—may call for increased protection for the subjects of the
information. In the case of healthcare providers, ethical and practical
considerations provide some protections for individuals. Providers

231. E.g., Hall, supra note 57, at 645.
232. For example, rights to request privacy protection for protected health information.
See, e.g., 45 C.F.R. § 164.524 (2016).

have a duty to avoid harm, to ensure informed consent, and to provide
a certain standard of care regardless of their financial interest, in
addition to complying with laws that protect patient privacy and
govern medical research.233 However, other entities, such as data
brokers, may have no such duties. If the law were to convey an
ownership interest to the subject of the data being bought and sold,
that individual would have an enforceable right not only to control the
use of his or her information, but also the potential to profit directly
from it or claim a share in any profit that results from its use by
others. If patients were granted ownership interests over their
information, it would be important to ensure that such rights did not
inhibit important medical innovation and public health activities.
These essential activities could be preserved through careful
regulation because the law allows the restriction of property interests
for the public good, as in the case of zoning laws and other regulatory
takings.

In the healthcare setting, the potential for conflicting profit
motives between patient and provider could chill a relationship that
depends on honest exchange of information. If an individual can
potentially profit from the sale of his or her information, that
individual may wish to withhold it to prevent its disclosure through
another route. Alternatively, a patient may simply wish to prevent
his or her provider from making additional profit off of his or her
information, which is certainly a disconcerting thought for many
patients. While there have always been financial incentives in the US
healthcare system, they have generally been limited to fees and
reimbursements received for the provision of services.234 But it may
be that, in addition to these usual sources of income, a provider will
create a product from the personal information gathered about his or
her patients and sell that for a profit. As research and technology
venture further into the realm of personalized medicine, it may be
that details about individual patients become more valuable, such as
for use in creating treatments or tools to support diagnosis. We may
see more cases similar to Moore,235 based on the use of specific
information about patients to develop profitable products, perhaps
revisiting the question of the use of genetic material.

233. Marc A. Rodwin, Financial Incentives for Doctors, 328 BMJ 1328, 1328–29 (2004),
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC420273/pdf/bmj32801328.pdf
[https://perma.cc/2FTA-32S3].
234. See, e.g., Mark Hagland, How Does Your Doctor Get Paid?, FRONTLINE,
http://www.pbs.org/wgbh/pages/frontline/shows/doctor/care/capitation.html
[https://perma.cc/7J4T-UJ9N] (last visited Nov. 14, 2016).
235. Moore v. Regents of Univ. of Cal., 793 P.2d 479 (Cal. 1990).

VI. CONCLUSION

The legal environment surrounding health information is
dynamic and varied. Because of the expanse of rights at issue and the
fact that many of them are subject to regulation by all fifty states in
addition to the federal government, there’s no single solution to
address the issue of health information ownership. As illustrated, a
variety of different laws and legal theories can be applied, potentially
causing confusion for users of health information and the individuals
who are the subject of the information. Valid rights and
responsibilities can conflict. Unregulated activities appear that use
health information in unanticipated ways, which may be threatening
to the individual subjects of the information. Ownership is a familiar
concept that some see as a simple way to clarify legal rights; indeed,
many healthcare consumers may be surprised to discover that they
don’t already own their health information. However, conferring
ownership to one party may interfere with legitimate claims of
another party or important public goals. For example, vesting full
ownership of health information in patients under a property scheme
may harm research, hinder performance measurement, and limit
important public health activities like disease surveillance. On the
other hand, vesting full ownership with healthcare providers may
prevent oversight, inhibit quality improvement, reduce patient
autonomy, and limit patients’ willingness to share information
necessary for proper medical treatment. Given the balance of rights
that must be struck to protect important public goals, we suggest that
rights over health information should be resolved by new policies
rather than under existing legal structures. As technology evolves to
enable greater capability to digest health information and make it
meaningful while the market responds to greater, more expansive
uses of health information for a wider variety of stakeholders,
policymakers at the federal and state levels should work to develop a
legal framework to govern the many uses for and users of health
information. It is important that this framework be as consistent as
possible across settings and jurisdictions so that the many
stakeholders in the health information marketplace know their rights
and responsibilities and the public’s interest in appropriate sharing of
health information is protected.

Copyright of Vanderbilt Journal of Entertainment & Technology Law is the property of
Vanderbilt University Law School and its content may not be copied or emailed to multiple
sites or posted to a listserv without the copyright holder’s express written permission.
However, users may print, download, or email articles for individual use.